java.util.logging

java.util.logging

与其他的⽇志不同,Java.util.logging的⽇志级别为 SEVERE ( 严重 ) ,  WARNING (警告),  INFO  (信息), CONFIG (配置), FINE (详 细),  FINER (较详细), FINEST ( ⾮常详细 )  等。

 

  与 log4j2 相⽐, Java.util.logging 适⽤于⼩型系统, 当⽇志量过⼤时性能有待提升,并发性能不够。不过好在 Java.util.logging 是原⽣的 JDK 类集,⽆需引⼊ maven 新包,尽管⽐不上 logback, log4j2,  但也有它⾃⼰的优势。

 

重要的类有 Logger 类(记录器)和 Handler 类(处理器),⼆者分别完成以下功能:                     

(1)Logger: ⽇志记录器,实现 记录⽇志,设置⽇志级别等功能。                     

(2)Handler: ⽇志处理器,属于接⼝对象,决定⽇志的输出⽅式等。  

       

其他的⽐较重要的类还有:

Level :⽇志的记录级别 Filter  ⽇志过滤器,接⼝,在⽇志被 Handler 处理之前,起过滤作⽤

LoggerManager:   ⽇志管理器

Formatter:    ⽇志格式化转换器,接⼝对象,决定⽇志的输出格式

 
IntelliJ Platform移除log4j
As you no doubt know, several major vulnerabilities have been recently discovered in the version 2 of the log4j library. As we have previously announced, the IDEs based on the IntelliJ Platform are not affected by this vulnerability, because they use a patched version of log4j 1.2 with all network-related code removed. Versions 1 and 2 of the log4j library are two completely different codebases with incompatible APIs, and migrating from one to the other is a non-trivial endeavor with unclear benefits. Despite that, some automated security tools still flag our use of an “old” version of log4j as a security issue.

At the same time, our requirements for a logging framework are fairly minimal; the only features we need are logging to files and the console, as well as the possibility to configure log levels for different parts of the codebase. All of these requirements are covered by the standard logging API available as part of the JDK (java.util.logging), and in order to avoid false security alerts and reduce potential attack surface, we’ve decided to stop using log4j altogether and to switch to java.util.logging as the standard logging framework. The change will be released in version 2022.1.

Since log4j is used (directly or indirectly) by a large number of third-party plugins, we’re going to ship a stub implementation of the log4j APIs redirecting the log output to java.util.logging, taken from the SLF4J project. However, the stub does not completely implement all methods, so in order to maintain full functionality of your plugins, you may need to adapt your code to the new environment.

Please check whether your code or your dependencies use log4j, and follow these instructions to update your code:

If you use log4j in your own plugin code: Switch to using the standard platform logging API, com.intellij.openapi.diagnostic.Logger
If you use log4j in your own code that is used both in a plugin and in other contexts: Switch to using SLF4J APIs. The IntelliJ Platform ships with an implementation of the SLF4J APIs over java.util.logging, so SLF4J logging is fully supported in the platform.
If log4j is used in a dependency of your code: Request the dependency maintainer to switch to SLF4J. If that is not possible, logging from the dependency will most likely continue working thanks to the log4j to SLF4J bridge.
If you use the log4j APIs to customize the logging of your dependency that uses SLF4J: Switch to using the java.util.logging APIs for configuring handlers and log levels.
If you use log4j XML files to configure logging in your tests: Switch to the configuration using .properties files as described in the LogManager documentation. When running tests using the IntelliJ test framework, the path to the logging properties file can be passed using the system property.idea.log.config.properties.file
The changes are included in the 221.4165.x EAP builds that will be released this week. Please use those builds for testing the compatibility of your plugins with the platform changes.



毫无疑问,最近在 log4j 库的第 2 版中发现了几个主要漏洞。正如我们之前宣布的那样,基于 IntelliJ 平台的 IDE 不受此漏洞的影响,因为它们使用了 log4j 1.2 的修补版本,并删除了所有与网络相关的代码。log4j 库的版本 12 是两个完全不同的代码库,具有不兼容的 API,从一个版本迁移到另一个版本是一项艰巨的任务,其好处尚不清楚。尽管如此,一些自动化安全工具仍然将我们使用“旧”版本的 log4j 标记为安全问题。

同时,我们对日志记录框架的要求相当低;我们唯一需要的功能是记录到文件和控制台,以及为代码库的不同部分配置日志级别的可能性。所有这些要求都包含在作为 JDK 的一部分提供的标准日志记录 API (java.util.logging) 中,为了避免错误的安全警报并减少潜在的攻击面,我们决定完全停止使用 log4j,并切换到 java.util.logging 作为标准日志记录框架。此更改将在版本 2022.1 中发布。

由于 log4j 被大量第三方插件(直接或间接)使用,我们将提供 log4j API 的存根实现,将日志输出重定向到 java.util.logging,取自 SLF4J 项目。但是,存根并没有完全实现所有方法,因此为了保持插件的全部功能,您可能需要调整代码以适应新环境。

请检查您的代码或依赖项是否使用 log4j,并按照以下说明更新您的代码:

如果您在自己的插件代码中使用 log4j:切换到使用标准平台日志记录 API,com.intellij.openapi.diagnostic.Logger
如果您在自己的代码中使用 log4j,该代码在插件和其他上下文中使用:请切换到使用 SLF4J API。IntelliJ 平台附带了基于 java.util.logging 的 SLF4J API 实现,因此平台完全支持 SLF4J 日志记录。
如果在代码的依赖项中使用了 log4j:请求依赖项维护者切换到 SLF4J。如果这是不可能的,由于 log4j 到 SLF4J 的桥接,依赖项的日志记录很可能会继续工作。
如果使用 log4j API 自定义使用 SLF4J 的依赖项的日志记录:请切换到使用 java.util.logging API 来配置处理程序和日志级别。
如果使用 log4j XML 文件在测试中配置日志记录:请使用 .properties 文件切换到配置,如 LogManager 文档中所述。使用 IntelliJ 测试框架运行测试时,可以使用系统属性传递日志记录属性文件的路径。idea.log.config.properties.file
这些更改包含在将于本周发布的 221.4165.x EAP 版本中。请使用这些版本来测试您的插件与平台更改的兼容性。

 

posted @ 2024-01-07 14:25  lightbc  阅读(32)  评论(0编辑  收藏  举报