Masking sensitive information when logging from IClientMessageInspector

Question

I'm using WCF (.NET 3.5) to communicate with a server using SOAP. When running in debug mode, I use System.ServiceMode.Dispatcher.IClientMessageInspector and log4Net to log the request content.

public object BeforeSendRequest(ref Message request, IClientChannel channel)
{
    log.Debug(request); 
}

My difficulty is that sometimes the SOAP message contains authentication information that I must mask before writing to the logs e.g. in the following example I would like to log the password element as <password>**********</password>

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"&gt;
    <s:Header>
        <Action s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none"&gt;http://service.soap.host.com/credentials&lt;/Action&gt;
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;
        <credentials xmlns="http://service..soap.host.com/credentials"&gt;
            <username>MyUsername</username>
            <password>MyPassword</password>
        </credentials>
    </s:Body>
</s:Envelope>

I'm able to achieve this in a crude way using regular expression matching on the output of request.ToString() but I wonder if there's a more elegant and efficient approach that will allow me to modify the value of the password element before converting the message to a string.

Answer 1

No simple way for this, except if you make sure you NEVER send credentials that way (there are many ways to send tokens instead of the actual credential).

If you're passing these information only to log on to your service, you should use SSL anyway. If that's the case, your MessageInspector could check if the current binding uses SSL or transport security and if that's the case, does not log anything.

As an aside, if you want to log messages in development, you'd be better off leveraging the WCF tracing infrastructure instead of doing the low level tracing yourself (that way you don't have to add inspectors in debug mode). See http://msdn.microsoft.com/en-us/library/ms732023.aspx for more info about built-in WCF activity and message tracing.