users@glassfish.java.net

Re: Asserting a user and access logging

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Fri, 31 Jul 2009 12:36:09 -0700

On 07/31/09 12:07 PM, glassfish_at_javadesktop.org wrote:
> I ran into the same problem. We are using jcifs.http.NtlmHttpFilter for authentication. The access logs show NULL-AUTH-USER. I saw your solution, copying the remoteUser into request scope in every application and logging using %attribute.<name>%. We have around 20 web apps though. So this did not seem like a reliable solution. I considered modifying jcifs source but jcifs is a library in every webapp currently, so all would need to be modified. I found that JCIFS puts the username in a session attribute called NtlmHttpAuth. Glassfish doesn't have any documented method to log session variables. So I searched through the glassfish source code for any undocumented features. No session logging.
>
> I found that with adding one line of code to glassfish I could make JCIFS authenticated user access logging work.
>
> I added:
>
> if (user == null && hreq.getSession(false) != null
>         && hreq.getSession(false).getAttribute("NtlmHttpAuth") != null) {
>     user = hreq.getSession(false).getAttribute("NtlmHttpAuth").toString();
> }
>
> in com\sun\enterprise\web\accesslog\DefaultAccessLogFormatterImpl.java appendAuthUserName method (line 388).
>
> I compiled it and put it in:
> C:\Sun\AppServer\lib\appserv-rt.jar
>
> We are running Sun GlassFish Enterprise Server v2.1 (9.1.1). I only compiled and added that one java file to appserv-rt.jar. I used source from:
> GlassFish Project - v2.1 FinalBuild (also known as v2.1 b60e Promoted Build).
>
> This isn't the best way to patch glassfish but it is working.
>

I just filed this enhancement request:

  https://glassfish.dev.java.net/issues/show_bug.cgi?id=8966
  ("Add support for access-logging of session attributes")

and I'm about to commit a fix for it (to GlassFish v3).

I've introduced a new access-log pattern element "%session.<name>%",
which will log the value of the session attribute with name <name>,
NULL-SESSION-ATTRIBUTE-<name> if the named attribute does
not exist in the session, and NULL-SESSION if no session exists.

Hope this helps. :)

Thanks,

Jan

> [Message sent by forum member 'thekyle2000' (thekyle2000)]
>
> http://forums.java.net/jive/thread.jspa?messageID=358412
>
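
The three outcomes described above for the "%session.<name>%" pattern element, as an added Java example that is not GlassFish's code and not part of the original messages. The session is modelled as a Map (null meaning no session exists); the class name, the sample format string, the sample values and the CR/LF escaping of logged values are assumptions added here.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SessionAttributeLogDemo {
    // Matches the %session.<name>% pattern element described in the message.
    private static final Pattern SESSION_TOKEN = Pattern.compile("%session\\.([^%]+)%");

    // Expands %session.<name>% tokens in an access-log format string.
    // Assumption: a null map stands in for "no session exists", i.e. what
    // getSession(false) returning null means in a servlet container.
    static String expand(String format, Map<String, Object> session) {
        Matcher m = SESSION_TOKEN.matcher(format);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(1);
            String value;
            if (session == null) {
                value = "NULL-SESSION";
            } else if (session.get(name) == null) {
                value = "NULL-SESSION-ATTRIBUTE-" + name;
            } else {
                value = sanitize(session.get(name).toString());
            }
            // quoteReplacement keeps '\' and '$' in the value literal.
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Added hardening, not described in the message: escape CR/LF so a
    // session attribute value cannot split one request across log lines.
    static String sanitize(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n");
    }

    public static void main(String[] args) {
        // Constructed sample format and values, for illustration only.
        String format = "%session.NtlmHttpAuth% \"GET /app/index.jsp\" 200";
        Map<String, Object> session = new HashMap<>();
        System.out.println(expand(format, null));      // no session
        System.out.println(expand(format, session));   // session without the attribute
        session.put("NtlmHttpAuth", "EXAMPLE\\jdoe");
        System.out.println(expand(format, session));   // attribute present
        session.put("NtlmHttpAuth", "EXAMPLE\\jdoe\nsecond line");
        System.out.println(expand(format, session));   // embedded newline is escaped
    }
}
```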