Hi Seán,

I know you are working on enhancing the security debug output with timestamps 
and thread info now. Do you think it can also cover Kerberos?

Traditionally, Kerberos debugging is independent of other security areas and 
itself is quite complicated. It includes the "debug" label in JAAS LoginModule 
(as Peter pointed out below) and separate system properties like 
sun.security.krb5.debug, sun.security.jgss.debug, sun.security.nativegss.debug, 
and sun.security.spnego.debug. It will definitely be great if they can enjoy 
the enhancement of sun.security.util.Debug.

BTW, Peter also mentioned a JUL logger. IIUC, our current debug messages are 
only sent to System.err, right?

Thanks,
Weijun



> On Mar 9, 2024, at 4:15 PM, Horváth Péter Gergely 
> <horvath.peter.gerg...@gmail.com> wrote:
> 
> Dear All,
> 
> In the past, I had issues with debug logging in Krb5LoginModule: if debug is 
> enabled, messages are simply written to the stdout. It is relatively hard to 
> correlate these messages with application logs, as there are no timestamps 
> for Krb5LoginModule output messages.
> 
> Imagine a server fails to service a request, due to its failure to 
> communicate with another Kerberized server. The failure itself will be logged 
> properly, but there is no way for an operator to easily find and correlate 
> Krb5LoginModule debug output. (We are talking about servers under heavy load.)
> 
> I think debug logging in Krb5LoginModule should be improved; e.g. at least, 
> messages should be sent to both stdout and a JUL logger maybe?
> 
> I would be happy to implement the code change if someone is willing to 
> sponsor this issue.
> 
> Could someone please help here?
> 
> Thanks,
> Peter
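
An operator-side stopgap for the correlation problem raised in the quoted message, as an added example that is not part of the thread or of JDK code: a stdout wrapper that copies each completed line to a JUL logger so it gains a timestamp and the emitting thread's name. The class names and logger name are hypothetical, and it assumes the debug output goes to stdout as that message describes.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.io.PrintStream;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;

public class StdoutToJul {
    // Hypothetical logger name, chosen for this example.
    private static final Logger LOG = Logger.getLogger("example.krb5.debug");

    /** Passes bytes through to the real stdout and logs each completed line. */
    static final class TeeStream extends OutputStream {
        private final PrintStream original;
        // One buffer per thread so lines from concurrent logins do not interleave.
        private final ThreadLocal<ByteArrayOutputStream> line =
                ThreadLocal.withInitial(ByteArrayOutputStream::new);

        TeeStream(PrintStream original) { this.original = original; }

        @Override
        public void write(int b) {
            original.write(b);
            if (b == '\n') {
                ByteArrayOutputStream buf = line.get();
                String text = buf.toString(StandardCharsets.UTF_8).stripTrailing();
                buf.reset();
                if (!text.isEmpty()) {
                    // JUL supplies the timestamp; the thread name is added here.
                    LOG.info("[" + Thread.currentThread().getName() + "] " + text);
                }
            } else {
                line.get().write(b);
            }
        }
    }

    /** Call once at startup, before the first JAAS login. */
    static void install() {
        // The default JUL ConsoleHandler writes to System.err, so this does not recurse.
        // Do not attach a handler that writes to System.out.
        System.setOut(new PrintStream(new TeeStream(System.out), true, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        install();
        // Constructed sample line standing in for login-module debug output.
        System.out.println("constructed sample: debug line from a login module");
    }
}
```

Kerberos debug output can include principal names and ticket details, so the destination of this logger should have the same access controls as other authentication logs.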
