Zzzz/Book-management-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
781ce4697e6f0aacfca7be13d6893dd6f0a164aa
Book-management-system/.trellis/tasks/04-28-windows-login-diagnostic-logs/prd.md
T
Zzzz 781ce4697e add logging
2026-04-28 18:37:26 +08:00

83 lines
4.7 KiB
Markdown
Raw Blame History

# Add Windows Login Diagnostic Logs
## Goal
Add safe server-side diagnostic logs to the login/authentication path so a Windows-built deployment that returns `用户名或密码不正确。` can be diagnosed without exposing passwords, password hashes, or database credentials.
## What I Already Know
* The previous frontend rebuild task is solved and has been archived.
* On the Windows system build, login now reaches the invalid-credentials path: `用户名或密码不正确。`
* The user believes the database connection is probably already working.
* Existing login flow is `LoginServlet` -> `AuthServiceImpl` -> `JdbcUserDao.findActiveByUsername` -> `JdbcUtil`.
* `AuthServiceImpl` currently logs only generic login failure/success/service-error messages.
* Existing backend specs require login failures to keep the same generic user-facing message and to log server-side details for unavailable services.
## Requirements
* Add diagnostic logging around login POST handling, authentication lookup, password verification outcome, and database configuration/connection attempts.
* Logs must help distinguish:
* request reached `LoginServlet`;
* username normalization changed the submitted username;
* active user row was not found;
* user row was found but password verification failed;
* database configuration was loaded and which JDBC URL/user key were used, with secrets redacted;
* JDBC driver/connection failures if they happen.
* Do not log raw passwords, password hashes, salts, database passwords, or full sensitive config values.
* Preserve the current user-facing Chinese error message and login behavior.
* Keep the implementation in the existing Servlet + service + DAO + JDBC stack.
* Prefer `java.util.logging` patterns already used in the project.
* Document and seed explicit local/demo initial credentials so new deployments are not blocked by unrecoverable password hashes:
* `admin` / `admin123`
* `librarian` / `librarian123`
* `reader` / `reader123`
* Make clear that these demo passwords are for local scaffold verification only and must be changed or removed before non-local/production use.
## Acceptance Criteria
* [x] Login failure logs identify whether the username was absent, not found, or found with password mismatch.
* [x] Login request logs include safe request diagnostics such as remote address, context path, redirect presence, and submitted username length or sanitized username.
* [x] Database logs confirm `db.properties` loading and JDBC connection attempts with password redacted.
* [x] No log statement outputs a raw password, password hash, salt, or database password.
* [x] Existing login success/failure behavior remains unchanged for users.
* [x] `mvn test` or the closest available Maven verification command succeeds.
* [x] README lists the local/demo initial login accounts and passwords with an explicit non-production warning.
* [x] `schema.sql` seed user hashes verify against the documented demo passwords for new deployments.
* [x] Existing deployments have a documented SQL reset path or warning explaining that `INSERT IGNORE` will not overwrite existing user rows.
## Definition Of Done
* Diagnostic logging implemented in source.
* Maven verification run and results reported.
* No database schema changes.
* No unrelated frontend/layout changes.
## Out Of Scope
* Changing password hashing rules or seed user credentials.
* Adding a new logging framework.
* Changing database schema or production credentials.
* Reworking the login UI.
* Committing generated build artifacts.
## Technical Notes
* Likely impacted files:
* `src/main/java/com/mzh/library/controller/LoginServlet.java`
* `src/main/java/com/mzh/library/service/impl/AuthServiceImpl.java`
* `src/main/java/com/mzh/library/dao/impl/JdbcUserDao.java`
* `src/main/java/com/mzh/library/util/JdbcUtil.java`
* Relevant specs:
* `.trellis/spec/backend/logging-guidelines.md`
* `.trellis/spec/backend/database-guidelines.md`
* `.trellis/spec/backend/quality-guidelines.md`
* Verification completed at 2026-04-28 18:22 +0800:
* `/home/sjy/.sdkman/candidates/maven/current/bin/mvn test` passed with `BUILD SUCCESS`.
* `/home/sjy/.sdkman/candidates/maven/current/bin/mvn package` passed with `BUILD SUCCESS` and produced `target/library-management.war`.
* `git diff --check` passed.
* Sensitive logger scan only found boolean password state fields, `password=<redacted>`, and `password-mismatch` category labels.
* Verification completed at 2026-04-28 18:33 +0800:
* `PasswordHasher.verify` returned `true` for `admin/admin123`, `librarian/librarian123`, and `reader/reader123` against the updated `schema.sql` PBKDF2 hashes.
* `/home/sjy/.sdkman/candidates/maven/current/bin/mvn verify` passed with `BUILD SUCCESS`.
* `git diff --check` passed.
Reference in New Issue View Git Blame Copy Permalink