users@glassfish.java.net

Re: Login failures spams server.log

From: <forums_at_java.net>
Date: Mon, 22 Aug 2011 03:41:39 -0500 (CDT)

[quote=Kumar Jayanti Guest]On 19-Aug-2011, at 9:35 PM, forums_at_java.net [1]
wrote:

> Fixed in 3.1.2. as well. : 17209

Great!

> > But should a login error really be considered a *server* problem at all?

> It's not but there has to be an INFO or Warning Log in the server. It has
> been a WARNING for a long time.

Yes, the level WARNING (with its traceback) is clearly inappropriate.

> > > What you are suggesting can be done using a Custom Audit Module where
> > > all authentication and authorization events are audited.

> > Sounds promising. Would that totally eliminate the log entry in
> > server.log?

> No it won't, it is in addition to what would be in server.log. This is
> in case you want to collect all security related events in a separate
> security.log.

Login failures should definitely be logged somewhere, yes. And since such events
are not server problems, they should be logged somewhere else than in
server.log, for example in a security.log. "Normal" events like that would
otherwise fill server.log with messages, obscuring *real* server problems.

> > Any pointers to howtos on this would be much appreciated.

> http://glassfish.java.net/docs/#allinone [2] Look for the section on Audit
> Modules and Custom Audit modules in the Security Guide.

Thanks!

Using the Admin Console I enabled Audit Logging and activated the default
Audit Module (by setting its property 'auditOn' to 'true'), as per the GF
Security Guide (p. 116). But that produces gazillions of totally
uninteresting INFO messages in server.log. Not precisely what I hoped for.
:-/

So what is needed is an Audit Module that just logs failed login attempts to
a security.log, and then install it in GlassFish. (But that won't eliminate
the existing message to server.log, would it?)

I would therefore suggest that the current message to server.log is shifted
to DEBUG level (or whatever), and that Glassfish is by default distributed
and configured with an Audit Module that logs the failed login attempts to a
separate security.log file. The existence of a separate and default
security.log would also be very helpful in raising the factual security of
all Glassfish installations everywhere, since sysadmins then can easily see
what's going on. Please consider adding that!

 


[1] mailto:forums_at_java.net
[2] http://glassfish.java.net/docs/#allinone

--
[Message sent by forum member 'tmpsa']
View Post: http://forums.java.net/node/834556
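
Added example, not part of the original post and not GlassFish's own code: a sketch of the kind of custom audit module discussed above, one that records only failed logins in a separate file. It extends GlassFish's com.sun.appserv.security.AuditModule base class; the class name, the logger name and the "logFile" module property are assumptions made for this example.

```java
import com.sun.appserv.security.AuditModule;
import java.io.IOException;
import java.util.Properties;
import java.util.logging.FileHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;

// Hypothetical custom audit module: records only failed authentications.
public class FailedLoginAuditModule extends AuditModule {

    // Dedicated logger; the name is an assumption for this example.
    private static final Logger LOG = Logger.getLogger("example.security.audit");

    @Override
    public void init(Properties props) {
        super.init(props);
        // "logFile" is a hypothetical property set on the audit module's configuration.
        String path = props.getProperty("logFile", "security.log");
        try {
            FileHandler handler = new FileHandler(path, true); // append to existing file
            handler.setFormatter(new SimpleFormatter());
            LOG.addHandler(handler);
            LOG.setUseParentHandlers(false); // keep these records out of server.log
            LOG.setLevel(Level.INFO);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot open audit log " + path, e);
        }
    }

    @Override
    public void authentication(String user, String realm, boolean success) {
        if (success) {
            return; // successful logins are not recorded by this module
        }
        LOG.log(Level.INFO, "Failed login: user={0} realm={1}",
                new Object[] { sanitize(user), sanitize(realm) });
    }

    // The submitted user name is untrusted input: replace control characters
    // (CR/LF included) so it cannot forge extra log lines, and cap its length.
    static String sanitize(String value) {
        if (value == null) {
            return "<null>";
        }
        String cleaned = value.replaceAll("\\p{Cntrl}", "_");
        return cleaned.length() > 128 ? cleaned.substring(0, 128) + "..." : cleaned;
    }
}
```

As stated in the thread, a module like this writes in addition to the existing entry in server.log; it does not remove that entry.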