Summary

In JDK 23, JDK-8051959 introduced an option to add thread and timestamp data to the debug java.security.debug system property. This CSR proposes to make changes to emit that data always and remove the +thread and +timestamp options which were used to control the logging behavior.

Problem

By default, the thread and timestamp data remains off in the java.security.debug output. To enhance the security debug logs, the thread and timestamp data should always be present. This brings it to a par with another important security debug system property, the TLS debug property: javax.net.debug. Output from TLS javax.net.debug logs always contains thread and timestamp data.

Solution

Remove the +thread and +timestamp support code and print thread and timestamp data by default. This enancement is only proposed for the JDK feature release. Update releases can continue to opt into such data.

Debug output data from use of the java.security.debug property will now resemble something like the following:

properties[0x10|main|Security.java:122|2025-05-01 14:59:42.859 UTC]: Initial security property: package.definition=sun.misc.,sun.reflect.
properties[0x10|main|Security.java:122|2025-05-01 14:59:42.859 UTC]: Initial security property: krb5.kdc.bad.policy=tryLast

Specification

Each debug output statement generated via java.security.debug is now formatted as:

componentValue[threadId|threadName|sourceCodeLocation|timestamp]:

where:

* componentValue is the security component value being logged.
* threadId is the hexadecimal value of the thread ID.
* threadName is the name of the thread executing the log statement.
* sourceCodeLocation is the source file and line number making this log call, in the format filename:lineNumber.
* timestamp is the date and time in the format "yyyy-MM-dd kk:mm:ss.SSS z"
* <debug statement> corresponds to the debug output from security component.

src/java.base/share/classes/java/security/doc-files/debug-system-property.html will be modified according to following diff patch:

--- a/src/java.base/share/classes/java/security/doc-files/debug-system-property.html
+++ b/src/java.base/share/classes/java/security/doc-files/debug-system-property.html
@@ -52,24 +52,10 @@ <h1><B>{@systemProperty java.security.debug}</B></h1>
 <p> To monitor security access, you can set the <code>java.security.debug</code>
     system property, which determines what trace messages are printed during
     execution. The value of the property is one or more options separated by a
-    comma.
+    comma. Each trace message includes the thread id, caller information, and
+    timestamp.
 </p>

-<h2>Printing Thread and Timestamp Information</h2>
-<p>
-    You can append the following strings to any option specified in the
-    <code>java.security.debug</code> system property to print additional
-    information:
-<ul>
-    <li><code>+thread</code>: Print thread and caller information</li>
-    <li><code>+timestamp</code>: Print timestamp information</li>
-</ul>
-<p>
-    For example, to add thread, caller, and timestamp information to all
-    debugging output, set the <code>java.security.debug</code> system property
-    on the command line as follows:
<h2>-    <pre><code>java -Djava.security.debug=all+thread+timestamp MyApp</code></pre></h2>

 <p>The following table lists the <code>java.security.debug</code> options:</p>

• The system property javadoc document, recently introduced via JDK-8328914, is updated to remove mention of the +thread and +timestamp options.
• Update the java.security.debug help output to remove mention of the +thread and +timestamp options
• A release note will accompany this change.
• Continued use of the +thread and +timestamp options will no longer have impact. The thread and timestamp data is always printed and valid security components used in the java.security.debug property will continue to be logged.