Objective
Use Contrast Protect to identify applications in your portfolio which use Spring auto-binding.
Process
Contrast Protect includes the ability to create log enhancers. These are instrumentation instructions that allow the Contrast agent to log additional parameters and data in the application, without requiring any source code changes.
In order to apply a log enhancer which detects the use of Spring auto-binding:
- Follow instructions at this docs page to set up a new log enhancer.
- In the API field, enter:
  org.springframework.web.bind.WebDataBinder.doBind(org.springframework.beans.MutablePropertyValues)
- In the Format field, enter:
  Spring Autobinding Detected
  There isn't anything in the method parameter, binder, etc. that could make the log entry more useful for its intended purpose of identifying which applications use Spring autobinding, so we don't recommend attempting to parameterize the Format field.
- For Log Type, select SECURITY.
- For Log Level, select WARN.
- Once the log enhancer is set up, the log enhancer will be enabled following the next agent restart.
Pulling the resulting information out of your security.log file will vary, depending on how you consume logs. In general, filter all logs for "Contrast Agent Java" and "Autobinding Detected", then group by app to get the list of all potentially affected applications.
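One way to do the filtering and grouping described above, as an added example that is not part of the original article or of Contrast's tooling. It assumes CEF-style lines that carry the application name in an `app=` key; the sample lines, field names other than the two filter strings, and the function name are constructed for illustration.

```python
import re
from collections import Counter

AGENT_MARKER = "Contrast Agent Java"     # first filter string from the article
MESSAGE_MARKER = "Autobinding Detected"  # matches the Format field value

# Assumption: the application name follows "app=" and runs until the next
# " key=" pair or the end of the line, so names containing spaces survive.
APP_FIELD = re.compile(r"(?:^|[\s|])app=(.*?)(?=\s+\w+=|\s*$)")


def apps_using_autobinding(lines):
    """Return a Counter mapping application name to matching log entries."""
    hits = Counter()
    for line in lines:
        # Both markers must be present, as the article's filter requires.
        if AGENT_MARKER not in line or MESSAGE_MARKER not in line:
            continue
        match = APP_FIELD.search(line)
        # Keep unparsable entries visible instead of silently dropping them.
        hits[match.group(1) if match else "<unknown app>"] += 1
    return hits


# Constructed sample lines (not real agent output); the layout is an assumption.
SAMPLE_LOG = """\
ts1 host1 CEF:0|Contrast Security|Contrast Agent Java|0.0.0|SECURITY|Spring Autobinding Detected|WARN|app=billing-api request=/orders
ts2 host2 CEF:0|Contrast Security|Contrast Agent Java|0.0.0|SECURITY|Spring Autobinding Detected|WARN|app=Customer Portal request=/profile
ts3 host1 CEF:0|Contrast Security|Contrast Agent Java|0.0.0|SECURITY|Some other event|WARN|app=inventory request=/items
ts4 host3 other-logger WARN Autobinding Detected app=not-a-contrast-line
ts5 host1 CEF:0|Contrast Security|Contrast Agent Java|0.0.0|SECURITY|Spring Autobinding Detected|WARN|request=/pay app=billing-api
ts6 host4 CEF:0|Contrast Security|Contrast Agent Java|0.0.0|SECURITY|Spring Autobinding Detected|WARN|request=/health
"""

if __name__ == "__main__":
    counts = apps_using_autobinding(SAMPLE_LOG.splitlines())
    for app, n in sorted(counts.items()):
        print(f"{app}\t{n}")
```

To run it against real data, pass an open security.log file handle to `apps_using_autobinding` and adjust `APP_FIELD` if your log layout differs.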