JDK-8358090 : Turn on timestamp and thread details by default for java.security.debug
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P4
  • Status: Provisional
  • Resolution: Unresolved
  • Fix Versions: 25
  • Submitted: 2025-05-29
  • Updated: 2025-05-30
Description
Summary
-------

In JDK 23, JDK-8051959 introduced an option to add thread and timestamp data to the debug output produced by the `java.security.debug` system property. This CSR proposes to always emit that data and to remove the `+thread` and `+timestamp` options that were used to control this logging behavior.

Problem
-------

By default, the `thread` and `timestamp` data remains off in the `java.security.debug` output. To enhance the security debug logs, the thread and timestamp data should always be present. This puts it on a par with another important security debug system property, the TLS debug property `javax.net.debug`. Output from TLS `javax.net.debug` logs always contains thread and timestamp data.

Solution
--------

Remove the `+thread` and `+timestamp` support code and print thread and timestamp data by default. This enhancement is only proposed for the JDK feature release. Update releases can continue to opt into such data.

Debug output data from use of the `java.security.debug` property will now resemble something like the following:


```
properties[0x10|main|Security.java:122|2025-05-01 14:59:42.859 UTC]: Initial security property: package.definition=sun.misc.,sun.reflect.
properties[0x10|main|Security.java:122|2025-05-01 14:59:42.859 UTC]: Initial security property: krb5.kdc.bad.policy=tryLast
```
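A parser for the decorated line format shown above, as an added example that is not part of the JDK or of this CSR. The field layout (thread id, thread name, caller, timestamp) is inferred from the sample, and `parse_line` and `normalize` are hypothetical helper names; `normalize` drops the thread and timestamp fields so that output from two runs can be diffed.

```python
import re
from datetime import datetime, timezone

# Layout inferred from the sample output (an assumption, not a documented grammar):
# component[threadId|threadName|File.java:line|yyyy-MM-dd HH:mm:ss.SSS UTC]: message
DECORATED = re.compile(
    r"^(?P<component>[^\[]+)"
    r"\[(?P<tid>0x[0-9a-fA-F]+)\|(?P<thread>.*?)\|(?P<caller>[^|\]]+:\d+)"
    r"\|(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) UTC\]: (?P<msg>.*)$"
)

def parse_line(line):
    """Return the fields of a decorated debug line, or None for any other line."""
    m = DECORATED.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["tid"] = int(rec["tid"], 16)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f").replace(
        tzinfo=timezone.utc)
    return rec

def normalize(line, keep_caller=True):
    """Strip thread and timestamp data; undecorated lines pass through unchanged."""
    rec = parse_line(line)
    if rec is None:
        return line.rstrip("\n")
    prefix = f"{rec['component']}[{rec['caller']}]" if keep_caller else rec["component"]
    return f"{prefix}: {rec['msg']}"

# Lines 0-1 are the CSR's sample output; lines 2-4 are constructed for this example:
# a rerun on another thread, a thread name containing '|', and a continuation line.
SAMPLE = [
    "properties[0x10|main|Security.java:122|2025-05-01 14:59:42.859 UTC]: "
    "Initial security property: package.definition=sun.misc.,sun.reflect.",
    "properties[0x10|main|Security.java:122|2025-05-01 14:59:42.859 UTC]: "
    "Initial security property: krb5.kdc.bad.policy=tryLast",
    "properties[0x21|Thread-3|Security.java:122|2025-05-02 09:10:11.004 UTC]: "
    "Initial security property: package.definition=sun.misc.,sun.reflect.",
    "properties[0x2a|pool-1|worker|Example.java:7|2025-05-02 09:10:11.010 UTC]: "
    "constructed message",
    "    at constructed.continuation.Line(Example.java:1)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(normalize(line))
```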

Specification
-------------

 * The system property javadoc document, recently introduced via JDK-8328914, is updated to remove mention of the `+thread` and `+timestamp` options.
 * The `java.security.debug` help output is updated to remove mention of the `+thread` and `+timestamp` options.
 * A release note will accompany this change.
 * Continued use of the `+thread` and `+timestamp` options will no longer have any effect. The thread and timestamp data is always printed, and valid security components used in the `java.security.debug` property will continue to be logged.

Comments
[~darcy] I did consider allowing a type of `-thread` and `-timestamp` option in `java.security.debug` but the cost of maintaining such code seemed to outweigh the benefits. For some security components, debug traffic is already quite random: different seeds and SecureRandom data will create different algorithm data, nonces, etc. The `javax.net.debug` TLS debug flag has added similar decorators to debug output since 2018 and has no omit option. I haven't seen that become an issue for debugging scenarios. Filtering out thread and timestamp data could best be done via regex filtering. Pinging [~mullan] and [~weijun] in case they have thoughts on this suggestion.
30-05-2025

Moving to Provisional, not Approved. [~coffeys], are there use cases where omitting this information would be helpful? Getting reproducible output for example?
30-05-2025

Reads well to me (sans reviewer status).
29-05-2025