users@glassfish.java.net

Re: Login failures spams server.log

From: Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Mon, 22 Aug 2011 17:36:21 +0530

You could file a Bug/RFE stating your point and I can make sure I take care of it for the next release.

Thanks.
On 22-Aug-2011, at 5:34 PM, Kumar Jayanti wrote:

>
> On 22-Aug-2011, at 2:11 PM, forums_at_java.net wrote:
>
>> [quote=Kumar Jayanti Guest]On 19-Aug-2011, at 9:35 PM, forums_at_java.net [1]
>> wrote:
>>
>>> Fixed in 3.1.2. as well. : 17209
>>
>> Great!
>>
>>>> But should a login error really be considered a *server* problem at all?
>>
>>> It's not, but there has to be an INFO or Warning Log in the server. It has
>> been a WARNING for a long time.
>>
>> Yes, the level WARNING (with its traceback) is clearly inappropriate.
>>
>>>>> What you are suggesting can be done using a Custom Audit Module where
>> all authentication and authorization events are audited.
>>
>>>> Sounds promising. Would that totally eliminate the log entry in
>> server.log?
>>
>>> No it won't, it is in addition to what would be in server.log. This is
>> in case you want to collect all security related events in a separate
>> security.log.
>>
>> Login failures should definitely be logged somewhere, yes. And since such events
>> are not server problems, they should be logged somewhere else than in
>> server.log, for example in a security.log. "Normal" events like that would
>> otherwise fill server.log with messages, obscuring *real* server problems.
>>
>>>> Any pointers to howtos on this would be much appreciated.
>>
>>> http://glassfish.java.net/docs/#allinone [2] Look for the section on Audit
>> Modules and Custom Audit modules in the Security Guide.
>>
>> Thanks!
>>
>> Using the Admin Console I enabled Audit Logging and activated the default
>> Audit Module (by setting its property 'auditOn' to 'true'), as per the GF
>> Security Guide (p. 116). But that produces gazillions of totally
>> uninteresting INFO messages in server.log. Not precisely what I hoped for.
>> :-/
>
>>
>> So what is needed is an Audit Module that just logs failed login attempts to
>> a security.log, and then install it in GlassFish.
> Right, the unfortunate part is that the current default Audit Module logs things to server.log itself. For the next release I can look at introducing a new one that writes not just Authentication but also the Authorization failures to an audit.log or security.log (as you suggest).
>
> For now you can easily write one and make it the default.
>> (But that won't eliminate
>> the existing message to server.log, would it?)
>
> It would not eliminate what is in server.log today (I mean the ones that appear without the Audit Being Enabled). But like I said, I fixed the log to just be a single line instead of a stack-trace.
>>
>> I would therefore suggest that the current message to server.log is shifted
>> to DEBUG level (or whatever), and that Glassfish is by default distributed
>> and configured with an Audit Module that logs the failed login attempts to a
>> separate security.log file. The existence of a separate and default
>> security.log would also be very helpful in raising the factual security of
>> all Glassfish installations everywhere, since sysadmins then can easily see
>> what's going on. Please consider adding that!
>>
> Point taken. It is just that we always felt any org using GlassFish would for sure add a custom audit module that logs things in a way that fits the standards and tools of the organization and hence we never pushed for changing the default behavior.
>
> regards,
> kumar
>>
>>
>>
>> [1] mailto:forums_at_java.net
>> [2] http://glassfish.java.net/docs/#allinone
>>
>> --
>>
>> [Message sent by forum member 'tmpsa']
>>
>> View Post: http://forums.java.net/node/834556
>>
>>
>