[Esapi-dev] ESAPI Logging API

augustd augustd at codemagi.com
Wed Sep 22 19:35:57 EDT 2010


Should the Logger Interfaces include logging methods that conform to the
log4j API and do not require you to specify an EventType? For example, it
would have debug(String) in addition to debug(EventType, String).

The default behavior would be to have debug(String) forward processing to
debug(EventType, String) with a null EventType so you still can take
advantage of the ESAPI log injection protection, log the user's IP address,
etc.

This might help with adoption. Consider the case where a company has
hundreds of thousands of lines of code and perhaps thousands of log
statements. Most of them are most likely really just debug statements and
not security 'events'. It would be prohibitive for a developer to have to go
back and retrofit each of these statements with an EventType just to get the
code to compile. They could still instrument the legacy code with real
security events where that is most warranted and use the full API for new
development.

Thoughts?

-August
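
Added example, not part of the original message and not ESAPI code: a sketch of the forwarding overload proposed above, showing a legacy `debug(String)` call still passing through the log-injection neutralization and client-address tagging. `SafeLogger`, `ListLogger`, the stand-in `EventType` enum, the "UNSPECIFIED" label and the underscore replacement are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class LegacyLoggingSketch {

    // Hypothetical stand-in for an event type; not the real ESAPI class.
    enum EventType { SECURITY_SUCCESS, SECURITY_FAILURE }

    // Hypothetical interface modelled on the proposal in the message.
    interface SafeLogger {
        void debug(EventType type, String message);

        // log4j-style overload: forwards with a null EventType so legacy
        // call sites compile unchanged and still use the protected path.
        default void debug(String message) {
            debug(null, message);
        }
    }

    // Collects log lines in memory so the result can be inspected.
    static class ListLogger implements SafeLogger {
        final List<String> lines = new ArrayList<>();
        private final String remoteAddr;

        ListLogger(String remoteAddr) { this.remoteAddr = remoteAddr; }

        @Override
        public void debug(EventType type, String message) {
            // A null type is recorded explicitly instead of being dropped.
            String label = (type == null) ? "UNSPECIFIED" : type.name();
            lines.add("DEBUG [" + label + "] " + remoteAddr + " " + neutralize(message));
        }

        // Replace CR/LF so untrusted input cannot begin a forged log entry.
        static String neutralize(String message) {
            if (message == null) return "null";
            return message.replace('\r', '_').replace('\n', '_');
        }
    }

    public static void main(String[] args) {
        ListLogger log = new ListLogger("203.0.113.7"); // constructed sample address
        // Constructed untrusted input carrying an embedded line break.
        String user = "bob\nDEBUG [SECURITY_SUCCESS] 10.0.0.1 login ok";
        log.debug("login attempt for " + user);                            // legacy style
        log.debug(EventType.SECURITY_FAILURE, "login failed for " + user); // full API
        log.lines.forEach(System.out::println); // two entries, each on a single line
    }
}
```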