Posted to commits@activemq.apache.org by "Hiram Chirino (JIRA)" <ji...@apache.org> on 2011/08/29 13:59:37 UTC
[jira] [Updated] (APLO-84) Log more information in case of authorization failures
[ https://issues.apache.org/jira/browse/APLO-84?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hiram Chirino updated APLO-84:
------------------------------
Component/s: apollo-stomp, apollo-broker
Fix Version/s: 1.0
Assignee: Hiram Chirino
Totally agree.
> Log more information in case of authorization failures
> ------------------------------------------------------
>
> Key: APLO-84
> URL: https://issues.apache.org/jira/browse/APLO-84
> Project: ActiveMQ Apollo
> Issue Type: Improvement
> Components: apollo-broker, apollo-stomp
> Reporter: Lionel Cons
> Assignee: Hiram Chirino
> Fix For: 1.0
>
>
> In case of a failed plain text connection, we get:
> 2011-08-29 09:21:26,936 connected: local:/192.168.183.22:6123, remote:/192.168.208.50:44390
> 2011-08-29 09:21:26,947 STOMP connection '/192.168.208.50:44390' error: Connect not authorized. Username=monitor
> 2011-08-29 09:21:26,951 disconnected: local:/192.168.183.22:6123, remote:/192.168.208.50:44390
> But in case of a failed X.509 connection, we only get:
> 2011-08-29 09:21:42,961 connected: local:/192.168.183.22:6133, remote:/192.168.208.50:33530
> 2011-08-29 09:21:43,009 STOMP connection '/192.168.208.50:33530' error: Connect not authorized.
> 2011-08-29 09:21:43,011 disconnected: local:/192.168.183.22:6133, remote:/192.168.208.50:33530
> Would it be possible to also log the DN that failed to authenticate?
> More generally, in case of authorization failure, we get minimal
> information:
> 2011-08-29 09:36:42,061 connected: local:/192.168.183.22:6133, remote:/192.168.208.50:49343
> 2011-08-29 09:36:42,214 STOMP connection '/192.168.208.50:49343' error: Not authorized to receive from the destination.
> 2011-08-29 09:36:42,217 disconnected: local:/192.168.183.22:6133, remote:/192.168.208.50:49343
> Would it be possible to log more and include the identity (ideally, a
> list of pairs of principal kind + value) and the destination (probably
> as a pair of kind + name)?
> This extra information would greatly help creating and testing authorization rules as per APLO-56...
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
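
Added example (not part of the original message and not Apollo code): Python log triage that joins each "not authorized" error to its connection and lists the failures that carry no identity, which is the gap the issue describes. The sample lines are copied from the issue; the regular expressions assume exactly that line layout, and the function names are hypothetical.

```python
import re

# Sample lines copied from the issue description (6123 plain text, 6133 X.509).
SAMPLE_LOG = """\
2011-08-29 09:21:26,936 connected: local:/192.168.183.22:6123, remote:/192.168.208.50:44390
2011-08-29 09:21:26,947 STOMP connection '/192.168.208.50:44390' error: Connect not authorized. Username=monitor
2011-08-29 09:21:26,951 disconnected: local:/192.168.183.22:6123, remote:/192.168.208.50:44390
2011-08-29 09:21:42,961 connected: local:/192.168.183.22:6133, remote:/192.168.208.50:33530
2011-08-29 09:21:43,009 STOMP connection '/192.168.208.50:33530' error: Connect not authorized.
2011-08-29 09:21:43,011 disconnected: local:/192.168.183.22:6133, remote:/192.168.208.50:33530
2011-08-29 09:36:42,061 connected: local:/192.168.183.22:6133, remote:/192.168.208.50:49343
2011-08-29 09:36:42,214 STOMP connection '/192.168.208.50:49343' error: Not authorized to receive from the destination.
2011-08-29 09:36:42,217 disconnected: local:/192.168.183.22:6133, remote:/192.168.208.50:49343
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
CONNECTED = re.compile(TS + r" connected: local:/(?P<local>\S+), remote:(?P<remote>\S+)$")
ERROR = re.compile(TS + r" STOMP connection '(?P<remote>[^']+)' error: (?P<msg>.*)$")
DISCONNECTED = re.compile(TS + r" disconnected: local:/\S+, remote:(?P<remote>\S+)$")
USERNAME = re.compile(r"\s*Username=(?P<user>\S+)\s*$")

def auth_failures(log_text):
    """Return one record per 'not authorized' error, joined to its connection."""
    listeners = {}  # remote endpoint -> local listener of the currently open connection
    failures = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := CONNECTED.match(line):
            listeners[m["remote"]] = m["local"]
        elif m := DISCONNECTED.match(line):
            listeners.pop(m["remote"], None)  # ephemeral ports are reused later
        elif (m := ERROR.match(line)) and "not authorized" in m["msg"].lower():
            user = USERNAME.search(m["msg"])
            failures.append({
                "time": m["ts"],
                "remote": m["remote"],
                "listener": listeners.get(m["remote"]),  # tells which listener was hit
                "reason": USERNAME.sub("", m["msg"]),
                "identity": user["user"] if user else None,
            })
    return failures

def unattributed(failures):
    """Failures the log cannot tie to any identity."""
    return [f for f in failures if f["identity"] is None]

if __name__ == "__main__":
    for failure in unattributed(auth_failures(SAMPLE_LOG)):
        print(failure)
```

On the issue's samples, only the plain text failure can be attributed to a user; both failures on the 6133 listener come back with no identity.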