-
CSR
-
Resolution: Approved
-
P4
-
None
-
behavioral
-
minimal
-
The format of debug logs is always subject to change. Not aware of any tooling that needs java.security.debug to follow a particular pattern.
-
System or security property
-
JDK
Summary
In JDK 23, JDK-8051959 introduced an option to add thread and timestamp data to the debug java.security.debug
system property. This CSR proposes to make changes to emit that data always and remove the +thread
and +timestamp
options which were used to control the logging behavior.
Problem
By default, the thread
and timestamp
data remains off in the java.security.debug
output. To enhance the security debug logs, the thread and timestamp data should always be present. This brings it to a par with another important security debug system property, the TLS debug property: javax.net.debug. Output from TLS javax.net.debug
logs always contains thread and timestamp data.
Solution
Remove the +thread
and +timestamp
support code and print thread and timestamp data by default. This enancement is only proposed for the JDK feature release. Update releases can continue to opt into such data.
Debug output data from use of the java.security.debug
property will now resemble something like the following:
properties[0x10|main|Security.java:122|2025-05-01 14:59:42.859 UTC]: Initial security property: package.definition=sun.misc.,sun.reflect.
properties[0x10|main|Security.java:122|2025-05-01 14:59:42.859 UTC]: Initial security property: krb5.kdc.bad.policy=tryLast
Specification
Each debug output statement generated via java.security.debug
is now formatted as:
componentValue[threadId|threadName|sourceCodeLocation|timestamp]:
where:
* componentValue is the security component value being logged.
* threadId is the hexadecimal value of the thread ID.
* threadName is the name of the thread executing the log statement.
* sourceCodeLocation is the source file and line number making this log call, in the format filename:lineNumber.
* timestamp is the date and time in the format "yyyy-MM-dd kk:mm:ss.SSS z"
* <debug statement> corresponds to the debug output from security component.
src/java.base/share/classes/java/security/doc-files/debug-system-property.html will be modified according to following diff patch:
--- a/src/java.base/share/classes/java/security/doc-files/debug-system-property.html
+++ b/src/java.base/share/classes/java/security/doc-files/debug-system-property.html
@@ -52,24 +52,10 @@ <h1><B>{@systemProperty java.security.debug}</B></h1>
<p> To monitor security access, you can set the <code>java.security.debug</code>
system property, which determines what trace messages are printed during
execution. The value of the property is one or more options separated by a
- comma.
+ comma. Each trace message includes the thread id, caller information, and
+ timestamp.
</p>
-<h2>Printing Thread and Timestamp Information</h2>
-<p>
- You can append the following strings to any option specified in the
- <code>java.security.debug</code> system property to print additional
- information:
-<ul>
- <li><code>+thread</code>: Print thread and caller information</li>
- <li><code>+timestamp</code>: Print timestamp information</li>
-</ul>
-<p>
- For example, to add thread, caller, and timestamp information to all
- debugging output, set the <code>java.security.debug</code> system property
- on the command line as follows:
<h2>- <pre><code>java -Djava.security.debug=all+thread+timestamp MyApp</code></pre></h2>
<p>The following table lists the <code>java.security.debug</code> options:</p>
- The system property javadoc document, recently introduced via JDK-8328914, is updated to remove mention of the
+thread
and+timestamp
options. - Update the
java.security.debug
help output to remove mention of the+thread
and+timestamp
options - A release note will accompany this change.
- Continued use of the
+thread
and+timestamp
options will no longer have impact. The thread and timestamp data is always printed and valid security components used in thejava.security.debug
property will continue to be logged.
- csr of
-
JDK-8350689 Turn on timestamp and thread metadata by default for java.security.debug
-
- Resolved
-