I’m working on a maven project that has dependencies to large libraries. There are lots of transitive dependencies and they do not follow any conventions. I can not change any source code of the libraries. Let’s simply call them third-party legacy libraries.
What is the best way to do the logging?
My research got me to the conclusion to use either SLF4J API or Log4j2 API. See https://logging.apache.org/log4j/2.0/faq.html#api-tradeoffs
However, I’m not sure how to clean up the mess originating from the third-party libraries.
They use all kind of (legacy) Logging Libraries (JUL, Log4j v1, Apache Commons Logging JCL, etc.).
Those libraries are used in different versions.
I know that you can Bridge legacy APIs: https://www.slf4j.org/legacy.html But how do I know which bridge I need when there’s such a mess?
At the moment, I added the following dependencies:
<dependency> <!-- Facade for logging systems -->
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.17.1</version>
</dependency>
<dependency> <!-- actual logging implementation -->
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.1</version>
</dependency>
Logging something in my project is easy:
Logger logger = LogManager.getLogger(ConfigurationService.class)
logger.info("Initializing…");
Is there any easy way to make sure all logging libraries get bridged?
What happens to the logs that don’t get bridged?
Do I need to exclude each and every logging library from each dependency like this?
<dependency>
<groupId>someGroupId</groupId>
<artifactId>someArtifact</artifactId>
<exclusions>
<exclusion>
<artifactId>commons-logging</artifactId>
<groupId>commons-logging</groupId>
</exclusion>
</exclusions>
</dependency>
I know that this question is not very specific. But after doing hours of research, I didn't find an easy solution to this problem. I would like to know how you would approach this problem.
Related
I use Lombok.
Some time ago when building a project, the compiler started issuing the following message:
Found slf4j-api dependency but no providers were found. Did you mean
to add slf4j-simple? See https://www.slf4j.org/codes.html#noProviders
.
If you follow the link, there is a rather vague comment:
This warning, i.e. not an error, message is reported when no SLF4J
providers could be found on the class path. Placing one (and only one)
of slf4j-nop.jar slf4j-simple.jar, slf4j-log4j12.jar, slf4j-jdk14.jar
or logback-classic.jar on the class path should solve the problem.
Note that these providers must target slf4j-api 1.8 or later.
In the absence of a provider, SLF4J will default to a no-operation
(NOP) logger provider.
Please note that slf4j-api version 1.8.x and later use the
ServiceLoader mechanism. Earlier versions relied on the static binder
mechanism which is no longer honored by slf4j-api. Please read the FAQ
entry What has changed in SLF4J version 1.8.0? for further important
details.
If you are responsible for packaging an application and do not care
about logging, then placing slf4j-nop.jar on the class path of your
application will get rid of this warning message. Note that embedded
components such as libraries or frameworks should not declare a
dependency on any SLF4J providers but only depend on slf4j-api. When a
library declares a compile-time dependency on a SLF4J provider, it
imposes that provider on the end-user, thus negating SLF4J's purpose.
I have no idea how to do it correctly. If you have an experience, please, explain me how to do it.
As stated in tutorialspoint :
SLF4J stands for Simple Logging Facade for Java. It provides a simple
abstraction of all the logging frameworks. It enables a user to work
with any of the logging frameworks such as Log4j, Logback, JUL
(java.util.logging), etc. using single dependency.
This means that you have to provide a concrete java logging library on your classpath on top of the dependency for SLF4J itself (Example with Maven):
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-api -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>2.0.0-alpha0</version>
</dependency>
You will also need to specify the dependency on your preferred logging library. For instance:
For standard jdk1.4 logging :
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-jdk14 -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-jdk14</artifactId>
<version>2.0.0-alpha0</version>
<scope>runtime</scope>
</dependency>
For slf4j-simple logging :
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-simple -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
<version>2.0.0-alpha0</version>
<scope>runtime</scope>
</dependency>
For log4j logging :
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12 -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>2.0.0-alpha0</version>
<scope>runtime</scope>
</dependency>
Refer this Page: http://www.slf4j.org/codes.html#noProviders
You may add either of the following dependencies: Placing one (and only one) of slf4j-nop.jar slf4j-simple.jar, slf4j-log4j12.jar, slf4j-jdk14.jar or logback-classic.jar on the class path should solve the problem
I used "slf4j-simple" maven dependency from https://mvnrepository.com/artifact/org.slf4j/log4j-over-slf4j
This can be due to the version of slf4J API and you are using. try this changing the version like this.
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.25</version>
</dependency>
I'm getting the following error:
Exception in thread "main" java.lang.NoClassDefFoundError:
org/slf4j/LoggerFactory
I need to include slf4j as a dependency but I'm not sure which jar file to download from https://repo1.maven.org/maven2/org/slf4j/.
I tried org/slf4j/slf4j-api which doesn't work. How do I determine which one is correct?
slf4j is a library that is used as an abstraction of each logging implementation framework such as log4j, logback or Jakarta Commons Logging. If your intent is to use it, you have to also define the concrete framework you want to use under the wood, for example for log4j, your pom dependencies will look like this:
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.30</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
Depending on the framework you want to use, the dependencies will be a bit different.
This excellent link will give your more details.
SLF4J is a logging API. Combine it with Logback (written by the same people as SLF4J) which implements that logging API:
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<scope>runtime</scope>
</dependency>
Find the latest stable versions on mvnrepository.com. Currently logback 1.2.11 and slf4J 1.7.32. Note the the vulnerabilities mentioned on logback 1.2.11 are because of an optional dependency on log4J 1.x (which you don't get automatically, so it's safe to use logback 1.2.11 at the time of writing).
I've started writing a new application in Java 11 and while running the application I got this below error. I read about this issue and looks like it is a case of split package . But I'm not sure how can I fix this issue.
java.lang.module.ResolutionException: Modules slf4j.log4j12 and log4j export package org.apache.log4j to module kubernetes.model.common
I've below dependencies in pom for log4j and slf4j.
log4j
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.26</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.26</version>
</dependency>
log4j2
When I tried to use log4j2 with following dependencies I got different error
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.7</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.7</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.7</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.6</version>
java.lang.module.ResolutionException: Modules log4j.core and log4j.api export package org.apache.logging.log4j to module java.annotation
slf4j-log4j12 contains a class named org.apache.log4j.MDCFriend.
As I recall this is to fix a bug in log4j 1.x that occurred when the version detection pattern was changed in Java 9. Since Log4j 1.x reached the end of life in August 2015 the bug cannot be fixed there so SLF4J introduced this "fix". Unfortunately, using the org.apache.log4j package outside of the log4j jar is forbidden in the Java module system which is what is causing the problem you are seeing.
Also, note that the security bug CVE-2019-17571 has been created for Log4j 1.x. While your application probably won't be vulnerable to the problem it will show up on security scans.
You have a few options:
Create a bug report against SLF4J and hope that it gets fixed.
Create your own fork of slf4j-log4j12 and fix it yourself.
Upgrade from Log4j 1 to Log4j 2 (the solution I would recommend for a new application).
Use an SLF4J implementation other than Log4j 2.
I encounterd the same error, but when I use log4j-core version 2.13.3 ,the error disappears.
My logging dependencies currently look like this:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
<version>2.9.1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependencies>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.25</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
</dependency>
I noticed that commons-logging.jar is still in my classpath, for some reason. Should I exclude that or doesn't that cause any issues?
I didn't notice any problems so far, but I'm still wondering if that jar would still cause problems somehow.
There are dependencies that use commons-logging. If it's not present, you'll get NoClassDefFoundErrors when they attempt to log. If there were a possibility to have those not even try to use the dependency, it wouldn't be a problem. However that's not very likely.
However, if they use commons-logging but you're using SLF4J, then there's a problem. They're logging in the wrong place (from your point of view). This is where logging bridges come to work. They implement the public API of different logging frameworks, but redirect the logging to what you're using.
For SLF4J there are several bridges (both ways), so instead of bringing in commons-logging, you bring in jcl-over-slf4j. Libraries will think they're using commons-logging, when they're actually using SLF4J (which then uses an actual logging implementation like Logback).
Easy, huh? ;)
Yes, exclude the commons-logging dependency and add the log4j-jcl bridge instead:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-jcl</artifactId>
</dependency>
SLF4J API is also redundant because it is already a transitive dependency of the log4j-slf4j-impl binding.
I am pretty new in Maven and I am following this tutorial to add the Twitter BootStrap CSS framework to a Java web application based on Spring:
<dependency>
<groupId>org.webjars</groupId>
<artifactId>bootstrap</artifactId>
<version>3.2.0</version>
<exclusions>
<exclusion>
<groupId>org.webjars</groupId>
<artifactId>jquery</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>jquery</artifactId>
<version>2.1.1</version>
</dependency>
So from what I know it is downloading 2 dependency that are putted into my project. The first one seems related to BootStrap and the second one to JQuery.
And here my first doubt: in the past I always used Maven (I am not so into it) only to download Java dependencies (jar files containing Java classes). What it means the previous code snippet? That can I use Maven also to download and insert other stuff (as BootStrap and JQuery)?
What exaclty means the:
<exclusions>
<exclusion>
<groupId>org.webjars</groupId>
<artifactId>jquery</artifactId>
</exclusion>
</exclusions>
into the bootstrap artifact definition?
Tnx
The webjars documentation says:
Using a WebJar requires:
The WebJar needs to be a dependency of your application
The WebJar needs to be in your application's running CLASSPATH
Your container, web framework, or application needs to serve static assets from Jar files
So basically you are loading a Java .jar file that contains resources. How exactly you load those resources and insert them in your web application is up to you. The documentation contains examples how to load webjars with various web frameworks, including Spring.
<exclusions> are used to exclude transitive dependencies from your project in maven. Bootstrap requires jquery, so if you add the bootstrap dependency, it will also load jquery by default. If you don't want the jquery jar (for example if you are already loading it by other means) then you should exclude it. I think the intention in the code example was to change the jquery version. There is no need to use exclusion though because the jquery dependency is explicitly defined anyway and will override the jquery version the defined by bootstrap .