|
2 | 2 |
|
3 | 3 | import java.io.Serializable; |
4 | 4 | import java.util.HashMap; |
5 | | -import java.util.logging.Level; |
6 | 5 |
|
7 | | -import javax.servlet.http.HttpServletRequest; |
8 | | -import javax.servlet.http.HttpSession; |
9 | | - |
10 | | -import org.owasp.esapi.ESAPI; |
11 | 6 | import org.owasp.esapi.LogFactory; |
12 | 7 | import org.owasp.esapi.Logger; |
13 | | -import org.owasp.esapi.User; |
14 | 8 |
|
15 | 9 | /** |
16 | 10 | * Reference implementation of the LogFactory and Logger interfaces. This implementation uses the Java logging package, and marks each |
@@ -70,334 +64,6 @@ public Logger getLogger(String moduleName) { |
70 | 64 | } |
71 | 65 |
|
72 | 66 |
|
73 | | - /** |
74 | | - * A custom logging level defined between Level.SEVERE and Level.WARNING in logger. |
75 | | - */ |
76 | | - public static class JavaLoggerLevel extends Level { |
77 | | - |
78 | | - protected static final long serialVersionUID = 1L; |
79 | | - |
80 | | - /** |
81 | | - * Defines a custom error level below SEVERE but above WARNING since this level isn't defined directly |
82 | | - * by java.util.Logger already. |
83 | | - */ |
84 | | - public static final Level ERROR_LEVEL = new JavaLoggerLevel( "ERROR", Level.SEVERE.intValue() - 1); |
85 | | - |
86 | | - /** |
87 | | - * Constructs an instance of a JavaLoggerLevel which essentially provides a mapping between the name of |
88 | | - * the defined level and its numeric value. |
89 | | - * |
90 | | - * @param name The name of the JavaLoggerLevel |
91 | | - * @param value The associated numeric value |
92 | | - */ |
93 | | - protected JavaLoggerLevel(String name, int value) { |
94 | | - super(name, value); |
95 | | - } |
96 | | - } |
97 | | - |
98 | | - /** |
99 | | - * Reference implementation of the Logger interface. |
100 | | - * |
101 | | - * It implements most of the recommendations defined in the Logger interface description. It does not |
102 | | - * filter out any sensitive data specific to the current application or organization, such as credit |
103 | | - * cards, social security numbers, etc. |
104 | | - * |
105 | | - * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a href="http://www.aspectsecurity.com">Aspect Security</a> |
106 | | - * @since June 1, 2007 |
107 | | - * @see org.owasp.esapi.LogFactory |
108 | | - */ |
109 | | - private static class JavaLogger implements org.owasp.esapi.Logger { |
110 | | - |
111 | | - /** The jlogger object used by this class to log everything. */ |
112 | | - private java.util.logging.Logger jlogger = null; |
113 | | - |
114 | | - /** The module name using this log. */ |
115 | | - private String moduleName = null; |
116 | | - |
117 | | - /** The application name defined in ESAPI.properties */ |
118 | | - private String applicationName=ESAPI.securityConfiguration().getApplicationName(); |
119 | | - |
120 | | - /** Log the application name? */ |
121 | | - private static boolean logAppName = ESAPI.securityConfiguration().getLogApplicationName(); |
122 | | - |
123 | | - /** Log the server ip? */ |
124 | | - private static boolean logServerIP = ESAPI.securityConfiguration().getLogServerIP(); |
125 | | - |
126 | | - /** |
127 | | - * Public constructor should only ever be called via the appropriate LogFactory |
128 | | - * |
129 | | - * @param moduleName the module name |
130 | | - */ |
131 | | - private JavaLogger(String moduleName) { |
132 | | - this.moduleName = moduleName; |
133 | | - this.jlogger = java.util.logging.Logger.getLogger(applicationName + ":" + moduleName); |
134 | | - } |
135 | | - |
136 | | - /** |
137 | | - * {@inheritDoc} |
138 | | - * Note: In this implementation, this change is not persistent, |
139 | | - * meaning that if the application is restarted, the log level will revert to the level defined in the |
140 | | - * ESAPI SecurityConfiguration properties file. |
141 | | - */ |
142 | | - public void setLevel(int level) |
143 | | - { |
144 | | - try { |
145 | | - jlogger.setLevel(convertESAPILeveltoLoggerLevel( level )); |
146 | | - } |
147 | | - catch (IllegalArgumentException e) { |
148 | | - this.error(Logger.SECURITY_FAILURE, "", e); |
149 | | - } |
150 | | - } |
151 | | - |
152 | | - /** |
153 | | - * {@inheritDoc} |
154 | | - * @see org.owasp.esapi.reference.Log4JLogger#getESAPILevel() |
155 | | - */ |
156 | | - public int getESAPILevel() { |
157 | | - return jlogger.getLevel().intValue(); |
158 | | - } |
159 | | - |
160 | | - /** |
161 | | - * Converts the ESAPI logging level (a number) into the levels used by Java's logger. |
162 | | - * @param level The ESAPI to convert. |
163 | | - * @return The Java logging Level that is equivalent. |
164 | | - * @throws IllegalArgumentException if the supplied ESAPI level doesn't make a level that is currently defined. |
165 | | - */ |
166 | | - private static Level convertESAPILeveltoLoggerLevel(int level) |
167 | | - { |
168 | | - switch (level) { |
169 | | - case Logger.OFF: return Level.OFF; |
170 | | - case Logger.FATAL: return Level.SEVERE; |
171 | | - case Logger.ERROR: return JavaLoggerLevel.ERROR_LEVEL; // This is a custom level. |
172 | | - case Logger.WARNING: return Level.WARNING; |
173 | | - case Logger.INFO: return Level.INFO; |
174 | | - case Logger.DEBUG: return Level.FINE; |
175 | | - case Logger.TRACE: return Level.FINEST; |
176 | | - case Logger.ALL: return Level.ALL; |
177 | | - default: { |
178 | | - throw new IllegalArgumentException("Invalid logging level. Value was: " + level); |
179 | | - } |
180 | | - } |
181 | | - } |
182 | | - |
183 | | - /** |
184 | | - * {@inheritDoc} |
185 | | - */ |
186 | | - public void trace(EventType type, String message, Throwable throwable) { |
187 | | - log(Level.FINEST, type, message, throwable); |
188 | | - } |
189 | | - |
190 | | - /** |
191 | | - * {@inheritDoc} |
192 | | - */ |
193 | | - public void trace(EventType type, String message) { |
194 | | - log(Level.FINEST, type, message, null); |
195 | | - } |
196 | | - |
197 | | - /** |
198 | | - * {@inheritDoc} |
199 | | - */ |
200 | | - public void debug(EventType type, String message, Throwable throwable) { |
201 | | - log(Level.FINE, type, message, throwable); |
202 | | - } |
203 | | - |
204 | | - /** |
205 | | - * {@inheritDoc} |
206 | | - */ |
207 | | - public void debug(EventType type, String message) { |
208 | | - log(Level.FINE, type, message, null); |
209 | | - } |
210 | | - |
211 | | - /** |
212 | | - * {@inheritDoc} |
213 | | - */ |
214 | | - public void info(EventType type, String message) { |
215 | | - log(Level.INFO, type, message, null); |
216 | | - } |
217 | | - |
218 | | - /** |
219 | | - * {@inheritDoc} |
220 | | - */ |
221 | | - public void info(EventType type, String message, Throwable throwable) { |
222 | | - log(Level.INFO, type, message, throwable); |
223 | | - } |
224 | | - |
225 | | - /** |
226 | | - * {@inheritDoc} |
227 | | - */ |
228 | | - public void warning(EventType type, String message, Throwable throwable) { |
229 | | - log(Level.WARNING, type, message, throwable); |
230 | | - } |
231 | | - |
232 | | - /** |
233 | | - * {@inheritDoc} |
234 | | - */ |
235 | | - public void warning(EventType type, String message) { |
236 | | - log(Level.WARNING, type, message, null); |
237 | | - } |
| 67 | + |
238 | 68 |
|
239 | | - /** |
240 | | - * {@inheritDoc} |
241 | | - */ |
242 | | - public void error(EventType type, String message, Throwable throwable) { |
243 | | - log(Level.SEVERE, type, message, throwable); |
244 | | - } |
245 | | - |
246 | | - /** |
247 | | - * {@inheritDoc} |
248 | | - */ |
249 | | - public void error(EventType type, String message) { |
250 | | - log(Level.SEVERE, type, message, null); |
251 | | - } |
252 | | - |
253 | | - /** |
254 | | - * {@inheritDoc} |
255 | | - */ |
256 | | - public void fatal(EventType type, String message, Throwable throwable) { |
257 | | - log(Level.SEVERE, type, message, throwable); |
258 | | - } |
259 | | - |
260 | | - /** |
261 | | - * {@inheritDoc} |
262 | | - */ |
263 | | - public void fatal(EventType type, String message) { |
264 | | - log(Level.SEVERE, type, message, null); |
265 | | - } |
266 | | - |
267 | | - /** |
268 | | - * Log the message after optionally encoding any special characters that might be dangerous when viewed |
269 | | - * by an HTML based log viewer. Also encode any carriage returns and line feeds to prevent log |
270 | | - * injection attacks. This logs all the supplied parameters plus the user ID, user's source IP, a logging |
271 | | - * specific session ID, and the current date/time. |
272 | | - * |
273 | | - * It will only log the message if the current logging level is enabled, otherwise it will |
274 | | - * discard the message. |
275 | | - * |
276 | | - * @param level defines the set of recognized logging levels (TRACE, INFO, DEBUG, WARNING, ERROR, FATAL) |
277 | | - * @param type the type of the event (SECURITY SUCCESS, SECURITY FAILURE, EVENT SUCCESS, EVENT FAILURE) |
278 | | - * @param message the message |
279 | | - * @param throwable the throwable |
280 | | - */ |
281 | | - private void log(Level level, EventType type, String message, Throwable throwable) { |
282 | | - |
283 | | - // Check to see if we need to log |
284 | | - if (!jlogger.isLoggable( level )) return; |
285 | | - |
286 | | - // ensure there's something to log |
287 | | - if ( message == null ) { |
288 | | - message = ""; |
289 | | - } |
290 | | - |
291 | | - // ensure no CRLF injection into logs for forging records |
292 | | - String clean = message.replace( '\n', '_' ).replace( '\r', '_' ); |
293 | | - if ( ESAPI.securityConfiguration().getLogEncodingRequired() ) { |
294 | | - clean = ESAPI.encoder().encodeForHTML(message); |
295 | | - if (!message.equals(clean)) { |
296 | | - clean += " (Encoded)"; |
297 | | - } |
298 | | - } |
299 | | - |
300 | | - // log server, port, app name, module name -- server:80/app/module |
301 | | - StringBuilder appInfo = new StringBuilder(); |
302 | | - if ( ESAPI.currentRequest() != null && logServerIP ) { |
303 | | - appInfo.append( ESAPI.currentRequest().getLocalAddr() + ":" + ESAPI.currentRequest().getLocalPort() ); |
304 | | - } |
305 | | - if ( logAppName ) { |
306 | | - appInfo.append( "/" + applicationName ); |
307 | | - } |
308 | | - appInfo.append( "/" + moduleName ); |
309 | | - |
310 | | - //get the type text if it exists |
311 | | - String typeInfo = ""; |
312 | | - if (type != null) { |
313 | | - typeInfo += type + " "; |
314 | | - } |
315 | | - |
316 | | - // log the message |
317 | | - jlogger.log(level, "[" + typeInfo + getUserInfo() + " -> " + appInfo + "] " + clean, throwable); |
318 | | - } |
319 | | - |
320 | | - /** |
321 | | - * {@inheritDoc} |
322 | | - */ |
323 | | - public boolean isDebugEnabled() { |
324 | | - return jlogger.isLoggable(Level.FINE); |
325 | | - } |
326 | | - |
327 | | - /** |
328 | | - * {@inheritDoc} |
329 | | - */ |
330 | | - public boolean isErrorEnabled() { |
331 | | - return jlogger.isLoggable(JavaLoggerLevel.ERROR_LEVEL); |
332 | | - } |
333 | | - |
334 | | - /** |
335 | | - * {@inheritDoc} |
336 | | - */ |
337 | | - public boolean isFatalEnabled() { |
338 | | - return jlogger.isLoggable(Level.SEVERE); |
339 | | - } |
340 | | - |
341 | | - /** |
342 | | - * {@inheritDoc} |
343 | | - */ |
344 | | - public boolean isInfoEnabled() { |
345 | | - return jlogger.isLoggable(Level.INFO); |
346 | | - } |
347 | | - |
348 | | - /** |
349 | | - * {@inheritDoc} |
350 | | - */ |
351 | | - public boolean isTraceEnabled() { |
352 | | - return jlogger.isLoggable(Level.FINEST); |
353 | | - } |
354 | | - |
355 | | - /** |
356 | | - * {@inheritDoc} |
357 | | - */ |
358 | | - public boolean isWarningEnabled() { |
359 | | - return jlogger.isLoggable(Level.WARNING); |
360 | | - } |
361 | | - |
362 | | - public String getUserInfo() { |
363 | | - // create a random session number for the user to represent the user's 'session', if it doesn't exist already |
364 | | - String sid = null; |
365 | | - HttpServletRequest request = ESAPI.httpUtilities().getCurrentRequest(); |
366 | | - if ( request != null ) { |
367 | | - HttpSession session = request.getSession( false ); |
368 | | - if ( session != null ) { |
369 | | - sid = (String)session.getAttribute("ESAPI_SESSION"); |
370 | | - // if there is no session ID for the user yet, we create one and store it in the user's session |
371 | | - if ( sid == null ) { |
372 | | - sid = ""+ ESAPI.randomizer().getRandomInteger(0, 1000000); |
373 | | - session.setAttribute("ESAPI_SESSION", sid); |
374 | | - } |
375 | | - } |
376 | | - } |
377 | | - |
378 | | - // log user information - username:session@ipaddr |
379 | | - User user = ESAPI.authenticator().getCurrentUser(); |
380 | | - String userInfo = ""; |
381 | | - //TODO - Make Type Logging configurable |
382 | | - if ( user != null) { |
383 | | - userInfo += user.getAccountName()+ ":" + sid + "@"+ user.getLastHostAddress(); |
384 | | - } |
385 | | - |
386 | | - return userInfo; |
387 | | - } |
388 | | - |
389 | | - /** |
390 | | - * {@inheritDoc} |
391 | | - */ |
392 | | - public void always(EventType type, String message) { |
393 | | - always(type, message, null); |
394 | | - } |
395 | | - |
396 | | - /** |
397 | | - * {@inheritDoc} |
398 | | - */ |
399 | | - public void always(EventType type, String message, Throwable throwable) { |
400 | | - log(Level.OFF, type, message, throwable); // Seems backward, but this is what works, not Level.ALL |
401 | | - } |
402 | | - } |
403 | 69 | } |