On Wed, 6 Mar 2024 16:52:42 GMT, Bernd <d...@openjdk.org> wrote:
>> Proposal to improve the `java.security.debug` output so that options exist
>> to add thread ID, thread name, source of log record and a timestamp
>> information to the output.
>>
>> examples:
>> format without patch :
>>
>>
>> properties: Initial security property:
>> package.definition=sun.misc.,sun.reflect.
>> properties: Initial security property: krb5.kdc.bad.policy=tryLast
>> keystore: Creating a new keystore in PKCS12 format
>>
>>
>> format with thread info included:
>>
>>
>> properties[10|main|Security.java:122]: Initial security property:
>> package.definition=sun.misc.,sun.reflect.
>> properties[10|main|Security.java:122]: Initial security property:
>> krb5.kdc.bad.policy=tryLast
>> keystore[10|main|KeyStoreDelegator.java:216]: Creating a new keystore in
>> PKCS12 format
>>
>>
>> format with thread info and timestamp:
>>
>>
>> properties[10|main|Security.java:122|2024-03-01 14:59:42.859 UTC]: Initial
>> security property: package.definition=sun.misc.,sun.reflect.
>> properties[10|main|Security.java:122|2024-03-01 14:59:42.859 UTC]: Initial
>> security property: krb5.kdc.bad.policy=tryLast
>>
>>
>> It's a similar format to what can be seen when the TLS (javax.net.debug)
>> debug logging option is in use
>>
>> current proposal is to keep the thread and timestamp information off (make
>> it opt in)
>>
>> The extra decorator info is controlled by appending option to each component
>> specified in the `"java.security.debug"` option list.
>>
>> e.g
>>
>> `-Djava.security.debug=properties+timestamp+thread` turns on logging for the
>> `properties` component and also decorates the records with timestamp and
>> thread info
>>
>> -Djava.security.debug=properties+thread+timestamp,keystore would decorate
>> the `properties` component but no decorating performed for the `keystore
>> `component.
>
> src/java.base/share/classes/sun/security/util/Debug.java line 211:
>
>> 209: public void println()
>> 210: {
>> 211: System.err.println(prefix + ":");
>
> While we are her we could switch to Platfom logger, that also removes the
> need for timestamps (and thread info)
I'm thinking along the same lines. the` javax.net.debug` property (TLS) already
allows the use of `System Logger`. I'd be interested to hear from anyone who
uses that Logger, by passing no args to `javax.net.debug`. No reason why this
(java.security.debug) code couldn't be updated also. I'd like to do this in a
follow on (hoping to backport this patch to LTS update releases)
I think the Logger experience could do with tweaking also - something I spoke
briefly about at the recent OpenJDK Committers' Workshop in Brussels. One
option might be a mechanism where the Logger `Level` can be dialed up and down
remotely (e.g. jconsole). I've been looking at this with the
`PlatformLoggingMXBean.setLoggerLevel `operation.
> src/java.base/share/classes/sun/security/util/Debug.java line 304:
>
>> 302: }
>> 303:
>> 304: // copied from sun/security/ssl/Utilities.java for now
>
> Why own helper, string.format(%x) can build the whole string or call
> Long.toHexString() or toString(,16)?
I was emulating what's done for the TLS logging code. Yes - I'll look at using
a JDK library method instead.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18084#discussion_r1515092699
PR Review Comment: https://git.openjdk.org/jdk/pull/18084#discussion_r1515082479
