XDS Toolkit Server Logging Configuration
NIST XDS Toolkit Releases prior to 7.7.1 used Apache Log4j 1.x based logging framework, which was affected by CVE-2019-17571.
Apache Log4j2 or 2.x based Java was not used in XDS Toolkit so the more recent CVE-2021-44228 is not applicable.
In XDS Toolkit 7.7.1, Apache Log4j 1.x was replaced with Java Util Logging except the transitive dependency required by XDS-I support dependency dcm4che Java library through the slf4j-log4j12 Java Library. Based on the instructions to patch the log4j library in the SLF4J Page, the /org/apache/log4j/net/* package classes were removed. In the build-release.sh script, patch-log4j.sh is called to remove these classes from the JAR file that goes in the release distribution. The resulting JAR file is named log4j-1.2.17-patched.jar in the WEB-INF/lib directory.
The following logging levels were previously used in the Toolkit source code.
DEBUG, INFO, WARN, ERROR, FATAL.
See Java LogManager.
Java Logging offers the following levels:
ALL, TRACE, FINEST, FINER, FINE, CONFIG, INFO, WARNING, SEVERE, and OFF.
With Java Logging, previous Log4j Logger method calls across the entire Toolkit source code were changed to the following Java Logging Levels:
| Apache Log4j 1x | Java Logging |
|---|---|
| debug | fine, finer |
| info | info |
| warn | warning |
| error | severe |
| fatal | severe |
In the expanded contents of the XDS Toolkit web application, the logging properties can be configured through the xdstools/WEB-INF/classes/logging.properties file. In the source code, this file is located in iheos-toolkit/xdstools2/src/main/resources/logging.properties. A copy of this file can be viewed here.
If XDS Toolkit is running in Tomcat, logging.properties from the web application classpath is automatically loaded. Changes can be made to this file but the web application needs to be restarted for the logging parameters to take effect.
If XDS Toolkit is not running Tomcat, the Logging Properties Java System Property java.util.logging.config.file must be set to the absolute file path leading to the loggging.properties in the web application classpath.
Contents of the Java Logging logging.properties file can be viewed from the XDS Toolkit Toolkit Configuration user interface. Although there is no sensitive information in the logging.properties, the unadvertised link is only available through the Toolkit Configuration admin user tool link menu.
Toolkit
Downloads
Installing Toolkit
Configuring Toolkit for Imaging Tests
Reporting Toolkit Installation Problems
Environment
Test Session
Conformance Test Tool
Writing Conformance Tests
Overview of Imaging Tests
Test Context Definition
Launching Conformance Tool from Gazelle
Inspector
External Cache
Support Tools
Test Organization
Configuring Test Kits
Managing Multiple Test Kits
SAML Validation against Gazelle
Renaming Toolkit
Toolkit API
Managing system configurations
Configuring Toolkit for Connectathon
Developer's blog