1. Re: Providing Auditing Capabilities
anil.saldhana Jan 24, 2006 10:31 AM (in response to anil.saldhana)
A bare minimum capability can be the following:
1) A separate JMX based service called "Audit Service" exists. This has all the knowledge about logging levels, ignore list, security domain list to log (if needed, if not every domain will be logged) etc. The logs exist in the {jboss.server.dir}/log/audit directory with the format xxx-audit-log (where xxx is the security domain).
2) A flag exists in the JAAS Security Manager service that determines whether the auditing is on/off (OFF by default). If the audit is on, all operations on the security manager service will send audit events to the Audit service described in step 1. Now it is up to the Audit Service to determine whether it wants to log the event or not, based on the settings.
Issues:
1. Rolling over the audit logs periodically should be considered.
http://jira.jboss.com/jira/browse/JBAS-2738
2. Re: Providing Auditing Capabilities
anil.saldhana Aug 22, 2006 4:43 PM (in response to anil.saldhana)
http://jira.jboss.com/jira/browse/JBAS-2738 has been implemented in HEAD. The default Audit Provider is a logging provider that basically takes advantage of logging configuration provided by the logging framework to send the log to a particular sink (file, database, jms etc) and provide rolling features.
A piece that is missing is the configuration of the audit providers at the security domain level.
Currently the web layer (JBossWebRealm) and the EJB Security Interceptor do the audit logging for authentication and authorization attempts.
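
The design discussed in this thread, as an added example that is not part of either post and is not JBoss code: a caller-side on/off flag, an audit service that filters on a domain list and an ignore list, and one rolling log file per security domain. The class `AuditServiceSketch`, its methods, the operation names and the sample events are assumptions made for illustration; `java.util.logging` stands in for the logging framework.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.*;

// Hypothetical sketch: class, method and operation names are assumptions, not JBoss APIs.
public class AuditServiceSketch {
    private final Path auditDir;
    private final Set<String> domains;    // empty set = audit every security domain
    private final Set<String> ignoredOps; // ignore list of operation names
    private final Map<String, Logger> sinks = new ConcurrentHashMap<>();

    public AuditServiceSketch(Path serverDir, Set<String> domains, Set<String> ignoredOps) throws IOException {
        this.auditDir = Files.createDirectories(serverDir.resolve("log").resolve("audit"));
        this.domains = domains;
        this.ignoredOps = ignoredOps;
    }

    // The service, not the caller, decides from its settings whether the event is recorded.
    public boolean audit(String domain, String op, String principal, boolean success) {
        if (!domain.matches("[A-Za-z0-9_-]+"))  // the domain becomes part of a file name
            throw new IllegalArgumentException("bad security domain name");
        if (!domains.isEmpty() && !domains.contains(domain)) return false;
        if (ignoredOps.contains(op)) return false;
        sinkFor(domain).info(clean(op) + " principal=" + clean(principal)
                + " result=" + (success ? "SUCCESS" : "FAILURE"));
        return true;
    }

    private Logger sinkFor(String domain) {
        return sinks.computeIfAbsent(domain, d -> {
            try {  // xxx-audit-log.N: rolls at 1 MB, keeps 5 generations, appends across restarts
                FileHandler fh = new FileHandler(auditDir.resolve(d + "-audit-log.%g").toString(), 1_000_000, 5, true);
                fh.setFormatter(new SimpleFormatter());
                Logger log = Logger.getLogger("audit." + d);
                log.setUseParentHandlers(false);
                log.addHandler(fh);
                return log;
            } catch (IOException e) { throw new UncheckedIOException(e); }
        });
    }

    // Strip line breaks so a caller-supplied value cannot forge extra audit records.
    private static String clean(String s) { return String.valueOf(s).replaceAll("[\\r\\n]", "_"); }

    public static void main(String[] args) throws IOException {
        boolean auditOn = true; // the security manager flag; OFF by default in the design, on for this demo
        AuditServiceSketch svc = new AuditServiceSketch(Files.createTempDirectory("server"), Set.of(), Set.of("getPrincipal"));
        if (auditOn) { // constructed sample events
            svc.audit("other", "isValid", "alice", false);      // failed authentication is written to the domain's file
            svc.audit("other", "getPrincipal", "alice", true);  // operation is on the ignore list and is dropped
        }
    }
}
```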