users@glassfish.java.net

Re: Login failures spams server.log

From: Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Mon, 22 Aug 2011 17:34:50 +0530

On 22-Aug-2011, at 2:11 PM, forums_at_java.net wrote:

> [quote=Kumar Jayanti Guest]On 19-Aug-2011, at 9:35 PM, forums_at_java.net [1]
> wrote:
>
> > Fixed in 3.1.2 as well: 17209
>
> Great!
>
> > > But should a login error really be considered a *server* problem at all?
>
> > It's not, but there has to be an INFO or WARNING log in the server. It has
> been a WARNING for a long time.
>
> Yes, the level WARNING (with its traceback) is clearly inappropriate.
>
> > > > What you are suggesting can be done using a Custom Audit Module where
> all authentication and authorization events are audited.
>
> > > Sounds promising. Would that totally eliminate the log entry in
> server.log?
>
> > No it won't, it is in addition to what would be in server.log. This is
> in case you want to collect all security related events in a separate
> security.log.
>
> Login failures should definitely be logged somewhere, yes. And since such events
> are not server problems, they should be logged somewhere else than in
> server.log, for example in a security.log. "Normal" events like that would
> otherwise fill server.log with messages, obscuring *real* server problems.
>
> > > Any pointers to howtos on this would be much appreciated.
>
> > http://glassfish.java.net/docs/#allinone [2] Look for the section on Audit
> Modules and Custom Audit modules in the Security Guide.
>
> Thanks!
>
> Using the Admin Console I enabled Audit Logging and activated the default
> Audit Module (by setting its property 'auditOn' to 'true'), as per the GF
> Security Guide (p. 116). But that produces gazillions of totally
> uninteresting INFO messages in server.log. Not precisely what I hoped for.
> :-/

>
> So what is needed is an Audit Module that just logs failed login attempts to
> a security.log, and then install it in GlassFish.
Right, the unfortunate part is that the current default Audit Module logs things to server.log itself. For the next release I can look at introducing a new one that writes not just authentication but also the authorization failures to an audit.log or security.log (as you suggest).

For now you can easily write one and make it the default.
> (But that won't eliminate
> the existing message to server.log, would it?)

It would not eliminate what is in server.log today (I mean the ones that appear without audit being enabled). But like I said, I fixed the log to just be a single line instead of a stack trace.
>
> I would therefore suggest that the current message to server.log is shifted
> to DEBUG level (or whatever), and that Glassfish is by default distributed
> and configured with an Audit Module that logs the failed login attempts to a
> separate security.log file. The existence of a separate and default
> security.log would also be very helpful in raising the factual security of
> all Glassfish installations everywhere, since sysadmins then can easily see
> what's going on. Please consider adding that!
>
Point taken. It is just that we always felt any org using GlassFish would for sure add a custom audit module that logs things in a way that fits the standards and tools of the organization, and hence we never pushed for changing the default behavior.

regards,
kumar
>
>
>
> [1] mailto:forums_at_java.net
> [2] http://glassfish.java.net/docs/#allinone
>
> --
>
> [Message sent by forum member 'tmpsa']
>
> View Post: http://forums.java.net/node/834556
>
>
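Below is an added example of the kind of module Kumar suggests writing ("you can easily write one and make it the default"). It is not code from this thread or from the GlassFish sources; it is written against the GlassFish 3.x com.sun.appserv.security.AuditModule API (init, authentication, webInvocation, ejbInvocation, webServiceInvocation, ejbAsWebServiceInvocation, serverStarted, serverShutdown). The package name, the class name, the module properties logfile and logSuccess, and the default location <domain-dir>/logs/security.log are my assumptions. It records only failures by default, writes them to its own file rather than server.log, and scrubs control characters from user-controlled strings so a crafted user name cannot forge extra lines in the audit log.

```java
package com.example.audit; // hypothetical package, not part of GlassFish

import com.sun.appserv.security.AuditModule;

import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Properties;
import java.util.logging.FileHandler;
import java.util.logging.Formatter;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;

/**
 * Custom GlassFish 3.x audit module that writes authentication and
 * authorization FAILURES to a separate security.log instead of server.log.
 * Successful events are dropped unless the module property logSuccess=true.
 */
public class SecurityLogAuditModule extends AuditModule {

    // A dedicated logger name keeps these records apart from the server loggers.
    private static final Logger AUDIT = Logger.getLogger("com.example.audit.security");
    private boolean logSuccess;

    @Override
    public void init(Properties props) {
        super.init(props);   // AuditModule keeps the properties in its protected 'props' field
        logSuccess = Boolean.parseBoolean(props.getProperty("logSuccess", "false"));
        // Assumed default: <domain-dir>/logs/security.log, right next to server.log.
        String logfile = props.getProperty("logfile",
                System.getProperty("com.sun.aas.instanceRoot") + "/logs/security.log");
        try {
            // 10 MB per file, keep 5 rotated files, append across restarts.
            FileHandler handler = new FileHandler(logfile, 10 * 1024 * 1024, 5, true);
            handler.setFormatter(new LineFormatter());
            AUDIT.addHandler(handler);
            // Without this, java.util.logging also propagates every record to the
            // root logger's handlers, i.e. straight back into server.log.
            AUDIT.setUseParentHandlers(false);
            AUDIT.setLevel(Level.ALL);
        } catch (IOException e) {
            throw new IllegalStateException("cannot open audit log " + logfile, e);
        }
    }

    @Override
    public void authentication(String user, String realm, boolean success) {
        // Note: this callback carries no client address; that is only available
        // for web requests via webInvocation below.
        record(success, "AUTH", "user=" + clean(user) + " realm=" + clean(realm));
    }

    @Override
    public void webInvocation(String user, HttpServletRequest req, String type, boolean success) {
        String uri  = (req == null) ? "-" : clean(req.getRequestURI());
        String from = (req == null) ? "-" : clean(req.getRemoteAddr());
        record(success, "WEB", "user=" + clean(user) + " type=" + clean(type)
                + " uri=" + uri + " from=" + from);
    }

    @Override
    public void ejbInvocation(String user, String ejb, String method, boolean success) {
        record(success, "EJB", "user=" + clean(user) + " ejb=" + clean(ejb)
                + " method=" + clean(method));
    }

    @Override
    public void webServiceInvocation(String uri, String endpoint, boolean success) {
        record(success, "WS", "uri=" + clean(uri) + " endpoint=" + clean(endpoint));
    }

    @Override
    public void ejbAsWebServiceInvocation(String endpoint, boolean success) {
        record(success, "EJBWS", "endpoint=" + clean(endpoint));
    }

    @Override public void serverStarted()  { AUDIT.info("SERVER started"); }
    @Override public void serverShutdown() { AUDIT.info("SERVER shutdown"); }

    private void record(boolean success, String kind, String detail) {
        if (success && !logSuccess) {
            return;   // noise reduction: failures only, unless logSuccess=true
        }
        AUDIT.log(success ? Level.INFO : Level.WARNING,
                  kind + (success ? " SUCCESS " : " FAILURE ") + detail);
    }

    /** Replace CR, LF and other control characters so user-supplied values
     *  (e.g. a login name) cannot inject fake lines into the audit log. */
    static String clean(String s) {
        if (s == null) return "-";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            sb.append((c < 0x20 || c == 0x7f) ? '?' : c);
        }
        return sb.toString();
    }

    /** One event per line: timestamp, level, message. */
    private static final class LineFormatter extends Formatter {
        private final SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
        @Override
        public synchronized String format(LogRecord r) {
            return fmt.format(new Date(r.getMillis())) + " " + r.getLevel()
                    + " " + r.getMessage() + System.getProperty("line.separator");
        }
    }
}
```

To use it (commands as I understand the 3.x asadmin syntax; module name "securitylog" is my choice): compile against the GlassFish module jar that contains com.sun.appserv.security.AuditModule plus the servlet API, drop the resulting jar into <domain-dir>/lib, then register it and turn auditing on:

    asadmin create-audit-module --classname com.example.audit.SecurityLogAuditModule --property logSuccess=false securitylog
    asadmin set server-config.security-service.audit-modules=securitylog
    asadmin set server-config.security-service.audit-enabled=true

and restart the domain. Two caveats that follow from the thread: as Kumar says, this does not remove the existing login-failure message from server.log (that is a change in the core, fixed in 3.1.2 to a single line), and because the module is called on the request path, the handler must stay cheap and must never log the credential itself, only the user name and realm.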