[Esapi-user] Console Logging
Chris Schmidt
chris.schmidt at owasp.org
Fri Dec 3 12:58:51 EST 2010
Jim I don't think making the logSpecial methods protected is complex at
all and provides the most flexibility.
On 12/3/10 10:54 AM, "Springett Steven" <sspringett at us.axway.com> wrote:
> Thanks Jim and Chris.
>
> Chris, your second solution would solve all of my current requirements
> without having to hack up my code too much.
>
> Jim, redirecting System.out does work, but I only want to redirect it for
> uninitialized esapi calls, not for my calls to System.out. As a workaround
> this is what I'm currently doing; and it's ugly...
>
> - record default printstream for System.out and System.err to static
> variables.
> - redirect System.out and System.err to log4j
> - load and initialize esapi
> - put the original System.out & System.err printstreams back
>
>
>
> From: Jim Manico <jim.manico at owasp.org>
> Sent: Fri, 3 Dec 2010 11:42:55 -0600
> To: Chris Schmidt <chris.schmidt at owasp.org>
> Cc: Springett Steven <sspringett at us.axway.com>, ESAPI Users <esapi-user at lists.owasp.org>
> Subject: Re: [Esapi-user] Console Logging
>
>
>>
>> Chris,
>>
>>
>>
>> This is overly complex. In the short term, I'd recommend just redirecting
>> System.out and System.err to your logger. You can do this without touching
>> the ESAPI code. In fact, I think this is the final solution so we can close
>> this issue. See:
>>
>>
>>
>> http://edivad.wordpress.com/2007/02/26/systemout-and-systemerr-over-log4j/
>>
>>
>>
>> For more information.
>>
>>
>> -Jim Manico
>> http://manico.net
>>
>>
>>
>> On Dec 3, 2010, at 11:24 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>>
>>
>>
>>>
>>> There is no mechanism for doing this at the current time, however it
>>> would seem this would be a fairly standard request (at least to just be able
>>> to disable the console logging at startup)
>>>
>>> Would it be acceptable to disable console logging with an option passed
>>> into such as
>>>
>>> -Desapi.logspecial.enabled=false
>>>
>>> I think we will want this enabled by default, but I agree that there should
>>> be a means to turn it off.
>>>
>>> As for redirecting the output to another logger it would be possible but
>>> it would have to be code that you wrote. Since the logSpecial methods are
>>> currently private you would have to write your own implementation. However,
>>> it would probably make sense to make the logSpecial methods protected so
>>> that a custom implementation could be written which redirects logSpecial
>>> calls to some other logger.
>>>
>>> You could do something like this:
>>>
>>> public class MySecurityConfiguration extends DefaultSecurityConfiguration {
>>>     @Override
>>>     protected void logSpecial(String message) {
>>>         MyLogger.logMessage(message);
>>>     }
>>>
>>>     @Override
>>>     protected void logSpecial(String message, Exception e) {
>>>         MyLogger.logError(e, message);
>>>     }
>>> }
>>>
>>> This would be a simple change to make but like I said, it is dependent on
>>> the logSpecial methods being changed to protected scope since they are
>>> currently private.
>>>
>>> Either way, to implement this will require changes to the ESAPI
>>> DefaultSecurityConfiguration class. Can you add your request to the Google
>>> Code issue tracker so we can vote and discuss there?
>>>
>>> On 12/3/10 9:49 AM, "Springett Steven" <sspringett at us.axway.com> wrote:
>>>
>>>
>>>> I'm having an issue with logging in esapi.
>>>>
>>>> When my application is starting up, it initializes its logging and does
>>>> other things, then it loads esapi. The esapi logger is not initialized yet
>>>> so it dumps a bunch of logging messages to System.out via the logSpecial()
>>>> method.
>>>>
>>>> What I would like is a way to configure esapi to disable console logging
>>>> or to redirect console logging to another type of object which then could
>>>> be used by my application that already has its logging system
>>>> initialized.
>>>>
>>>> This is the issue that I'm currently having. My server is a console-based
>>>> app. Startup should look like this:
>>>>
>>>>
>>>> MyApp Service Starting
>>>> License successfully validated
>>>> Loading database schemas
>>>> Database schema being created or updated for MyApp
>>>> Finished loading database schemas
>>>> MyApp Service Started
>>>>
>>>> Instead, it looks like this:
>>>>
>>>> MyApp Service Starting
>>>> License successfully validated
>>>> Loading database schemas
>>>> Database schema being created or updated for MyApp
>>>> Finished loading database schemas
>>>> Attempting to load ESAPI.properties via file io.
>>>> Attempting to load ESAPI.properties via file io.
>>>> Found in 'org.owasp.esapi.resources' directory:
>>>> C:\MyApp\conf\esapi\ESAPI.properties
>>>> Loaded 'ESAPI.properties' properties file
>>>> Attempting to load validation.properties via file io.
>>>> Attempting to load validation.properties via file io.
>>>> Found in 'org.owasp.esapi.resources' directory:
>>>> C:\MyApp\conf\esapi\validation.properties
>>>> Loaded 'validation.properties' properties file
>>>> MyApp Service Started
>>>>
>>>>
>>>> Redirecting System.out and System.err to log4j (what my app uses) prior
>>>> to esapi loading solves this issue, the problem then is that the last line
>>>> "MyApp Service Started" never appears, which is critical.
>>>>
>>>> --Steve
>>>>
>>>>
>>>> _______________________________________________
>>>> Esapi-user mailing list
>>>> Esapi-user at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/esapi-user
>>>>
>>>
>>> Chris Schmidt
>>> ESAPI Project Manager (http://www.esapi.org)
>>> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
>>> Blog: http://yet-another-dev.blogspot.com
>>>
>>>
>>>
>>
>>
>
Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com
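
Added example (not part of the thread, and not ESAPI code): the four-step workaround Steve describes, with the restore step placed in a finally block so System.out and System.err come back even if initialization throws. The names ScopedConsoleRedirect, LineSink and runRedirected are hypothetical, the Runnable stands in for the ESAPI load step, and the list stands in for the application's log4j logger.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.io.PrintStream;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

public class ScopedConsoleRedirect {

    /** Collects bytes and hands each completed line to a sink (e.g. a logger call).
     *  The sink must not itself print to System.out/err, or output would recurse. */
    static final class LineSink extends OutputStream {
        private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        private final Consumer<String> sink;

        LineSink(Consumer<String> sink) { this.sink = sink; }

        @Override public synchronized void write(int b) {
            if (b == '\n') { emit(); } else if (b != '\r') { buf.write(b); }
        }

        @Override public synchronized void close() { emit(); }  // trailing partial line

        private void emit() {
            if (buf.size() > 0) { sink.accept(buf.toString()); buf.reset(); }
        }
    }

    /** Runs init with System.out/err routed to the sink, then always restores them. */
    static void runRedirected(Consumer<String> sink, Runnable init) {
        PrintStream origOut = System.out, origErr = System.err;   // step 1: record
        PrintStream capture = new PrintStream(new LineSink(sink), true);
        System.setOut(capture);                                   // step 2: redirect
        System.setErr(capture);
        try {
            init.run();                                           // step 3: load ESAPI
        } finally {
            System.setOut(origOut);                               // step 4: put back
            System.setErr(origErr);
            capture.close();
        }
    }

    public static void main(String[] args) {
        List<String> captured = new ArrayList<>();  // stand-in for the app's logger
        System.out.println("MyApp Service Starting");
        // Constructed stand-in for the ESAPI load, which prints via logSpecial().
        runRedirected(captured::add, () ->
            System.out.println("Attempting to load ESAPI.properties via file io."));
        System.out.println("MyApp Service Started");  // reaches the real console
        System.out.println("captured lines: " + captured);
    }
}
```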