|
16 | 16 | package org.owasp.esapi; |
17 | 17 |
|
18 | 18 | /** |
19 | | - * The Logger interface defines a set of methods that can be used to log |
| 19 | + * The {@code Logger} interface defines a set of methods that can be used to log |
20 | 20 | * security events. It supports a hierarchy of logging levels which can be configured at runtime to determine |
21 | 21 | * the severity of events that are logged, and those below the current threshold that are discarded. |
22 | 22 | * Implementors should use a well established logging library |
23 | 23 | * as it is quite difficult to create a high-performance logger. |
24 | | - * <P> |
| 24 | + * <p> |
25 | 25 | * The logging levels defined by this interface (in descending order) are: |
26 | 26 | * <ul> |
27 | 27 | * <li>fatal (highest value)</li> |
|
33 | 33 | * </ul> |
34 | 34 | * There are also several variations of {@code always()} methods that will <i>always</i> |
35 | 35 | * log a message regardless of the log level. |
36 | | - * <p> |
| 36 | + * </p><p> |
37 | 37 | * ESAPI also allows for the definition of the type of log event that is being generated. |
38 | | - * The Logger interface predefines 6 types of Log events: |
| 38 | + * The {@code Logger} interface predefines 6 types of Log events: |
39 | 39 | * <ul> |
40 | 40 | * <li>SECURITY_SUCCESS</li> |
41 | 41 | * <li>SECURITY_FAILURE</li> |
|
44 | 44 | * <li>EVENT_FAILURE</li> |
45 | 45 | * <li>EVENT_UNSPECIFIED</li> |
46 | 46 | * </ul> |
47 | | - * <p> |
48 | | - * Your implementation can extend or change this list if desired. |
49 | | - * <p> |
50 | | - * This Logger allows callers to determine which logging levels are enabled, and to submit events |
| 47 | + * </p><p> |
| 48 | + * Your custom implementation can extend or change this list if desired. |
| 49 | + * </p><p> |
| 50 | + * This {@code Logger} allows callers to determine which logging levels are enabled, and to submit events |
51 | 51 | * at different severity levels.<br> |
52 | 52 | * <br>Implementors of this interface should: |
53 | 53 | * |
54 | 54 | * <ol> |
55 | | - * <li>provide a mechanism for setting the logging level threshold that is currently enabled. This usually works by logging all |
| 55 | + * <li>Provide a mechanism for setting the logging level threshold that is currently enabled. This usually works by logging all |
56 | 56 | * events at and above that severity level, and discarding all events below that level. |
57 | 57 | * This is usually done via configuration, but can also be made accessible programmatically.</li> |
58 | | - * <li>ensure that dangerous HTML characters are encoded before they are logged to defend against malicious injection into logs |
| 58 | + * <li>Ensure that dangerous HTML characters are encoded before they are logged to defend against malicious injection into logs |
59 | 59 | * that might be viewed in an HTML based log viewer.</li> |
60 | | - * <li>encode any CRLF characters included in log data in order to prevent log injection attacks.</li> |
61 | | - * <li>avoid logging the user's session ID. Rather, they should log something equivalent like a |
| 60 | + * <li>Encode any CRLF characters included in log data in order to prevent log injection attacks.</li> |
| 61 | + * <li>Avoid logging the user's session ID. Rather, they should log something equivalent like a |
62 | 62 | * generated logging session ID, or a hashed value of the session ID so they can track session specific |
63 | 63 | * events without risking the exposure of a live session's ID.</li> |
64 | | - * <li>record the following information with each event:</li> |
| 64 | + * <li>Record the following information with each event:</li> |
65 | 65 | * <ol type="a"> |
66 | | - * <li>identity of the user that caused the event,</li> |
67 | | - * <li>a description of the event (supplied by the caller),</li> |
68 | | - * <li>whether the event succeeded or failed (indicated by the caller),</li> |
69 | | - * <li>severity level of the event (indicated by the caller),</li> |
70 | | - * <li>that this is a security relevant event (indicated by the caller),</li> |
71 | | - * <li>hostname or IP where the event occurred (and ideally the user's source IP as well),</li> |
72 | | - * <li>a time stamp</li> |
| 66 | + * <li>Identity of the user that caused the event.</li> |
| 67 | + * <li>A description of the event (supplied by the caller).</li> |
| 68 | + * <li>Whether the event succeeded or failed (indicated by the caller).</li> |
| 69 | + * <li>Severity level of the event (indicated by the caller).</li> |
| 70 | + * <li>That this is a security relevant event (indicated by the caller).</li> |
| 71 | + * <li>Hostname or IP where the event occurred (and ideally the user's source IP as well).</li> |
| 72 | + * <li>A date/time stamp.</li> |
73 | 73 | * </ol> |
74 | 74 | * </ol> |
75 | 75 | * |
76 | 76 | * Custom logger implementations might also: |
77 | 77 | * <ol start="6"> |
78 | | - * <li>filter out any sensitive data specific to the current application or organization, such as credit cards, |
| 78 | + * <li>Filter out any sensitive data specific to the current application or organization, such as credit cards, |
79 | 79 | * social security numbers, etc.</li> |
80 | 80 | * </ol> |
81 | 81 | * |
82 | | - * There are both Log4j and native Java Logging default implementations. JavaLogger uses the java.util.logging package as the basis for its logging |
83 | | - * implementation. Both default implementations implements requirements #1 thru #5 above.<br> |
84 | | - * <br> |
85 | | - * Customization: It is expected that most organizations will implement their own custom Logger class in |
86 | | - * order to integrate ESAPI logging with their logging infrastructure. The ESAPI Reference Implementation |
87 | | - * is intended to provide a simple functional example of an implementation. |
| 82 | + * There are both SLF4J and native Java Logging (i.e., {@code java.util.logging}, aka JUL) implementations |
| 83 | + * of the ESAPI logger with JUL being our default logger for our stock <b>ESAPI.properties</b> file that |
| 84 | + * is delivered along with ESAPI releases in a separate <b>esapi-configuration</b> jar available from the |
| 85 | + * releases mentioned on |
| 86 | + * <a href="https://github.com/ESAPI/esapi-java-legacy/releases/">ESAPI's GitHub Releases page</a>. |
| 87 | + * </p><p> |
| 88 | + * The {@code org.owasp.esapi.logging.java.JavaLogger} class uses the {@code java.util.logging} package as |
| 89 | + * the basis for its logging implementation. Both provided implementations implement requirements #1 through #5 above. |
| 90 | + * </p><p> |
| 91 | + * <i>Customization</i>: It is expected that most organizations may wish to implement their own custom {@code Logger} class in |
| 92 | + * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI feference implementations |
| 93 | + * can serve as a useful starting point to intended to provide a simple functional example of an implementation, but |
| 94 | + * they are also largely usuable out-of-the-box with some additional minimal log configuration. |
88 | 95 | * |
89 | 96 | * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a |
90 | 97 | * href="http://www.aspectsecurity.com">Aspect Security</a> |
|
0 commit comments