Improving logging in Krb5LoginModule
Wei-Jun Wang
weijun.wang at oracle.com
Sun Mar 10 16:01:10 UTC 2024
Hi Seán,
I know you are working on enhancing the security debug output with timestamps and thread info now. Do you think it can also cover Kerberos?
Traditionally, Kerberos debugging is independent of other security areas and itself is quite complicated. It includes the "debug" label in JAAS LoginModule (as Peter pointed out below) and separate system properties like sun.security.krb5.debug, sun.security.jgss.debug, sun.security.nativegss.debug, and sun.security.spnego.debug. It will definitely be great if they can enjoy the enhancement of sun.security.util.Debug.
BTW, Peter also mentioned a JUL logger. IIUC, our current debug messages are only sent to System.err, right?
Thanks,
Weijun
> On Mar 9, 2024, at 4:15 PM, Horváth Péter Gergely <horvath.peter.gergely at gmail.com> wrote:
>
> Dear All,
>
> In the past, I had issues with debug logging in Krb5LoginModule: if debug is enabled,
> messages are simply written to the stdout. It is relatively hard to correlate these
> messages with application logs, as there are no timestamps for Krb5LoginModule output messages.
>
> Imagine a server fails to service a request, due to its failure to communicate with
> another Kerberized server. The failure itself will be logged properly, but there is no way
> for an operator to easily find and correlate Krb5LoginModule debug output.
> (We are talking about servers under heavy load.)
>
> I think debug logging in Krb5LoginModule should be improved; e.g. at least, messages
> should be sent to both stdout and a JUL logger maybe?
>
> I would be happy to implement the code change if someone is willing to sponsor this issue.
>
> Could someone please help here?
>
> Thanks,
> Peter
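
The idea raised in the thread, sending what is written to stdout to a JUL logger as well, can be sketched at application level as follows. This is an added example, not code from either message or from the JDK; the class name `StdoutToJul` and the logger name `krb5.debug.stdout` are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.io.PrintStream;
import java.nio.charset.Charset;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Tees System.out to a JUL logger one line at a time (illustrative class). */
public class StdoutToJul extends OutputStream {
    // Logger name is an assumption chosen for this example.
    private static final Logger LOG = Logger.getLogger("krb5.debug.stdout");
    private final PrintStream original;
    // Per-thread buffer, so concurrent writers never share a partial line.
    private final ThreadLocal<ByteArrayOutputStream> buf =
            ThreadLocal.withInitial(ByteArrayOutputStream::new);

    private StdoutToJul(PrintStream original) { this.original = original; }

    /** Replace System.out; call once, before any JAAS login runs. */
    public static void install() {
        System.setOut(new PrintStream(new StdoutToJul(System.out), true));
    }

    @Override
    public void write(int b) {
        original.write(b);                    // stdout still gets every byte
        if (b == '\n') {
            ByteArrayOutputStream line = buf.get();
            if (line.size() > 0) {
                // Same charset the wrapping PrintStream encoded with.
                String msg = new String(line.toByteArray(), Charset.defaultCharset());
                // The JUL formatter supplies the timestamp; add the thread name.
                LOG.log(Level.FINE, "[{0}] {1}",
                        new Object[] {Thread.currentThread().getName(), msg});
            }
            line.reset();
        } else if (b != '\r') {
            buf.get().write(b);
        }
    }

    public static void main(String[] args) {
        // ConsoleHandler writes to System.err. A handler that writes to
        // System.out would feed this stream again and recurse.
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.FINE);
        LOG.addHandler(handler);
        LOG.setUseParentHandlers(false);
        LOG.setLevel(Level.FINE);
        install();
        System.out.println("constructed stand-in for a debug line");
    }
}
```

Because this captures everything written to System.out and not only Kerberos output, the logger is best routed to its own handler or file.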