[Esapi-user] Console Logging

Fri Dec 3 12:54:51 EST 2010

Thanks Jim and Chris.

Chris, your second solution would solve all of my current requirements without having to hack up my code too much.

Jim, redrecting System.out does work, but I only want to redirect it for uninitialized esapi calls, not for my calls to System.out. As a workaround this is what I'm currently doing; and it's ugly...

- record default printstream for System.out and System.err to static variables.
- redirect System.out and System.err to log4j
- load and initialize esapi
- put the original System.out & System.err printstreams back

________________________________

From: Jim Manico <jim.manico at owasp.org> <mailto:jim.manico at owasp.org> 
Sent: Fri, 3 Dec 2010 11:42:55 -0600
To: Chris Schmidt <chris.schmidt at owasp.org> <mailto:chris.schmidt at owasp.org> 
Cc: Springett Steven <sspringett at us.axway.com> <mailto:sspringett at us.axway.com> , ESAPI Users <esapi-user at lists.owasp.org> <mailto:esapi-user at lists.owasp.org> 
Subject: Re: [Esapi-user] Console Logging

	Chris,

	This is overly complex. In the short term, I'd recommend just redirecting System.out and System.err to your logger. You can do this without touching the ESAPI code. In fact, I think this is the final solution so we can close this issue. See:

	http://edivad.wordpress.com/2007/02/26/systemout-and-systemerr-over-log4j/ 

	For more information.

	-Jim Manico 
	http://manico.net

	On Dec 3, 2010, at 11:24 AM, Chris Schmidt <chris.schmidt at owasp.org> <mailto:chris.schmidt at owasp.org>  wrote:

		There is no mechanism for doing this at the current time, however – it would seem this would be a fairly standard request (at least to just be able to disable the console logging at startup) 

		Would it be acceptable to disable console logging with an option passed into such as 

		-Desapi.logspecial.enabled=false

		I think we will want this enabled by default, but I agree that there should be a means to turn it off. 

		As for redirecting the output to another logger – it would be possible but it would have to be code that you wrote. Since the logSpecial methods are currently private you would have to write your own implementation. However, it would probably make sense to make the logSpecial methods protected so that a custom implementation could be written which redirects logSpecial calls to some other logger.

		You could do something like this:

		Public class MySecurityConfiguration extends DefaultSecurityConfiguration {
		   @Override
		   protected void logSpecial(String message) {
		      MyLogger.logMessage(message);
		   }

		   @Override
		   protected void logSpecial(String message, Exception e) {
		      MyLogger.logError(e, message);
		   }
		}

		This would be a simple change to make – but like I said, it is dependent on the logSpecial methods being changed to protected scope since they are currently private.

		Either way, to implement this will require changes to the ESAPI DefaultSecurityConfiguration class – can you add your request to the google code issue tracker so we can vote and discuss there?

		On 12/3/10 9:49 AM, "Springett Steven" <sspringett at us.axway.com> wrote:

			  I'm having an issue with logging in esapi.

			 When my application is starting up, it initializes it's logging and does other things, then it loads esapi. The esapi logger is not initialized yet so it dumps a bunch of logging messages to System.out via the logSpecial() method.

			 What I would like is a way to configure esapi to disable console logging or to redirect console logging to another type of object which then could be used by my application that already has it's loggings system initialized.

			 This is the issue that I'm currently having. My server is a console-based app. Startup should look like this:

			 MyApp Service Starting
			   License successfully validated
			   Loading database schemas
			     Database schema being created or updated for MyApp
			 Finished loading database schemas
			 MyApp Service Started

			 Instead, it looks like this:

			 MyApp Service Starting
			   License successfully validated
			   Loading database schemas
			     Database schema being created or updated for MyApp
			 Finished loading database schemas
			 Attempting to load ESAPI.properties via file io.
			 Attempting to load ESAPI.properties via file io.
			 Found in 'org.owasp.esapi.resources' directory: C:\MyApp\conf\esapi\ESAPI.properties
			 Loaded 'ESAPI.properties' properties file
			 Attempting to load validation.properties via file io.
			 Attempting to load validation.properties via file io.
			 Found in 'org.owasp.esapi.resources' directory: C:\MyApp\conf\esapi\validation.properties
			 Loaded 'validation.properties' properties file
			 MyApp Service Started

			 Redirecting System.out and System.err to log4j (what my app uses) prior to esapi loading solves this issue, the problem then is that the last line "MyApp Service Started" never appears, which is critical.

			 --Steve

________________________________

			_______________________________________________
			Esapi-user mailing list
			Esapi-user at lists.owasp.org
			https://lists.owasp.org/mailman/listinfo/esapi-user

		Chris Schmidt
		ESAPI Project Manager (http://www.esapi.org)
		ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
		Blog: http://yet-another-dev.blogspot.com

		_______________________________________________
		Esapi-user mailing list
		Esapi-user at lists.owasp.org
		https://lists.owasp.org/mailman/listinfo/esapi-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20101203/38b9ca4a/attachment.html 