andytanoko / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
0 stars 0 forks source link

logSpecial assumes logging has not been manually set #58

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1.  call ESAPI.setLogFactory to set a LogFactory Programmatically.
2.  call ESAPI.securityConfiguration()

What is the expected output? What do you see instead?
I would expect the output from the constructor of 
DefaultSecurityConfiguration to log according to whatever configuration my 
factory provides.  Instead, it should log using the factory if it has 
already been configured.

What version of the product are you using? On what operating system?
Found in 1.4, confirmed in 2.0rc4

Please provide any additional information below.
DefaultSecurityConfiguration probably shouldn't check to see if a factory 
is set in the logSpecial method, because then we may get half logged to 
System.out and half to a log file.  A flag should be set in the 
constructor, and then reset when getLogImplementation is called, or some 
similar trigger.

Original issue reported on code.google.com by rob.spre...@gmail.com on 12 Nov 2009 at 10:17

GoogleCodeExporter commented 9 years ago
I'm fine with setting this to Low Priority, buy I'm not sure how.

Original comment by rob.spre...@gmail.com on 12 Nov 2009 at 10:18

GoogleCodeExporter commented 9 years ago
Changed to low priority and scheduled for 2.1

Original comment by chrisisbeef on 2 Dec 2009 at 7:32

GoogleCodeExporter commented 9 years ago

Original comment by chrisisbeef on 20 Nov 2010 at 9:52

GoogleCodeExporter commented 9 years ago
This is still needed.  Given the changes in 2.0 to the loading, the initial 
setup is no longer valid, as you can't set a logFactory any longe before 
loading the security configuration.  The solution to this should also address 
that problem.

Original comment by rob.spre...@gmail.com on 19 Jul 2011 at 1:56

GoogleCodeExporter commented 9 years ago
why do we still see System.out.println instead of loggers. it would be good to 
use java.util.logging instead of using Sysouts, if you won't prefer 
slf4j/log4j. 

something like this

use static variable
public class DefaultSecurityConfiguration implements SecurityConfiguration {
   private static  java.util.logging.Logger log = java.util.logging.Logger.getLogger(DefaultSecurityConfiguration.class.getName());
 ........
   private void logSpecial(String message) {
        log.log(Level.FINE, message);
    }
....
}

Original comment by r.nagesh...@gmail.com on 2 May 2014 at 8:39

GoogleCodeExporter commented 9 years ago
This should be using at a minimum the jdk1.4 logger framework. As it stands 
currently, I've got a production application, that once a quarter, I get some 
complaint after a restart with regard to the loading of the ESAPI.properties 
error messages emitted from DefaultSecurityConfiguration to System.out. There 
is no way to override this behavior nor is there a mechanism to route this to a 
specific log file.  This issue has been open for well over 5 years and should 
have been addressed with the 2.1.0 release.

If there is another reason why this has not addressed, please provide reasoning 
to keep it outputting to System.out/System.err.

Original comment by djgraff...@gmail.com on 13 Apr 2015 at 1:56