在java产品中记录源类名和方法名可以吗?
我目前正在为一些网络监控工具开发一个java应用程序。在我的代码中,我应该经常使用日志记录。由于它是一个网络管理软件,日志中的信息对用户来说非常有用,因此必须使用它们。但现在我有点困惑我应该选择哪种记录器方法。现在我正在使用 Logger.lop(...//...) ,因为在它的帮助下,我们还记录了类名和方法,因此对我(开发人员)来说调试变得非常容易代码并找到错误。但最后我很困惑我是否应该使用相同的日志机制将其交付给最终用户???让你的用户知道当前正在执行什么类型的类,哪个方法发生了错误,这有什么坏处吗?我在许多产品中多次看到异常处理中使用了堆栈跟踪,因此通常我们也会获取类名。那么让最终用户知道你的类名和方法是什么没有问题吗?
i am currently working on a java application for some network monitoring tool. In my code i am supposed to use logging a lot. Since its a network management software, the information in logs is quite useful to the user hence its compulsory to use them. But now I am bit confused with what kind of logger method i should prefer. Right now i am using Logger.lop(...//...)
since with its help we are also logging the class name and method so its becoming very easy for me (developers) to debug the code and find the error. But finally I am confused should i deliver it to the end user with the same logging mechanism??? Is it any harm to let your user know what kind of class is executing currently , in which method error has occured. I have seen many times in many product in exception handling stacktrace is used so normally we get class name as well. So is there is no problem to let enduser know what your class name and method is??
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
在考虑其安全影响之前,请考虑性能。在大多数日志记录系统中,通过日志记录工具动态获取实际的类名和方法名称需要反射,并且会大大减慢日志记录的速度 - 通常是同步操作。我的猜测是,在网络监控应用程序中,您确实不希望这样。
如果您将方法名称硬编码到日志消息中(通过使其成为消息的一部分或按类别),那就是另一回事了。作为一名安全人员,我不认为这有什么大不了的——如果你的代码是用 Java 编写的,它无论如何都可以被逆转,所以你的代码应该以这样的方式运行,即使代码被白送了。
话虽这么说,您可以为开发和生产使用不同的日志配置,或者这些细粒度的消息可以进入调试、跟踪等。如果您使用 log4j,通常建议使用 isDebugEnabled< /code> 包装任何包含动态计算内容的日志记录语句,因为在日志记录语句确定是否启用之前计算这些日志记录语句。
Before considering the security implications of it, consider the performance. In most logging systems, getting the actual classname and method name dynamically by the logging facility requires reflection and dramatically slows down the logging - usually a synchronous operation. My guess is that in a network monitoring application, you really don't want that.
If you're hard-coding the method name into the log message (either by making it part of the message or by the category), that's a different story. As a security person, I don't consider it to be that big of a deal - if your code is in Java, it can be reversed anyhow, so your code should operate in such a way that it would be secure even if the code was given away.
All that being said, you could either use a different logging configuration for development and production, or those fine-grained messages could go in debug, trace, etc. If you're using log4j, it's generally advisable to use
isDebugEnabled
to wrap any logging statements which include anything dynamically-calculated as those get calculated before the logging statement determines whether it's enabled.log4j/logback/slf4j 允许您为不同的附加程序使用不同的格式。对于开发,您可以启用控制台附加程序,在格式中包含类名,而对于最终用户,您可以省略它(对于文件附加程序)
log4j/logback/slf4j allow you to have different formats for different appenders. For development you can enable a console appender where you include the class name in the format, while for the end-users you can omit it (for a file appender)
值得一提的是,这种日志记录在 Java 中的性能成本很高,而在 C++ 中,这种日志记录通常使用预处理器来实现。幸运的是,使用 log4j/logback,您可以打开和关闭它 - 遵循 Bozho 的建议。
It's worth mentioning that such logging is performance costly in Java, contrary to C++ where it is usually implemented with preprocessor. Fortunately, with log4j/logback you can switch it on and off — follow Bozho's advice.