JBoss AS7 Security Auditing

    Configure the Domain Model Logging Subsystem

            <subsystem xmlns="urn:jboss:domain:logging:1.1">
                <console-handler name="CONSOLE" autoflush="true">
                    <level name="INFO"/>
                    <formatter>
                        <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                    </formatter>
                </console-handler>
                <periodic-rotating-file-handler name="FILE" autoflush="true">
                    <level name="INFO"/>
                    <formatter>
                        <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                    </formatter>
                    <file relative-to="jboss.server.log.dir" path="server.log"/>
                    <suffix value=".yyyy-MM-dd"/>
                    <append value="true"/>
                </periodic-rotating-file-handler>
                <periodic-rotating-file-handler name="AUDIT" autoflush="true">
                    <level name="TRACE"/>
                    <formatter>
                        <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                    </formatter>
                    <file relative-to="jboss.server.log.dir" path="audit.log"/>
                    <suffix value=".yyyy-MM-dd"/>
                    <append value="true"/>
                </periodic-rotating-file-handler>

                <logger category="org.jboss.security.audit">
                    <level name="TRACE"/>
                    <handlers>
                        <handler name="AUDIT"/>
                    </handlers>
                </logger>

                <logger category="com.arjuna">
                    <level name="WARN"/>
                </logger>
                <logger category="org.apache.tomcat.util.modeler">
                    <level name="WARN"/>
                </logger>
                <logger category="sun.rmi">
                    <level name="WARN"/>
                </logger>
    
                <root-logger>
                    <level name="INFO"/>
                    <handlers>
                        <handler name="CONSOLE"/>
                        <handler name="FILE"/>
                    </handlers>
                </root-logger>
            </subsystem>

    The key changes to the logging subsystem are:

    • A new logger category for "org.jboss.security.audit" is defined.
    • A periodic rotating file handler called "AUDIT" is defined, and the new logger writes to it.

    To create audit.log, one can use the following CLI commands:

    /subsystem=logging/periodic-rotating-file-handler=AUDIT/:add(suffix=.yyyy-MM-dd,formatter="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n",level=TRACE,file={"relative-to" => "jboss.server.log.dir","path" => "audit.log"})
    /subsystem=logging/logger=org.jboss.security.audit/:add(level=TRACE,category=org.jboss.security.audit,handlers=["AUDIT"])

    Web Applications

    To enable auditing in your web applications, configure the jboss-web.xml of your web archive and set the <disable-audit> flag to false.

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
       <security-domain>form-auth</security-domain>
       <disable-audit>false</disable-audit>
    </jboss-web>

    Quick Testing

    1. Attached is the form-auth.war. Deploy it in standalone/deployments.
    2. Make the standalone/configuration/standalone.xml changes to the logging subsystem as defined above.
    3. Start JBoss AS7.
    4. Access http://localhost:8080/form-auth/ (User: anil, Password: anil).
    5. If things are working, you should see audit.log under standalone/log:

    1:32:27,751 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http--127.0.0.1-8080-1) [Success]principal=GenericPrincipal[anil(user,)];
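
    Once audit.log is being written, the next question is how to read it systematically. As an added example (not part of the original page and not JBoss code), the following Python script parses records in the LogAuditProvider format shown above, extracts the outcome, request thread and principal name from each one, and flags threads that produced repeated [Failure] records. The sample log content is constructed: its first line mirrors the page's, while the [Failure] lines, their Source field, their timestamps and the second user are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample audit.log content. The first line mirrors the one shown on
# this page; the [Failure] lines, their key=value fields, their timestamps and
# the user "bob" are assumptions made for this example, not captured JBoss output.
SAMPLE_AUDIT_LOG = """\
11:32:27,751 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http--127.0.0.1-8080-1) [Success]principal=GenericPrincipal[anil(user,)];
11:33:02,014 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http--127.0.0.1-8080-2) [Failure]principal=null;Source=org.jboss.security.authentication.JBossCachedAuthenticationManager;
11:33:05,377 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http--127.0.0.1-8080-2) [Failure]principal=null;Source=org.jboss.security.authentication.JBossCachedAuthenticationManager;
11:33:09,920 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http--127.0.0.1-8080-2) [Failure]principal=null;Source=org.jboss.security.authentication.JBossCachedAuthenticationManager;
11:33:15,204 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http--127.0.0.1-8080-3) [Success]principal=GenericPrincipal[bob(user,)];
"""

# Matches one record written with the pattern-formatter configured above:
# %d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n, where the message starts with
# "[<outcome>]" followed by key=value; pairs.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<category>[^\]]+)\] \((?P<thread>[^)]+)\) "
    r"\[(?P<outcome>\w+)\](?P<fields>.*)$"
)
# Pulls the bare user name out of GenericPrincipal[name(roles)].
PRINCIPAL_RE = re.compile(r"GenericPrincipal\[([^(\]]+)")


def parse_audit_line(line):
    """Parse one audit.log line into a dict, or return None if the line is not
    an audit record (for example a stack-trace continuation line)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    event = m.groupdict()
    # Fields are written as key=value;key=value; -- split on ';' and split each
    # chunk on the first '=' only, so values that contain '=' survive intact.
    fields = {}
    for chunk in event.pop("fields").split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            fields[key.strip()] = value.strip()
    event["fields"] = fields
    pm = PRINCIPAL_RE.search(fields.get("principal", ""))
    event["user"] = pm.group(1) if pm else None
    return event


def parse_audit_log(text):
    """Parse every record in the given log text, skipping non-record lines."""
    return [e for e in (parse_audit_line(ln) for ln in text.splitlines()) if e]


def outcome_counts(events):
    """Count audit outcomes ([Success], [Failure], ...) across all events."""
    return Counter(e["outcome"] for e in events)


def threads_with_repeated_failures(events, threshold=3):
    """Return request threads with at least `threshold` [Failure] records.
    The record carries no client address, so the thread is the only
    per-connection handle available in this log format; a burst of failures
    on one thread is a crude but useful signal to alert on."""
    failures = Counter(e["thread"] for e in events if e["outcome"] == "Failure")
    return sorted(t for t, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("outcomes:", dict(outcome_counts(evs)))
    print("authenticated users:", [e["user"] for e in evs if e["outcome"] == "Success"])
    print("threads with repeated failures:", threads_with_repeated_failures(evs))
```

    Run the file directly to print the outcome counts and the flagged threads. LINE_RE is tied to the pattern-formatter string configured for the AUDIT handler above; if that pattern changes, the regex has to change with it. Grouping failures by request thread is a stand-in for a per-client view, since the audit record shown on the page carries no remote address; correlating the thread and timestamp with the web access log gives a more reliable key for alerting.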

    Note: You will need the following security domain added to standalone.xml:

                    <security-domain name="form-auth" cache-type="default">
                        <authentication>
                            <login-module code="UsersRoles" flag="required">
                                <module-option name="usersProperties" value="users.properties"/>
                                <module-option name="rolesProperties" value="roles.properties"/>
                            </login-module>
                        </authentication>
                    </security-domain>