users@glassfish.java.net

Re: Login failures spams server.log

From: <forums_at_java.net>
Date: Tue, 23 Aug 2011 05:06:13 -0500 (CDT)

[quote=Kumar Jayanti Guest]

> You could file a Bug/RFE stating your point and I can make sure I take care
> of it for the next release. Thanks.

Ok, done. See http://java.net/jira/browse/GLASSFISH-17225 [1] .

>> So what is needed is an Audit Module that just logs failed login attempts to
>> a security.log, and then install it in GlassFish.

> Right, the unfortunate part is that the current default Audit Module logs
> things to server.log itself.

Precisely. (But your fix is really appreciated anyway!)

> For the next release I can look at introducing a new one that writes not
> just Authentication but also the Authorization failures to an audit.log or
> security.log (as you suggest)

My gut feeling is that a Better Default Audit Module (tm) should by default
*only* log failed login attempts to its audit.log. But it should of course
have a number of settable properties (default 'off') for logging other stuff
of interest.

> For now you can easily write one and make it the default.

Probably - if I can find the time to dig into the JavaDoc and learn how to do
that. :-)

>> I would therefore suggest that the current message to server.log is
>> shifted to DEBUG level (or whatever), and that Glassfish is by default
>> distributed and configured with an Audit Module that logs the failed login
>> attempts to a separate security.log file. The existence of a separate and
>> default security.log would also be very helpful in raising the factual
>> security of all Glassfish installations everywhere, since sysadmins then can
>> easily see what's going on. Please consider adding that!

> Point taken. It is just that we always felt any org using glassfish would
> for sure add a custom audit module that logs things in a way that fits the
> standards and tools of the organization and hence we never pushed for
> changing the default behavior.

That's definitely true for large organizations that have the staff resources
to deal with such minor details. But I'll wager that for each large
organization running Glassfish in production (with plenty of local
modifications) there are twenty smaller ones that just run Glassfish in
production out-of-the-box.

Cheers!

 


[1] http://java.net/jira/browse/GLASSFISH-17225

--
[Message sent by forum member 'tmpsa']
View Post: http://forums.java.net/node/834556
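
An added example, not part of the original message and not GlassFish's own code: a small audit module of the kind discussed above, which by default records only failed logins in a separate file instead of server.log. It assumes the `com.sun.appserv.security.AuditModule` base class shipped with GlassFish 3.x; the package, class name and the `logFile` and `logSuccess` properties are hypothetical.

```java
package com.example.audit; // hypothetical package name

import com.sun.appserv.security.AuditModule;
import java.io.IOException;
import java.util.Properties;
import java.util.logging.FileHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;

/** Writes authentication results to a dedicated file rather than server.log. */
public class FailedLoginAuditModule extends AuditModule {
    private static final Logger LOG = Logger.getLogger("com.example.audit.security");
    private boolean logSuccess; // successful logins are not recorded unless enabled

    @Override
    public void init(Properties props) {
        super.init(props);
        // "logFile" and "logSuccess" are property names invented for this example.
        String file = props.getProperty("logFile", "security.log");
        logSuccess = Boolean.parseBoolean(props.getProperty("logSuccess", "false"));
        try {
            FileHandler handler = new FileHandler(file, true); // true = append
            handler.setFormatter(new SimpleFormatter());
            LOG.addHandler(handler);
            LOG.setUseParentHandlers(false); // keep audit entries out of server.log
        } catch (IOException e) {
            // Parent handlers stay enabled, so entries still reach the server log.
            LOG.log(Level.SEVERE, "cannot open audit log " + file, e);
        }
    }

    @Override
    public void authentication(String user, String realm, boolean success) {
        if (success && !logSuccess) {
            return;
        }
        LOG.log(success ? Level.INFO : Level.WARNING, "login {0} user={1} realm={2}",
                new Object[] {success ? "OK" : "FAILED", clean(user), clean(realm)});
    }

    // The user name comes from the client: replace CR/LF/TAB so it cannot forge log lines.
    private static String clean(String s) {
        return s == null ? "-" : s.replaceAll("[\\r\\n\\t]", "_");
    }
}
```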