Posted to commits@karaf.apache.org by jb...@apache.org on 2016/03/29 23:13:12 UTC
karaf git commit: KARAF-4414 - Add LogAuditLoginModule and disable
the FileAuditLoginModule by default
Repository: karaf
Updated Branches:
refs/heads/karaf-4.0.x 01bb45867 -> 27befd2fa
KARAF-4414 - Add LogAuditLoginModule and disable the FileAuditLoginModule by default
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/27befd2f
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/27befd2f
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/27befd2f
Branch: refs/heads/karaf-4.0.x
Commit: 27befd2fa58acd9519200fab5e15906acad22450
Parents: 01bb458
Author: Jean-Baptiste Onofré <jb...@apache.org>
Authored: Tue Mar 29 23:12:41 2016 +0200
Committer: Jean-Baptiste Onofré <jb...@apache.org>
Committed: Tue Mar 29 23:12:41 2016 +0200
----------------------------------------------------------------------
.../resources/etc/org.ops4j.pax.logging.cfg | 13 +++++
.../jaas/modules/audit/LogAuditLoginModule.java | 61 ++++++++++++++++++++
.../karaf/jaas/modules/impl/Activator.java | 5 +-
.../karaf/jaas/modules/impl/KarafRealm.java | 11 ++++
4 files changed, 89 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/27befd2f/assemblies/features/base/src/main/resources/resources/etc/org.ops4j.pax.logging.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/org.ops4j.pax.logging.cfg b/assemblies/features/base/src/main/resources/resources/etc/org.ops4j.pax.logging.cfg
index ca35d6d..ee4c969 100644
--- a/assemblies/features/base/src/main/resources/resources/etc/org.ops4j.pax.logging.cfg
+++ b/assemblies/features/base/src/main/resources/resources/etc/org.ops4j.pax.logging.cfg
@@ -21,6 +21,10 @@
log4j.rootLogger=INFO, out, osgi:*
log4j.throwableRenderer=org.apache.log4j.OsgiThrowableRenderer
+# Security audit logger
+log4j.logger.org.apache.karaf.jaas.modules.audit=INFO, audit
+log4j.additivity.org.apache.karaf.jaas.modules.audit=false
+
# CONSOLE appender not used by default
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
@@ -35,6 +39,15 @@ log4j.appender.out.append=true
log4j.appender.out.maxFileSize=1MB
log4j.appender.out.maxBackupIndex=10
+# Audit appender
+log4j.appender.audit=org.apache.log4j.RollingFileAppender
+log4j.appender.audit.layout=org.apache.log4j.PatternLayout
+log4j.appender.audit.layout.ConversionPattern=%d{ISO8601} | %-5.5p | %-16.16t | %-32.32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n
+log4j.appender.audit.file=${karaf.data}/security/audit.log
+log4j.appender.audit.append=true
+log4j.appender.audit.maxFileSize=1MB
+log4j.appender.audit.maxBackupIndex=10
+
# Sift appender
log4j.appender.sift=org.apache.log4j.sift.MDCSiftingAppender
log4j.appender.sift.key=bundle.name
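Review bot: The new `audit` appender's file `${karaf.data}/security/audit.log` is the same path Activator keeps as the default `audit.file.file` of FileAuditLoginModule (the `populate` line directly after the `audit.file.enabled` flip in that hunk), so an operator who re-enables the file module gets two writers with different line formats appending to one file. A comment on the file line, `# Same file as the default audit.file.file of FileAuditLoginModule; keep audit.file.enabled=false while this appender is in use`, or a distinct default path in Activator, would make that coupling visible. Also worth considering for an audit trail: with `maxFileSize=1MB` and `maxBackupIndex=10` the oldest records are silently discarded after roughly 11 MB, which may be shorter than the retention operators expect for security audit data; a date-based appender or a larger backup index is the usual choice, though the right value depends on the deployment.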
http://git-wip-us.apache.org/repos/asf/karaf/blob/27befd2f/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/audit/LogAuditLoginModule.java
----------------------------------------------------------------------
diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/audit/LogAuditLoginModule.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/audit/LogAuditLoginModule.java
new file mode 100644
index 0000000..f9e6915
--- /dev/null
+++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/audit/LogAuditLoginModule.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * under the License.
+ */
+package org.apache.karaf.jaas.modules.audit;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import java.util.Map;
+
+public class LogAuditLoginModule extends AbstractAuditLoginModule {
+
+ public static final String LOG_LEVEL_OPTION = "level";
+ public static final String LOG_LOGGER_OPTION = "logger";
+
+ private String level = "INFO";
+ private Logger logger;
+
+ public void initialize(Subject subject, CallbackHandler callbackHandler,
+ Map sharedState, Map options) {
+ super.initialize(subject, callbackHandler, sharedState, options);
+ level = (String) options.get(LOG_LEVEL_OPTION);
+ logger = LoggerFactory.getLogger((String) options.get(LOG_LOGGER_OPTION));
+ }
+
+ protected synchronized void audit(Action action, String username) {
+ String actionStr;
+ switch (action) {
+ case ATTEMPT: actionStr = "Authentication attempt"; break;
+ case SUCCESS: actionStr = "Authentication succeeded"; break;
+ case FAILURE: actionStr = "Authentication failed"; break;
+ case LOGOUT: actionStr = "Explicit logout"; break;
+ default: actionStr = action.toString(); break;
+ }
+ if (level.equalsIgnoreCase("debug")) {
+ logger.debug("{} - {}", actionStr, username);
+ } else if (level.equalsIgnoreCase("trace")) {
+ logger.trace("{} - {}", actionStr, username);
+ } else if (level.equalsIgnoreCase("warn")) {
+ logger.warn("{} - {}", actionStr, username);
+ } else if (level.equalsIgnoreCase("error")) {
+ logger.error("{} - {}", actionStr, username);
+ } else {
+ logger.info("{} - {}", actionStr, username);
+ }
+ }
+
+}
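Review bot: `level` and `logger` are assigned straight from `options.get(...)` in `initialize`, so the `"INFO"` field initializer is dead and a realm that omits the `level` option makes `audit` throw a NullPointerException at the first `level.equalsIgnoreCase` call; the logger lookup with a null name likely fails as well, depending on the SLF4J binding. Activator populates both keys in this commit, but the `logOptions` block in KarafRealm copies `properties.get(...)` through unguarded, so any realm built from a partial properties map would hit it. Falling back to the field default and to the module's own class name when an option is missing keeps the module usable, as below. Separately, `username` on ATTEMPT and FAILURE records is caller-supplied input written verbatim into the audit log; stripping CR/LF from it before logging prevents one login attempt from forging additional audit lines.
```java
public void initialize(Subject subject, CallbackHandler callbackHandler,
                       Map sharedState, Map options) {
    super.initialize(subject, callbackHandler, sharedState, options);
    // Keep the field default / the module's own name when an option is absent,
    // so a realm that does not set audit.log.* still audits instead of failing with an NPE.
    String configuredLevel = (String) options.get(LOG_LEVEL_OPTION);
    if (configuredLevel != null) {
        level = configuredLevel;
    }
    String loggerName = (String) options.get(LOG_LOGGER_OPTION);
    logger = LoggerFactory.getLogger(loggerName != null ? loggerName : getClass().getName());
}
// … unchanged: audit(Action, String) …
```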
http://git-wip-us.apache.org/repos/asf/karaf/blob/27befd2f/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/impl/Activator.java
----------------------------------------------------------------------
diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/impl/Activator.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/impl/Activator.java
index ae53396..8e37aea 100644
--- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/impl/Activator.java
+++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/impl/Activator.java
@@ -110,8 +110,11 @@ public class Activator extends BaseActivator implements ManagedService {
populate(config, ENCRYPTION_ALGORITHM, "MD5");
populate(config, ENCRYPTION_ENCODING, "hexadecimal");
populate(config, EVENTADMIN_ENABLED, "true");
- populate(config, "audit.file.enabled", "true");
+ populate(config, "audit.file.enabled", "false");
populate(config, "audit.file.file", System.getProperty("karaf.data") + "/security/audit.log");
+ populate(config, "audit.log.enabled", "true");
+ populate(config, "audit.log.logger", "org.apache.karaf.jaas.modules.audit.LogAuditLoginModule");
+ populate(config, "audit.log.level", "info");
populate(config, "audit.eventadmin.enabled", "true");
populate(config, "audit.eventadmin.topic", "org/apache/karaf/login");
config.put(BundleContext.class.getName(), bundleContext);
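Review bot: The default for `audit.log.logger` only reaches the audit appender because it sits under the `org.apache.karaf.jaas.modules.audit` category that org.ops4j.pax.logging.cfg routes to `audit` with additivity off; an operator who sets the logger to a name outside that prefix silently moves audit records into the main log via the root logger, and nothing here says so. A comment on the new line would record the coupling: `// must stay under org.apache.karaf.jaas.modules.audit, the category routed to the "audit" appender in org.ops4j.pax.logging.cfg`. The enclosing method starts and ends outside the hunk.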
http://git-wip-us.apache.org/repos/asf/karaf/blob/27befd2f/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/impl/KarafRealm.java
----------------------------------------------------------------------
diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/impl/KarafRealm.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/impl/KarafRealm.java
index 2ec6445..7998dc3 100644
--- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/impl/KarafRealm.java
+++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/impl/KarafRealm.java
@@ -22,6 +22,7 @@ import javax.security.auth.login.AppConfigurationEntry;
import org.apache.karaf.jaas.boot.ProxyLoginModule;
import org.apache.karaf.jaas.config.JaasRealm;
+import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
public class KarafRealm implements JaasRealm {
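Review bot: The added `import org.osgi.framework.Bundle;` is not referenced by any added line in this file (the later `logOptions` hunk reads the bundle id through `bundleContext.getBundle().getBundleId()` without naming the type), so unless pre-existing code outside the hunks uses it, it is an unused import that Checkstyle or the IDE will flag; drop it. The new `logOptions` block otherwise mirrors the `fileOptions` pattern, which keeps the three audit entries consistent.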
@@ -31,6 +32,7 @@ public class KarafRealm implements JaasRealm {
private static final String PROPERTIES_MODULE = "org.apache.karaf.jaas.modules.properties.PropertiesLoginModule";
private static final String PUBLIC_KEY_MODULE = "org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule";
private static final String FILE_AUDIT_MODULE = "org.apache.karaf.jaas.modules.audit.FileAuditLoginModule";
+ private static final String LOG_AUDIT_MODULE = "org.apache.karaf.jaas.modules.audit.LogAuditLoginModule";
private static final String EVENTADMIN_AUDIT_MODULE = "org.apache.karaf.jaas.modules.audit.EventAdminAuditLoginModule";
private static final String MODULE = "org.apache.karaf.jaas.module";
@@ -86,6 +88,14 @@ public class KarafRealm implements JaasRealm {
fileOptions.put("enabled", properties.get("audit.file.enabled"));
fileOptions.put("file", properties.get("audit.file.file"));
+ Map<String, Object> logOptions = new HashMap<>();
+ logOptions.put(BundleContext.class.getName(), bundleContext);
+ logOptions.put(ProxyLoginModule.PROPERTY_MODULE, LOG_AUDIT_MODULE);
+ logOptions.put(ProxyLoginModule.PROPERTY_BUNDLE, Long.toString(bundleContext.getBundle().getBundleId()));
+ logOptions.put("enabled", properties.get("audit.log.enabled"));
+ logOptions.put("logger", properties.get("audit.log.logger"));
+ logOptions.put("level", properties.get("audit.log.level"));
+
Map<String, Object> eventadminOptions = new HashMap<>();
eventadminOptions.putAll(properties);
eventadminOptions.put(BundleContext.class.getName(), bundleContext);
@@ -98,6 +108,7 @@ public class KarafRealm implements JaasRealm {
new AppConfigurationEntry(ProxyLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, propertiesOptions),
new AppConfigurationEntry(ProxyLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, publicKeyOptions),
new AppConfigurationEntry(ProxyLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, fileOptions),
+ new AppConfigurationEntry(ProxyLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, logOptions),
new AppConfigurationEntry(ProxyLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, eventadminOptions)
};
}