1 Reply Latest reply on May 24, 2011 12:07 AM by justincranford

    How to replace LogAuditProvider

    justincranford

      How can I replace or override LogAuditProvider in JBoss? I want to store security audit records in a central database, not in log files spread out between different JBoss instances.


      How can I configure this in JBoss 6.0?


      I came across a JBoss 5 post by Anil saying it is possible to override LogAuditProvider, or use the DB appender in Log4j. I prefer the override approach, to avoid the unnecessary overhead of Log4j, and to have more control over the data (i.e. extract, transform, load, and filter).


      I tried to add <audit> to my login-config.xml but it is ignored. I was hoping Anil's PicketBox examples using conf/audit.conf in a stand-alone JUnit test would work the same way with JBoss' login-config.xml, but it does not work. Please help!


      *** The <audit> entry in my login-config.xml is ignored. Is there an alternative to turn on for WEB and EJB? ***


      <policy>
        <application-policy name="JustinCranfordSecurityDomain">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
              <module-option name="dsJndiName">java:/MsSqlDS</module-option>
              <module-option name="principalsQuery">SELECT password FROM actor WHERE name=?</module-option>
              <module-option name="rolesQuery">SELECT r.name,'Roles' FROM actor a,role r WHERE r.id=a.roleid AND a.name=?</module-option>
              <module-option name="hashAlgorithm">MD5</module-option>
              <module-option name="hashEncoding">base64</module-option>
              <module-option name="unauthenticatedIdentity">unauthenticated</module-option>
            </login-module>

            <login-module code="org.jboss.security.auth.spi.DatabaseCertLoginModule" flag="required">
              <module-option name="securityDomain">java:/jaas/JustinCranfordSecurityDomain</module-option>
              <module-option name="dsJndiName">java:/MsSqlDS</module-option>
              <module-option name="principalsQuery">SELECT password FROM actor WHERE dname=?</module-option>
              <module-option name="rolesQuery">SELECT r.name,'Roles' FROM actor a,role r WHERE r.id=a.roleid AND a.dname=?</module-option>
              <module-option name="hashAlgorithm">MD5</module-option>
              <module-option name="hashEncoding">base64</module-option>
              <module-option name="unauthenticatedIdentity">unauthenticated</module-option>
            </login-module>
            <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
            <audit>
              <provider-module code="com.mycom.security.MyAuditProvider"/>
            </audit>
          </authentication>
        </application-policy>
      </policy>

        • 1. Re: How to replace LogAuditProvider
          justincranford

          Problem solved. My <audit> XML block needs to be a sibling of <authorization>, not a child of it.


          I would take issue with the lack of error messages in the <application-policy> main parser and helper parsers. I had to dig through source code in ApplicationPolicyParser.java to figure out the solution. That was a lot of wasted time due to the lack of error messages.


          The problem I have is that all of the helper XML parsers called by ApplicationPolicyParser.route() silently fail and allow parsing to continue. In my case, AuthenticationConfigParser is called to parse my <authorization> block. It loops through the children of <authentication> looking for <login-module>, but when it hits an unknown entry like my <audit> it breaks out of the loop AND lets parsing continue.


          The fix for this is to improve error logging in ApplicationPolicyParser.java, and all of its helper XML parsers. Alternatively, throw an exception to stop parsing when an unknown XML node is encountered by any of the helper parsers. This will improve ease of development.
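A DB-backed provider that the <audit> block in the question could point at, added here as an example and not code from the thread or from PicketBox. It assumes PicketBox's org.jboss.security.audit.AuditProvider/AuditEvent API (audit(AuditEvent), getAuditLevel(), getContextMap(), getUnderlyingException()) and an invented security_audit table, and that the <audit> element sits directly under <application-policy> beside <authentication>, as the reply above describes.

```java
package com.mycom.security;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.Timestamp;
import java.util.Map;
import javax.naming.InitialContext;
import javax.sql.DataSource;
import org.jboss.security.audit.AuditEvent;
import org.jboss.security.audit.AuditProvider;

// DB-backed stand-in for LogAuditProvider: one row per audit event in a central table.
public class MyAuditProvider implements AuditProvider {
    // Same datasource the login modules use; the security_audit table is an assumption.
    private static final String DS_JNDI = "java:/MsSqlDS";
    private static final String INSERT_SQL =
        "INSERT INTO security_audit (event_time, audit_level, context, error) VALUES (?, ?, ?, ?)";

    public void audit(AuditEvent ae) {
        Connection c = null;
        PreparedStatement ps = null;
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DS_JNDI);
            c = ds.getConnection();
            ps = c.prepareStatement(INSERT_SQL);   // bound parameters, never string concatenation
            ps.setTimestamp(1, new Timestamp(System.currentTimeMillis()));
            ps.setString(2, ae.getAuditLevel());
            ps.setString(3, render(ae.getContextMap()));
            Throwable t = ae.getUnderlyingException();
            ps.setString(4, t == null ? null : t.toString());
            ps.executeUpdate();
        } catch (Exception e) {
            // An unavailable audit sink must not break logins; report it to the server log instead.
            System.err.println("MyAuditProvider: audit write failed: " + e);
        } finally {
            try { if (ps != null) ps.close(); } catch (Exception ignore) { }
            try { if (c != null) c.close(); } catch (Exception ignore) { }
        }
    }

    // Flattens the event's context map; values under credential-like keys are masked before storage.
    static String render(Map<String, Object> ctx) {
        if (ctx == null) return "";
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Object> e : ctx.entrySet()) {
            String k = e.getKey().toLowerCase();
            boolean secret = k.contains("password") || k.contains("credential");
            sb.append(e.getKey()).append('=').append(secret ? "***" : String.valueOf(e.getValue())).append(';');
        }
        return sb.toString();
    }
}
```

Because every JBoss instance writes to the same table, the records can be queried and alerted on centrally instead of being grepped out of per-server log files.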