Posted to commits@knox.apache.org by su...@apache.org on 2015/04/27 16:38:26 UTC
knox git commit: KNOX-534 auditing shiro authentication exceptions
Repository: knox
Updated Branches:
refs/heads/master 734d425b7 -> cc37cf2fd
KNOX-534 auditing shiro authentication exceptions
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/cc37cf2f
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/cc37cf2f
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/cc37cf2f
Branch: refs/heads/master
Commit: cc37cf2fd73ac678373f535248901586fac03084
Parents: 734d425
Author: Sumit Gupta <su...@apache.org>
Authored: Mon Apr 27 10:37:46 2015 -0400
Committer: Sumit Gupta <su...@apache.org>
Committed: Mon Apr 27 10:37:46 2015 -0400
----------------------------------------------------------------------
.../gateway/shirorealm/KnoxLdapRealm.java | 26 ++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/cc37cf2f/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
index c797c06..3079416 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
@@ -40,6 +40,13 @@ import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import org.apache.hadoop.gateway.GatewayMessages;
+import org.apache.hadoop.gateway.audit.api.Action;
+import org.apache.hadoop.gateway.audit.api.ActionOutcome;
+import org.apache.hadoop.gateway.audit.api.AuditService;
+import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
+import org.apache.hadoop.gateway.audit.api.Auditor;
+import org.apache.hadoop.gateway.audit.api.ResourceType;
+import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
@@ -110,7 +117,11 @@ import org.apache.shiro.util.StringUtils;
public class KnoxLdapRealm extends JndiLdapRealm {
private static GatewayMessages LOG = MessagesFactory.get( GatewayMessages.class );
-
+ private static AuditService auditService = AuditServiceFactory.getAuditService();
+ private static Auditor auditor = auditService.getAuditor(
+ AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
+ AuditConstants.KNOX_COMPONENT_NAME );
+
private static final String MEMBER_SUBSTITUTION_TOKEN = "{0}";
private final static SearchControls SUBTREE_SCOPE = new SearchControls();
private final static SearchControls ONELEVEL_SCOPE = new SearchControls();
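Review bot: The new `auditService` and `auditor` fields are declared `private static` without `final`, so the auditor used on the authentication-failure path can be reassigned after class initialisation; `private static final AuditService auditService = ...` and `private static final Auditor auditor = ...` would match the constants declared just below. Both are built during static initialisation, so an exception from `AuditServiceFactory.getAuditService()` would presumably prevent `KnoxLdapRealm` from loading at all. A short comment stating that the audit service must be available before the realm class is first used would make that dependency explicit.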
@@ -157,7 +168,18 @@ public class KnoxLdapRealm extends JndiLdapRealm {
setCredentialsMatcher(credentialsMatcher);
}
- /**
+ @Override
+ //KNOX-534 overriding this method to be able to audit authentication exceptions
+ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws org.apache.shiro.authc.AuthenticationException {
+ try {
+ return super.doGetAuthenticationInfo(token);
+ } catch ( org.apache.shiro.authc.AuthenticationException e ) {
+ auditor.audit( Action.AUTHENTICATION , token.getPrincipal().toString(), ResourceType.PRINCIPAL, ActionOutcome.FAILURE, e.getMessage() );
+ throw e;
+ }
+ }
+
+ /**
* Get groups from LDAP.
*
* @param principals
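Review bot: `token.getPrincipal().toString()` in the new catch block throws a NullPointerException when the token carries no principal, and that exception then replaces the AuthenticationException being rethrown, so the failure is never audited and callers see a different exception type. `String.valueOf(token.getPrincipal())` keeps the audit call null-safe. The audited principal is client-supplied and still unauthenticated, and `e.getMessage()` comes from the LDAP layer; whether the audit layout neutralises line breaks in those fields is not visible in this hunk and is worth confirming. The `//KNOX-534` comment would also read better as Javadoc above `@Override` than between the annotation and the signature.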