The masking of information is great when the system is running flawlessly in production, but sometimes the provided information is crucial to track down the source of a bug.
In my case, I'd like to protect passwords and JWT tokens.
But I also need a way to see them in the logs when a problem comes up.
Discussion of possible solutions:
System property. Easy to implement, too easy to tamper with, even at runtime and even when the value of the property is copied into a final variable because you can call setFinal(false) on the field at runtime.
The same applies to using logback variables to build the log pattern.
Existence of a file owned by an admin / root and not modifiable by the current user. Rationale: If the attacker is an admin already, the fight is already lost. Drawback: It's pretty easy to check for root ownership and modification flags on Linux with Java 8+, but how can we do the same on Windows? Or Mac? Another advantage: The library can check the file for every log statement, so this would allow one to disable masking, test, and enable masking again.
Provide a plugin API that allows developers to come up with a suitable solution. Drawback: This isn't a solution, it just allows a solution. So people will come up with all kinds of broken ways to do this, making the effort somewhat futile.
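As an added illustration of the second option above (this is example code written for this discussion, not code from the issue author or from the library), the check below treats masking as disabled only while a kill-switch file exists, is a regular file (symlinks are not followed), is owned by root, and is neither group- nor world-writable; the same constraints are applied to the parent directory, because a user-writable directory would let an unprivileged user replace the file. The path `/etc/logmask/unmask`, the class name and the method names are assumptions. Every failure, including a non-POSIX file system such as NTFS where ownership semantics differ, falls back to "keep masking on".

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

/**
 * Hypothetical kill switch for log masking: masking is disabled only while a
 * root-owned, non-writable-by-others file exists. Fails closed on any doubt.
 */
public final class MaskingKillSwitch {

    // Assumed location; not taken from the original issue.
    static final Path KILL_SWITCH = Paths.get("/etc/logmask/unmask");

    private MaskingKillSwitch() {
    }

    /** Returns true only when the kill-switch file passes every ownership and permission check. */
    public static boolean maskingDisabled() {
        return maskingDisabled(KILL_SWITCH);
    }

    public static boolean maskingDisabled(Path file) {
        try {
            // Do not follow symlinks: a link in a user-writable location could
            // point at some unrelated root-owned file and pass the owner check.
            if (!Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS)) {
                return false;
            }
            Path parent = file.toAbsolutePath().getParent();
            if (parent == null) {
                return false;
            }
            // Both the file and the directory holding it must be root-owned and
            // not modifiable by group or others; otherwise the file can be swapped.
            return ownedByRootAndNotWritableByOthers(file)
                    && ownedByRootAndNotWritableByOthers(parent);
        } catch (IOException e) {
            // Unreadable attributes: keep masking on.
            return false;
        }
    }

    private static boolean ownedByRootAndNotWritableByOthers(Path p) throws IOException {
        PosixFileAttributes attrs;
        try {
            attrs = Files.readAttributes(p, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows/NTFS): this check does not apply, fail closed.
            return false;
        }
        if (!"root".equals(attrs.owner().getName())) {
            return false;
        }
        Set<PosixFilePermission> perms = attrs.permissions();
        return !perms.contains(PosixFilePermission.GROUP_WRITE)
                && !perms.contains(PosixFilePermission.OTHERS_WRITE);
    }

    // Stand-alone usage: prints whether the masking layer would currently unmask.
    public static void main(String[] args) {
        Path p = args.length > 0 ? Paths.get(args[0]) : KILL_SWITCH;
        System.out.println("masking disabled: " + maskingDisabled(p));
    }
}
```

Evaluating the attributes on every log statement, as the issue suggests, costs a `stat` per line; caching the result for a second or two keeps the "disable, test, re-enable" workflow while bounding the overhead. The root-owner check covers Linux and macOS; on Windows the method simply never disables masking, which is the safe default until an ACL-based equivalent is written.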