DwpEncodedLogger

This is a simple project that provides DWP's Health PDU standard Java logger implementations for standard Java logging libraries.

This project was originally created to mitigate the Heap_Inspection vulnerability:

The application writes audit logs upon security-sensitive actions. Since the audit log includes user input that is neither checked for data type validity nor subsequently sanitized, the input could contain false information made to look like legitimate audit log data.
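The finding described above, shown as an added example that is not code from this project: a constructed username containing a line break is logged once as-is and once after encoding. The class name, the `encodeForLog` helper and the sample log line format are assumptions for illustration, not this library's API.

```java
/** Added example: neutralise line breaks and control characters before a value is logged. */
public class LogEncodingExample {

    /** Hypothetical helper (not the library's API): make a value safe to embed in one log line. */
    static String encodeForLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        value.codePoints().forEach(cp -> {
            if (cp == '\\') {
                out.append("\\\\");                        // escape the escape character so output stays unambiguous
            } else if (cp == '\n') {
                out.append("\\n");                         // line feed becomes a visible two-character sequence
            } else if (cp == '\r') {
                out.append("\\r");                         // carriage return likewise
            } else if (Character.isISOControl(cp) || cp == 0x2028 || cp == 0x2029) {
                out.append(String.format("\\u%04x", cp));  // other controls and Unicode line/paragraph separators
            } else {
                out.appendCodePoint(cp);                   // everything else, including non-ASCII text, is kept
            }
        });
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a username field carrying a line break followed by text shaped like an audit entry.
        String username = "alice\n2024-01-01 10:00:00 INFO AUDIT login succeeded user=admin";
        String prefix = "2024-01-01 09:59:59 INFO AUDIT login failed user=";

        // Unencoded: the log now appears to hold two entries, the second one supplied by the user.
        System.out.println(prefix + username);

        // Encoded: the whole value stays on one line and the line break is visible as text.
        System.out.println(prefix + encodeForLog(username));
    }
}
```

Escaping the backslash itself means a reviewer can always tell an encoded line break from a user who typed the two characters backslash and n.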

Version 3.0.0 introduces a breaking change: the upgrade to Java 17.

Jakarta EE 9 introduces a new top-level jakarta package, replacing EE 8's javax top-level package. For example, the Servlet specification in Jakarta EE 8 uses a javax.servlet package but this has changed to jakarta.servlet in EE 9.

Generally speaking, it's not possible to mix Java EE and Jakarta EE APIs in the same project. You need to ensure that your own code, as well as all third-party libraries, are using jakarta.* package imports.

Implementations

There are implementations for Logback and Log4j2.

The library assumes that the desired logging implementation is provided on the class path. The default log level is INFO.

Project inclusion

properties entry in pom

<properties>
    <dwp.encoded_logger>x.x</dwp.encoded_logger>
</properties>

dependency reference

<dependency>
    <groupId>uk.gov.dwp.logging</groupId>
    <artifactId>encoded-logger-output</artifactId>
    <version>${dwp.encoded_logger}</version>
</dependency>

and include the relevant logging system, Logback or Log4j2.

Configuration

Logback

The default configuration provided by this package assumes that there is an application.yml file in the root of the classpath that contains -- at least -- app_name and app_version attributes that are set to the specific values.

Log4j2

The default configuration provided by this package assumes that there are two system properties, app_name and app_version, set to the relevant values. How these are set is up to the specific application.

** WINDOWS USERS **

This test suite uses a file to match the logging output against the expected values. The default file encoding for the Windows command line is not UTF8 and (as such) will cause characters like the pound sign to be interpreted differently to that of the logger's character set. In order to enforce UTF8 encoding, please set the following environment variable:

JAVA_TOOL_OPTIONS=-Dfile.encoding=UTF8