
Bug 413105

Summary: Disable verbose Openid logging
Product: [ECD] Orion
Component: Server
Reporter: John Arthorne <john.arthorne>
Assignee: Maciej Bendkowski <maciej.bendkowski>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: maciej.bendkowski, Szymon.Brandys
Version: 3.0
Target Milestone: 4.0 M1
Hardware: PC
OS: Windows 7
Whiteboard:

Description John Arthorne CLA 2013-07-16 14:38:29 EDT
Looking at the logs on orionhub.org, I think we are logging far too much information by default on openid handshakes. I have deleted some details here to protect the user but here is an example for one login:

Jul 16, 2013 2:26:14 PM org.openid4java.server.RealmVerifier setEnforceRpId
WARNING: RP discovery / realm validation disabled;
Jul 16, 2013 2:26:14 PM org.openid4java.server.RealmVerifier setEnforceRpId
WARNING: RP discovery / realm validation disabled;
Jul 16, 2013 2:26:14 PM org.openid4java.discovery.Discovery discover
INFO: Starting discovery on URL identifier: https://www.google.com/...
Jul 16, 2013 2:26:15 PM org.openid4java.discovery.yadis.YadisResolver discover
INFO: Yadis discovered 1 endpoints from: https://www.google.com/...
Jul 16, 2013 2:26:15 PM org.openid4java.discovery.Discovery discover
INFO: Discovered 1 OpenID endpoints.
Jul 16, 2013 2:26:15 PM org.openid4java.consumer.ConsumerManager associate
INFO: Trying to associate with https://www.google.com/... attempts left: 4
Jul 16, 2013 2:26:15 PM org.apache.commons.httpclient.HttpMethodBase getResponseBody
WARNING: Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
Jul 16, 2013 2:26:15 PM org.openid4java.consumer.ConsumerManager associate
INFO: Associated with https://www.google.com/accounts/... handle: 1.AMlYA9XP3F2lPHzMalvq-dSlNOTmoDn5Oq-mz50nsseXQWzcUYUHtemGNnUZ8vqhD3EP36bix0TIOA
Jul 16, 2013 2:26:15 PM org.openid4java.consumer.ConsumerManager authenticate
INFO: Creating authentication request for OP-endpoint: https://www.google.com/accounts/... claimedID: http://specs.openid.net/auth/2.0/identifier_select OP-specific ID: http://specs.openid.net/auth/2.0/identifier_select
Jul 16, 2013 2:26:15 PM org.openid4java.server.RealmVerifier match
INFO: Return URL: https://orionhub.org/login/openid?op_return=true&redirect=https%3A%2F%2Forionhub.org%2F matches realm: https://orionhub.org
Jul 16, 2013 2:26:15 PM org.openid4java.consumer.ConsumerManager verify
INFO: Verifying authentication response...
Jul 16, 2013 2:26:15 PM org.openid4java.consumer.ConsumerManager verify
INFO: Received positive auth response.
Jul 16, 2013 2:26:15 PM org.openid4java.discovery.Discovery discover
INFO: Starting discovery on URL identifier: https://www.google.com/accounts/...
Jul 16, 2013 2:26:16 PM org.openid4java.discovery.yadis.YadisResolver discover
INFO: Yadis discovered 5 endpoints from: https://www.google.com/accounts/...
Jul 16, 2013 2:26:16 PM org.openid4java.discovery.Discovery discover
INFO: Discovered 5 OpenID endpoints.
Jul 16, 2013 2:26:16 PM org.openid4java.consumer.ConsumerManager verifySignature
INFO: Found association: 1.AMlYA9XP3F2lPHzMalvq-dSlNOTmoDn5Oq-mz50nsseXQWzcUYUHtemGNnUZ8vqhD3EP36bix0TIOA verifying signature local

Comment 1 John Arthorne CLA 2013-07-16 14:40:06 EDT
Maciej, I know you have been looking into logging, can you change our configuration to fix this? I don't think we need any of this detail by default. We have our own logging of the final result (login success/failure) which I think is enough by default.

Comment 2 Maciej Bendkowski CLA 2013-07-18 09:21:34 EDT
Pushed to master: http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=b4f77f78ef94ecbb3b56044f11ebec1f109d7b83

I've changed the openid4java log level to WARN. Fixing this bug revealed that we had different log implementations running in Orion. Openid4java uses log4j which, until now, was not overridden by our logback configuration. I've added bridges to log4j and jul, which should cover all third-party library log implementations.
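
A check for the condition this bug describes, as an added example that is not part of the original report or of Orion's code: it parses records in the two-line format quoted in the description and lists `org.openid4java` records below WARNING, together with any association handles they expose. The sample log, host names and handle are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in the two-line record format shown in the report;
# the handle and URLs are made-up placeholders, not values from the page.
SAMPLE_LOG = """\
Jul 16, 2013 2:26:14 PM org.openid4java.server.RealmVerifier setEnforceRpId
WARNING: RP discovery / realm validation disabled;
Jul 16, 2013 2:26:15 PM org.openid4java.consumer.ConsumerManager associate
INFO: Associated with https://op.example/accounts/ handle: 1.EXAMPLEHANDLE-0001
Jul 16, 2013 2:26:15 PM org.apache.commons.httpclient.HttpMethodBase getResponseBody
WARNING: Going to buffer response body of large or unknown size.
Jul 16, 2013 2:26:15 PM org.openid4java.server.RealmVerifier match
INFO: Return URL: https://rp.example/login/openid?op_return=true matches realm: https://rp.example
Jul 16, 2013 2:26:16 PM org.openid4java.consumer.ConsumerManager verifySignature
INFO: Found association: 1.EXAMPLEHANDLE-0001 verifying signature local
"""

HEADER = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M (\S+) (\S+)$")
LEVEL = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (.*)$")
RANK = {"FINEST": 0, "FINER": 1, "FINE": 2, "CONFIG": 3, "INFO": 4, "WARNING": 5, "SEVERE": 6}
HANDLE = re.compile(r"(?:handle|Found association): (\S+)")

def parse(text):
    """Yield (logger, level, message) for each header line followed by a level line."""
    logger = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            logger = h.group(1)
            continue
        m = LEVEL.match(line)
        if m and logger:
            yield logger, m.group(1), m.group(2)
            logger = None

def audit(text, prefix="org.openid4java", threshold="WARNING"):
    """Return records under `prefix` logged below `threshold`, plus handles they expose."""
    noisy, handles = [], set()
    for logger, level, msg in parse(text):
        if logger.startswith(prefix) and RANK[level] < RANK[threshold]:
            noisy.append((logger, level))
            handles.update(HANDLE.findall(msg))
    return noisy, handles
```

Run against a log written after the level change, `audit` should return an empty list and an empty set.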

Comment 3 Maciej Bendkowski CLA 2013-07-18 09:23:17 EDT
If someone's interested, here's an interesting example of how it might be forced in Jetty: http://www.eclipse.org/jetty/documentation/current/example-logging-logback-centralized.html

Comment 4 John Arthorne CLA 2013-07-18 09:44:30 EDT
That commit will break the build. There are some builder changes needed when new bundles are added, and for third party bundles a CQ is needed.

Comment 5 Maciej Bendkowski CLA 2013-07-18 10:05:57 EDT
I've reverted the appropriate commit.
CQ requests have been sent:

https://dev.eclipse.org/ipzilla/show_bug.cgi?id=7430
https://dev.eclipse.org/ipzilla/show_bug.cgi?id=7431

Sorry for the misunderstanding.

Comment 6 Maciej Bendkowski CLA 2013-07-18 11:38:10 EDT
Updated CQs to 1.6.4 version:

https://dev.eclipse.org/ipzilla/show_bug.cgi?id=7433
https://dev.eclipse.org/ipzilla/show_bug.cgi?id=7432

Comment 7 John Arthorne CLA 2013-07-22 15:54:02 EDT
The CQs have been approved, and I have added map entries for the two new bundles:

http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=220d531d2b8f4b3f4672ec195269880a1197c88d

You can re-commit your change now.

Comment 8 Maciej Bendkowski CLA 2013-07-23 08:21:46 EDT
Re-committed with:
http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=a51c941a723aab9f472a2e815d2f60479af349fb

Both bundles are now required in 1.6.4 version.