users@glassfish.java.net

Re: Asserting a user and access logging

From: Sam Crawford <samcrawford_at_gmail.com>
Date: Mon, 20 Jul 2009 22:30:17 +0100

Thanks Jan, much appreciated.

The filter runs as a part of a J2EE web application (the first filter in the
chain). As you suggest, I imagine that the logging valve is operating on the
original unwrapped request.

Do you know of any other way to achieve what I'm looking to do?

I've tried creating a custom JAAS authentication module (which looks
promising), but it seems an awful lot of code to achieve something
fundamentally very simple. Furthermore, some simple benchmarking after
enabling the JAAS module shows a ~20% decrease in requests/sec.

Any other suggestions would be very welcome!

Thanks,

Sam


2009/7/20 Jan Luehe <Jan.Luehe_at_sun.com>

> Sam,
>
>
> On 07/20/09 02:29 AM, Sam Crawford wrote:
>
> If this is the wrong mailing list, please can someone point me in the right
> direction?
>
> Thanks,
>
> Sam
>
>
> 2009/7/17 Sam Crawford <samcrawford_at_gmail.com>
>
>> Anyone have any suggestions?
>>
>> Thanks,
>>
>> Sam
>>
>>
>> 2009/7/16 Sam Crawford <samcrawford_at_gmail.com>
>>
>>> Morning all,
>>> Probably a fairly silly question, but I've googled and can't find the
>>> answer, so I'll ask here.
>>>
>>> We've written a custom authentication server filter that interacts with
>>> an SSO server. Now, we want to log the authenticated username as a part of
>>> the log line in the GlassFish access log. I had imagined this would be
>>> simply a case of wrapping the request in an HttpServletRequestWrapper and
>>> overriding getRemoteUser and getUserPrincipal. However, after doing this,
>>> the username recorded in the access log is still NULL-AUTH-USER.
>>>
>>> Does anyone know how to properly assert an identity such that it is
>>> logged properly by GlassFish into the access log?
>>>
>>
>
> Where in the request processing do you inject your "custom authentication
> server filter"?
>
> Note that access logging is implemented as a valve at the virtual-server
> level. The
> access logging valve logs the result of HttpServletRequest#getRemoteUser,
> which in turn
> returns the name of the principal (if any) returned by
> HttpServletRequest#getUserPrincipal.
>
> It looks like the access-logging valve is still operating on the original,
> "unwrapped"
> request/response objects, which would explain why NULL-AUTH-USER is being
> logged.
>
> Jan
>
>
>
>
>>> Thanks,
>>>
>>> Sam
>>>
>>
>>
>
>