Is there OWSAP ESAPI logging supported in logback for spring boot application? I did a lot of research but could not find much on this. I found out that org.owasp.esapi now supports this after this PR . But this means that I will have to do away with logback. Is there a way that I can implement OWSAP ESAPI logging using logback? We are using slf4j logger that logback provides.
I looked at logback's maven page and there has not been any major release since 2017. So I am guessing that logback does not supports OWSAP ESAPI logging. Please correct me if I am wrong. If that is the case are there any alternatives I can use?
Also according to this spring-boot does not support slf4j 1.8 and above.If that is the case are there any alternatives I can use?
I found out that org.owasp.esap actually delegates the actual logging to our existing infrastructure. So all I had to do is add the correct package and it automatically takes care of the logging via whatever config I have in logback.
Add the esapi dependency to pom.xml
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.2.0.0</version>
</dependency>
Add the ESAPI.properties file to src/main/resources/. This file contains the config properties for the ESAPI logger. Since I was using Slf4j looger, I set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in the file.
Now we can use the ESAPI logger for logging which internally will use the Slf4j logger. As the function definition of the ESAPI logger has an extra argument I had to update all the logger functions accordingly.
For me, the solution was:
Add the next code to my pom.xml
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.2.0.0</version>
</dependency>
Add ESAPI.properties and validation.properties files to src/main/resources/, I took them from this post, of Vaquar Khan answer.
Update the property ESAPI.Logger in the file ESAPI.properties with this code of AshwinSreekumar:
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
I hope it will help you, because in my case, I had to do some extra steps to make it work.
Related
I am using commons-logging which should bridge to Log4J2 in an OSGi environment and so have added the dependencies, export-package and import-package in the pom.xml as below but the logger does not get set to Log4J2 logger. No errors are shown but when debugged I found it being set to JDK14Logger.
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.8.2</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.8.2</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-jcl</artifactId>
<version>2.8.2</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>2.8.2</version>
</dependency>
<Export-Package>
org.apache.logging.log4j.*,
org.apache.commons.logging.*
</Export-Package>
<Import-Package>
!org.apache.logging.log4j.*,
!org.apache.commons.logging.*,
*;resolution:=optional
</Import-Package>
[UPDATE]
From the log4j user mailing list I could figure out that due to the non-modular nature of ServiceLoader. I checked out a few usages of ServiceLoader in the OSGi environment to find implementations of interfaces but still couldn't get how this could be gotten to work.
I tried it using pax logging as well but the result is the same except for that the logger is now being set to JclLogger
As Christian said in the other answer, the best fit for logging in OSGI is the pax-logging bundle.
The Pax-logging is built over SLF4J and can be deployed with different possible implementations:
pax-logging-log4j2 (Log4J2)
pax-logging-logback (Logback)
Before we also used pax-logging-service which was using Log4J version 1 but it is not more recommended as the two other implementations works well.
I personally not tested Logback implementation in OSGI, but Log4j2 is working (with some limitations).
One of the good things with this solution is that you must not import any logging implementation on your bundles, the only things have to you do is:
declare slf4j-api as provided dependency (maven scope)
declare eventually the slf4j-simple as test scope in your maven
You don't need to tweak any of the maven-bundle-plugin options regarding logging of any of your bundles.
Here are the step how to do it in ServiceMix version 7.0.1; this release uses originally the pax-logging-services but the next step shows what need to be changed.
By installing the bundles in the startup.properties (immediately after boot time) you ensure that all libs are loaded in the beginning.
These two replace the older version of pax-logging-api and pax-logging-service replaced by pax-logging-log4j2:
mvn\:org.ops4j.pax.logging/pax-logging-api/1.11.13 = 8
mvn\:org.ops4j.pax.logging/pax-logging-log4j2/1.11.13 = 8
then in the file: org.ops4j.pax.logging.cfg you mentions just the line:
org.ops4j.pax.logging.log4j2.config.file=${karaf.etc}/log4j2.xml
and add your log4j2.xml file in the ${karaf.etc} folder (installation of servicemix/etc).
You have to copy the libs in the ${karaf.home}/system folder.
This is if you just need a standard log file.
Now come the limitations: if you need to generate your log as json document, I was only able to use the deprecated JSONLayout in the log4j2.xml.
For setting up JSONLayout you can follow my other answer.
In short:
Add the three Jackson dependencies in startup.properties:
mvn\:com.fasterxml.jackson.core/jackson-annotations/2.12.4 = 6
mvn\:com.fasterxml.jackson.core/jackson-core/2.12.4 = 6
mvn\:com.fasterxml.jackson.core/jackson-databind/2.12.4 = 6
and also the pax-logging-log4j2-extra (if you're using log4j2 implementation):
mvn\:org.ops4j.pax.logging/pax-logging-log4j2-extra/1.11.13 = 6
On my version I had to add the three following lines in overrides.properties:
mvn:com.fasterxml.jackson.core/jackson-core/2.12.4;range="[2,3)"
mvn:com.fasterxml.jackson.core/jackson-databind/2.12.4;range="[2,3)"
mvn:com.fasterxml.jackson.core/jackson-annotations/2.12.4;range="[2,3)"
I created a simple docker-compose with a servicemix 7.0.1 on github with the two ways of creating json logs (the new JsonTemplateLayout not working at the moment).
If the above is in your user bundle then this is not correct.
In your user bundle you should simply use the commons logging API and not change the settings of the maven bundle plugin.
It will then create Import-Package statements for the commons logging API but not for log4j which is what you want.
You then should install a suitable logging framework at runtime. I know that pax-logging can handle commons logging in a OSGi compatible way. Maybe plain log4j2 also works but I am not sure.
I have a third party library (elasticsearch 5.x) which uses log4j2. My application uses slf4j. Is there an adapter for version 2 of log4j, similar to the version 1 adapter (log4j-over-slf4j)?
Just to clarify: I don't want to actually use log4j or log4j2 as the actual implementation (binding). I use logback for that. So I need a log4j2 to slf4j adapter, not an slf4j binding.
I should also mention that I have found and tried this library (in 2.0-beta version):
https://logging.apache.org/log4j/2.0/log4j-to-slf4j/index.html
but it gives me this error:
Caused by: java.lang.AbstractMethodError: org.apache.logging.slf4j.SLF4JLoggerContextFactory.getContext(Ljava/lang/String;Ljava/lang/ClassLoader;Ljava/lang/Object;Z)Lorg/apache/logging/log4j/spi/LoggerContext;
at org.apache.logging.log4j.LogManager.getContext(LogManager.java:175)
at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:426)
at org.elasticsearch.common.logging.ESLoggerFactory.getLogger(ESLoggerFactory.java:49)
at org.elasticsearch.common.logging.Loggers.getLogger(Loggers.java:105)
at org.elasticsearch.common.logging.Loggers.getLogger(Loggers.java:72)
at org.elasticsearch.common.component.AbstractComponent.<init>(AbstractComponent.java:37)
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:98)
at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:99)
at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:124)
at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:258)
at org.elasticsearch.transport.client.PreBuiltTransportClient.<init>(PreBuiltTransportClient.java:125)
at org.elasticsearch.transport.client.PreBuiltTransportClient.<init>(PreBuiltTransportClient.java:111)
at org.elasticsearch.transport.client.PreBuiltTransportClient.<init>(PreBuiltTransportClient.java:101)
EDIT: Ok.. so I guess I was just blind yesterday and I was only seeing the beta version of this library. Therefore the answer is that there is such as adapter and it is here:
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-to-slf4j https://logging.apache.org/log4j/2.0/log4j-to-slf4j/index.html
The latest version currently is 2.8.2
You should include log4j-to-slf4j-2.x.jar
and ensure to NOT include log4j-slf4j-impl-2.x.jar.
See Log4j to SLF4J Adapter for more details.
Log4j2 itself bundles a slf4j implementation (log4j-slf4j-impl-2.x.jar)
This is one of the jars in the Log4j2 distribution.
Update after the question was clarified:
Log4j2 includes a log4j-to-slf4j bridge “. This is what you need to route Log4j2 logging to another slf4j implementation.
The error mentioned is likely a problem of incompatible versions but the question doesn't mention version numbers so it's hard to say.
From https://logging.apache.org/log4j/2.0/faq.html
You can use the log4j-to-slf4j adapter jar when your application calls the Log4j 2 API and you want to route logging calls to a SLF4J implementation.
Slf4j project does not provide bridge from log4j v2 to Slf4j (it hasn't been mentioned in https://www.slf4j.org/legacy.html).
Maven dependencies:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
<version>2.11.0</version>
</dependency>
Gradle dependency:
compile "org.apache.logging.log4j:log4j-to-slf4j:2.10.0"
Note that above package has transitive dependency on:
org.slf4j:slf4j-api:1.7.25
org.apache.logging.log4j:log4j-api:2.10.0
List of packages: https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-to-slf4j
We use ivy to manage a multi project java application, and recently this error started showing up when we do builds. What's causing this?
This was fixed by adding the following line to the end of the dependencies section in ivy.xml:
<dependencies>
<exclude module="log4j-over-slf4j" />
</dependencies>
Why was it an issue?
Looks like the log4j bridge for sjf4j has an incomplete implementation
This url explains it in more detail.
It looks like the log4j bridge does not implement the full interface for log4j . If you are still using direct log4j calls, you will need both the slf4j bridge jar and the log4j jar
In your case it looks like you excluded the bridge jar, so all slf4j calls go directly to log4j instead of the bridge.
If your code invokes log4j through the xml file , this will work. However if your code programatically invokes log4j initialization this bridge is not going to work
I know this is a very old question but I wanted to share what worked out fine for me. If you have different artifacts of slf4j-log4j* for two projects that are interdependent on each other, for example spring data jpa and spring MVC, this happens. Keep it consistent or even better have a parent pom. In my case I had slf4j-log4j12 on my spring data jpa project and slf4j-log4j13 on my spring MVC one.
Comment this dependency from the pom.xml
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j13</artifactId>
<version>
</dependency>
And add (or keep) the following one:
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.12</version>
</dependency>
Wherever you see a compile time error regarding Log4j, add the following import:
import org.apache.log4j.Logger;
Can anyone tell me the difference between slf4j-log4j and log4j-over-slf4j? Which is more standard to use in a Java web application? I currently have both on the classpath and that is causing a runtime exception as the web server is trying to prevent a StackOverFlowException from happening.
Exception:
java.lang.IllegalStateException:
Detected both log4j-over-slf4j.jar AND slf4j-log4j12.jar on the class path
slf4j-log4j is using log4j as an implementation of slf4j.
log4j-over-slf4j causes calls to the log4j API to be 'routed' to slf4j.
You cannot use both of these JAR's at the same time.
Both are valid libraries to use and are equally 'standard', it depends on the project.
In general, if your project is using log4j already and you don't have the ability to update all of your log4j Loggers to slf4j Loggers; log4j-over-slf4j is a quick fix to be able to start using slf4j immediately.
However, if your project is new or does not have an existing logging mechanism and you choose to use slf4j, slf4j-log4j would be the way to go as it is just specifying slf4j should be bound to log4j.
That being said, I agree with c12's comment. Stop using log4j and instead use slf4j and logback.
in my project , org.slf4j.impl.Log4jLoggerFactory is in
activemq-all-5.7.0.jar
not in slf4j-log4j12.jar
the exception message mislead me
I downloaded a big framework which I need to built from source. The project uses a maven build structure, and includes a demo application which can be viewed with an embedded jetty. Maven plugins handle all this stuff.
However when I run the demo application (with mvn jetty:run), I can't really use it because for some reason logging on the DEBUG level is turned on and the application spends most of its time logging a lot of statements. Responsiveness is reduced to almost nothing.
The framework (geomajas 1.5.0) seems to use SLF4J, but I can't figure out where it is configured or where it can be turned off.
Any ideas welcome... thanks!
Update:
Apparently they use logback. I found the configuration file (logback.xml), in which I edited out the DEBUG levels and replaced them with ERROR
To make sure the changes would propagate, I cleaned the project and rebuilt it. But the issue remains!
I manually looked at the logback.xml files in the target folder, and they've updated. But I still see the log records!
Update 2
I'm on Windows 7 btw.
The simplest and most straight forward way to disable logging would be indeed to use the NOP binding. To do so, edit geomajas/geomajas-dojo-example/pom.xml and change the logging dependencies into:
<!-- logging dependencies, delegate all to slf4j and use logback -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.5.8</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-nop</artifactId>
<version>1.5.8</version>
</dependency>
And run mvn jetty:run.
looking at this slf4j manual/overview http://www.slf4j.org/manual.html it looks like you could turn off all logging by using the slf4j NOP jar (slf4j-nop-1.5.10.jar). So you'd probably need to find and replace the current slf4j implementation jar in your projects WEB-INF/lib folder with the NOP jar.
Though most likely it's using a log4j implementation, if that's the case you'd need to find the log4j.xml or log4j.properties and edit/remove them. They could be tricky to find though - first look in WEB-INF/classes and then in some sort of config directory would be a good start.
EDIT {
A bit ugly but if you just want to get it up and running as fast as possible you could redirect stdout and stderr to /dev/null which should make it a bit faster as it won't be writing to disk or console:
mvn jetty:run > dev/null 2>&1
}
HTH
Try to find out a log4j configuration (if it is used for logging) - that might be log4j.xml (or log4j.properties) file. If you remove this file from classpath there will be no logging at all. If you want to reduce level of logs try to comment out some logger sections in this file, like e.g.
<!--<logger name="org.hibernate">
<level value="debug"/>
<appender-ref ref="hibernate-file"/>
</logger>-->
For this example there will be no logs for classes from org.hibernate package.
Geomajas uses logback for the sample applications. You can configure the logging using the logback.xml file in src/main/resources.
Switching everything off can be done using a config file like:
<configuration>
<root>
<level value="OFF"/>
</root>
</configuration>
Kind regards,
Joachim