RFR: 8051959: Option to print thread information in java.security.debug output

Sean Coffey coffeys at openjdk.org
Wed Mar 6 20:10:49 UTC 2024


On Wed, 6 Mar 2024 16:52:42 GMT, Bernd <duke at openjdk.org> wrote:

>> Proposal to improve the `java.security.debug` output so that options exist to add thread ID, thread name, source of log record and a timestamp information to the output.
>> 
>> examples:
>> format without patch :
>> 
>> 
>> properties: Initial security property: package.definition=sun.misc.,sun.reflect.
>> properties: Initial security property: krb5.kdc.bad.policy=tryLast 
>> keystore: Creating a new keystore in PKCS12 format
>> 
>> 
>> format with thread info included:
>> 
>> 
>> properties[10|main|Security.java:122]: Initial security property: package.definition=sun.misc.,sun.reflect.
>> properties[10|main|Security.java:122]: Initial security property: krb5.kdc.bad.policy=tryLast 
>> keystore[10|main|KeyStoreDelegator.java:216]: Creating a new keystore in PKCS12 format
>> 
>> 
>> format with thread info and timestamp:
>> 
>> 
>> properties[10|main|Security.java:122|2024-03-01 14:59:42.859 UTC]: Initial security property: package.definition=sun.misc.,sun.reflect.
>> properties[10|main|Security.java:122|2024-03-01 14:59:42.859 UTC]: Initial security property: krb5.kdc.bad.policy=tryLast
>> 
>> 
>> It's a similar format to what can be seen when the TLS (javax.net.debug) debug logging option is in use
>> 
>> current proposal is to keep the thread and timestamp information off (make it opt in)
>> 
>> The extra decorator info is controlled by appending option to each component specified in the `"java.security.debug"` option list.
>> 
>> e.g.
>> 
>> `-Djava.security.debug=properties+timestamp+thread` turns on logging for the `properties` component and also decorates the records with timestamp and thread info
>> 
>> `-Djava.security.debug=properties+thread+timestamp,keystore` would decorate the `properties` component but no decorating performed for the `keystore` component.
>
> src/java.base/share/classes/sun/security/util/Debug.java line 211:
> 
>> 209:     public void println()
>> 210:     {
>> 211:         System.err.println(prefix + ":");
> 
> While we are here we could switch to the Platform logger; that also removes the need for timestamps (and thread info)

I'm thinking along the same lines. The `javax.net.debug` property (TLS) already allows the use of `System.Logger`. I'd be interested to hear from anyone who uses that Logger, by passing no args to `javax.net.debug`. No reason why this (`java.security.debug`) code couldn't be updated also. I'd like to do this in a follow-on (hoping to backport this patch to LTS update releases).

I think the Logger experience could do with tweaking also, something I spoke briefly about at the recent OpenJDK Committers' Workshop in Brussels. One option might be a mechanism where the Logger `Level` can be dialed up and down remotely (e.g. jconsole). I've been looking at this with the `PlatformLoggingMXBean.setLoggerLevel` operation.

> src/java.base/share/classes/sun/security/util/Debug.java line 304:
> 
>> 302:     }
>> 303: 
>> 304:     // copied from sun/security/ssl/Utilities.java for now
> 
> Why an own helper? `String.format(%x)` can build the whole string, or call `Long.toHexString()` or `toString(,16)`?

I was emulating what's done for the TLS logging code. Yes, I'll look at using a JDK library method instead.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/18084#discussion_r1515092699
PR Review Comment: https://git.openjdk.org/jdk/pull/18084#discussion_r1515082479
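The following is an added example, not code from PR 18084 or from the JDK's `sun.security.util.Debug`. It is a stand-alone Java class that emulates the option syntax and record prefix described in the quoted PR description: components separated by `,`, each optionally followed by `+thread` and/or `+timestamp` decorators that apply only to that component, and a prefix of the form `component[threadId|threadName|file:line|timestamp]`. Three points are assumptions made for the example rather than facts stated on the page: the thread ID is rendered with `Long.toHexString`, as the review comment suggests and as the TLS logger's copied helper does; the `file:line` source field is emitted together with the thread decorator, because the PR's samples only show it alongside thread info; and an unrecognised decorator is rejected with an exception, which the PR text does not specify. The class and method names are invented for this example.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.StringJoiner;

/**
 * Added example, not JDK code: emulates the per-component decorator syntax of
 * -Djava.security.debug described in the PR, e.g. "properties+thread+timestamp,keystore".
 */
public final class DebugOptionsDemo {

    /** Decorator settings for one component (record type constructed for this example). */
    record Component(String name, boolean thread, boolean timestamp) {}

    /** Timestamp layout matching the PR's sample: "2024-03-01 14:59:42.859 UTC". */
    static final DateTimeFormatter TS =
            DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss.SSS 'UTC'").withZone(ZoneOffset.UTC);

    /**
     * Parses a java.security.debug-style value. Components are comma separated;
     * decorators are appended with '+' and scope to that component only.
     * Assumption: an unknown decorator is an error (the PR does not say what happens).
     */
    static Map<String, Component> parse(String value) {
        Map<String, Component> out = new LinkedHashMap<>();
        if (value == null) {
            return out;
        }
        for (String entry : value.split(",")) {
            String[] parts = entry.trim().split("\\+");
            String name = parts[0].trim();
            if (name.isEmpty()) {
                continue;
            }
            boolean thread = false;
            boolean timestamp = false;
            for (int i = 1; i < parts.length; i++) {
                switch (parts[i].trim().toLowerCase(Locale.ROOT)) {
                    case "thread" -> thread = true;
                    case "timestamp" -> timestamp = true;
                    default -> throw new IllegalArgumentException(
                            "unknown decorator '" + parts[i] + "' in '" + entry + "'");
                }
            }
            out.put(name, new Component(name, thread, timestamp));
        }
        return out;
    }

    /**
     * Builds the record prefix in the layout shown in the PR description.
     * Assumption: thread ID in hex (Long.toHexString, as suggested in the review),
     * and the file:line source travels with the thread decorator.
     */
    static String prefix(Component c, long threadId, String threadName, String source, Instant now) {
        if (!c.thread() && !c.timestamp()) {
            return c.name();                       // undecorated, e.g. "keystore"
        }
        StringJoiner sj = new StringJoiner("|", c.name() + "[", "]");
        if (c.thread()) {
            sj.add(Long.toHexString(threadId));
            sj.add(threadName);
            sj.add(source);
        }
        if (c.timestamp()) {
            sj.add(TS.format(now));
        }
        return sj.toString();
    }

    /** file:line of the method that called callerSource(), analogous to the "source of log record" field. */
    static String callerSource() {
        return StackWalker.getInstance()
                .walk(frames -> frames.skip(1).findFirst())
                .map(f -> f.getFileName() + ":" + f.getLineNumber())
                .orElse("?");
    }

    public static void main(String[] args) {
        // Option value from the command line, else the real system property, else a constructed sample.
        String opt = args.length > 0
                ? args[0]
                : System.getProperty("java.security.debug", "properties+thread+timestamp,keystore");
        Instant now = Instant.parse("2024-03-01T14:59:42.859Z");   // fixed so the output is reproducible
        Thread t = Thread.currentThread();                          // threadId() replaces getId() on JDK 19+
        for (Component c : parse(opt).values()) {
            System.err.println(prefix(c, t.getId(), t.getName(), callerSource(), now) + ": example record");
        }
    }
}
```

Run it with the single-file source launcher, e.g. `java DebugOptionsDemo.java 'properties+thread+timestamp,keystore'`: the `properties` record comes out as `properties[<hex id>|main|DebugOptionsDemo.java:<line>|2024-03-01 14:59:42.859 UTC]: example record`, while the `keystore` record keeps the bare `keystore:` prefix, which is the per-component scoping the PR description spells out. Passing `properties+foo` shows the assumed strict handling of an unknown decorator.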