更改 OWASP CSRFGuard 的日志记录级别
Changing Logging Level of OWASP CSRFGuard
我已经在我的 Java 应用程序中成功安装了 OWASP CSRFGuard。
我的 CSRFGuard.Properties
文件包含以下内容:
# Logger
#
# The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of
# the object responsible for processing all log messages produced by CSRFGuard. The default
# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
# to System.out which JavaEE application servers redirect to a vendor specific log file.
# Developers can customize the logging behavior of CSRFGuard by implementing the
# org.owasp.csrfguard.log.ILogger interface and setting the logger property to the new
# logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
# to capture all log messages to the console:
#
# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
中看到不同的日志记录级别
LOGGER.log(Level.FINEST, exception.getLocalizedMessage(), exception);
break;
case Debug:
LOGGER.log(Level.FINE, exception.getLocalizedMessage(), exception);
break;
case Info:
LOGGER.log(Level.INFO, exception.getLocalizedMessage(), exception);
break;
case Warning:
LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
break;
case Error:
LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
break;
case Fatal:
LOGGER.log(Level.SEVERE
如何更改 CSRFGuard.Properties
中的日志记录级别以仅显示 Level.WARNING?
目前,每个请求都会被分析和记录。
INFO: CsrfGuard analyzing request example.com/examplepage.jsp
替换CSRFGuard.Properties
中的以下行
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
替换为
org.owasp.csrfguard.Logger=com.myPackage.MyLogger
并添加一个如下所示的新类(基于 this code),在 MyLogger()
构造函数中设置所需的日志级别(在下面的示例中,我将最低日志级别设置为 Level.WARNING
)
package com.myPackage
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.csrfguard.log.LogLevel;
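/**
 * CSRFGuard logger that forwards every message to {@code java.util.logging} under the
 * logger name {@code "Owasp.CsrfGuard"} and discards everything below {@link Level#WARNING}.
 *
 * <p>All message text, including exception messages, has CR and LF removed before it is
 * logged, so text that reaches a message cannot start a forged log line.
 */
public class MyLogger implements org.owasp.csrfguard.log.ILogger {

    // NOTE(review): only meaningful if ILogger is Serializable; confirm against the interface.
    private static final long serialVersionUID = 1L;

    private static final Logger LOGGER = Logger.getLogger("Owasp.CsrfGuard");

    /**
     * Raises the threshold of the shared {@code "Owasp.CsrfGuard"} logger to WARNING.
     *
     * <p>The level is set on the named logger itself, so it applies to every user of that
     * logger name in the JVM and overrides whatever the logging configuration file says.
     */
    public MyLogger() {
        // Info and below are dropped, including the per-request "analyzing request" lines.
        // NOTE(review): confirm that CSRFGuard reports rejected requests at Warning or above
        // before relying on this threshold; otherwise those security events are dropped too.
        LOGGER.setLevel(Level.WARNING);
    }

    /**
     * Logs a message at INFO.
     *
     * @param msg text to log; {@code null} is logged as an empty message
     */
    @Override
    public void log(String msg) {
        LOGGER.info(stripLineBreaks(msg));
    }

    /**
     * Logs a message at the {@code java.util.logging} level matching {@code level}.
     *
     * @param level CSRFGuard level of the message
     * @param msg text to log; {@code null} is logged as an empty message
     * @throws RuntimeException if {@code level} has no mapping
     */
    @Override
    public void log(LogLevel level, String msg) {
        LOGGER.log(toJulLevel(level), stripLineBreaks(msg));
    }

    /**
     * Logs an exception at WARNING.
     *
     * @param exception exception to record; its message is logged with CR and LF removed
     */
    @Override
    public void log(Exception exception) {
        logException(Level.WARNING, exception);
    }

    /**
     * Logs an exception at the {@code java.util.logging} level matching {@code level}.
     *
     * @param level CSRFGuard level of the event
     * @param exception exception to record; its message is logged with CR and LF removed
     * @throws RuntimeException if {@code level} has no mapping
     */
    @Override
    public void log(LogLevel level, Exception exception) {
        logException(toJulLevel(level), exception);
    }

    /** Writes one record carrying the exception and its line-break-free message. */
    private static void logException(Level julLevel, Exception exception) {
        // The message may echo text that did not originate in this application, so it gets
        // the same CR/LF stripping as plain messages. The attached stack trace is rendered
        // by the log formatter and is left as it is.
        LOGGER.log(julLevel, stripLineBreaks(exception.getLocalizedMessage()), exception);
    }

    /** Maps a CSRFGuard level to its {@code java.util.logging} counterpart. */
    private static Level toJulLevel(LogLevel level) {
        switch (level) {
            case Trace:
                return Level.FINEST;
            case Debug:
                return Level.FINE;
            case Info:
                return Level.INFO;
            case Warning:
                return Level.WARNING;
            case Error:
                // Error shares WARNING with Warning; SEVERE is used for Fatal only.
                return Level.WARNING;
            case Fatal:
                return Level.SEVERE;
            default:
                throw new RuntimeException("unsupported log level " + level);
        }
    }

    /** Removes CR and LF so a message always occupies a single log line. */
    private static String stripLineBreaks(String text) {
        if (text == null) {
            return "";
        }
        return text.replace("\r", "").replace("\n", "");
    }
}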
我已经在我的 Java 应用程序中成功安装了 OWASP CSRFGuard。
我的 CSRFGuard.Properties
文件包含以下内容:
# Logger
#
# The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of
# the object responsible for processing all log messages produced by CSRFGuard. The default
# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
# to System.out which JavaEE application servers redirect to a vendor specific log file.
# Developers can customize the logging behavior of CSRFGuard by implementing the
# org.owasp.csrfguard.log.ILogger interface and setting the logger property to the new
# logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
# to capture all log messages to the console:
#
# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
中看到不同的日志记录级别
LOGGER.log(Level.FINEST, exception.getLocalizedMessage(), exception);
break;
case Debug:
LOGGER.log(Level.FINE, exception.getLocalizedMessage(), exception);
break;
case Info:
LOGGER.log(Level.INFO, exception.getLocalizedMessage(), exception);
break;
case Warning:
LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
break;
case Error:
LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
break;
case Fatal:
LOGGER.log(Level.SEVERE
如何更改 CSRFGuard.Properties
中的日志记录级别以仅显示 Level.WARNING?
目前,每个请求都会被分析和记录。
INFO: CsrfGuard analyzing request example.com/examplepage.jsp
替换CSRFGuard.Properties
中的以下行
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
替换为
org.owasp.csrfguard.Logger=com.myPackage.MyLogger
并添加一个如下所示的新类(基于 this code),在 MyLogger()
构造函数中设置所需的日志级别(在下面的示例中,我将最低日志级别设置为 Level.WARNING
)
package com.myPackage
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.csrfguard.log.LogLevel;
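/**
 * CSRFGuard logger that forwards every message to {@code java.util.logging} under the
 * logger name {@code "Owasp.CsrfGuard"} and discards everything below {@link Level#WARNING}.
 *
 * <p>All message text, including exception messages, has CR and LF removed before it is
 * logged, so text that reaches a message cannot start a forged log line.
 */
public class MyLogger implements org.owasp.csrfguard.log.ILogger {

    // NOTE(review): only meaningful if ILogger is Serializable; confirm against the interface.
    private static final long serialVersionUID = 1L;

    private static final Logger LOGGER = Logger.getLogger("Owasp.CsrfGuard");

    /**
     * Raises the threshold of the shared {@code "Owasp.CsrfGuard"} logger to WARNING.
     *
     * <p>The level is set on the named logger itself, so it applies to every user of that
     * logger name in the JVM and overrides whatever the logging configuration file says.
     */
    public MyLogger() {
        // Info and below are dropped, including the per-request "analyzing request" lines.
        // NOTE(review): confirm that CSRFGuard reports rejected requests at Warning or above
        // before relying on this threshold; otherwise those security events are dropped too.
        LOGGER.setLevel(Level.WARNING);
    }

    /**
     * Logs a message at INFO.
     *
     * @param msg text to log; {@code null} is logged as an empty message
     */
    @Override
    public void log(String msg) {
        LOGGER.info(stripLineBreaks(msg));
    }

    /**
     * Logs a message at the {@code java.util.logging} level matching {@code level}.
     *
     * @param level CSRFGuard level of the message
     * @param msg text to log; {@code null} is logged as an empty message
     * @throws RuntimeException if {@code level} has no mapping
     */
    @Override
    public void log(LogLevel level, String msg) {
        LOGGER.log(toJulLevel(level), stripLineBreaks(msg));
    }

    /**
     * Logs an exception at WARNING.
     *
     * @param exception exception to record; its message is logged with CR and LF removed
     */
    @Override
    public void log(Exception exception) {
        logException(Level.WARNING, exception);
    }

    /**
     * Logs an exception at the {@code java.util.logging} level matching {@code level}.
     *
     * @param level CSRFGuard level of the event
     * @param exception exception to record; its message is logged with CR and LF removed
     * @throws RuntimeException if {@code level} has no mapping
     */
    @Override
    public void log(LogLevel level, Exception exception) {
        logException(toJulLevel(level), exception);
    }

    /** Writes one record carrying the exception and its line-break-free message. */
    private static void logException(Level julLevel, Exception exception) {
        // The message may echo text that did not originate in this application, so it gets
        // the same CR/LF stripping as plain messages. The attached stack trace is rendered
        // by the log formatter and is left as it is.
        LOGGER.log(julLevel, stripLineBreaks(exception.getLocalizedMessage()), exception);
    }

    /** Maps a CSRFGuard level to its {@code java.util.logging} counterpart. */
    private static Level toJulLevel(LogLevel level) {
        switch (level) {
            case Trace:
                return Level.FINEST;
            case Debug:
                return Level.FINE;
            case Info:
                return Level.INFO;
            case Warning:
                return Level.WARNING;
            case Error:
                // Error shares WARNING with Warning; SEVERE is used for Fatal only.
                return Level.WARNING;
            case Fatal:
                return Level.SEVERE;
            default:
                throw new RuntimeException("unsupported log level " + level);
        }
    }

    /** Removes CR and LF so a message always occupies a single log line. */
    private static String stripLineBreaks(String text) {
        if (text == null) {
            return "";
        }
        return text.replace("\r", "").replace("\n", "");
    }
}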