Added origin audit logging.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 25 Aug 2003 20:29:50 +0000 (20:29 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 25 Aug 2003 20:29:50 +0000 (20:29 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@744 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/aa/AAServlet.java
src/edu/internet2/middleware/shibboleth/common/AuditLevel.java [new file with mode: 0644]
src/edu/internet2/middleware/shibboleth/hs/HandleServlet.java

index f5c60ec..cf4b0e8 100755 (executable)
@@ -81,6 +81,7 @@ import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
 import edu.internet2.middleware.shibboleth.aa.arp.ArpException;
 import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver;
 import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolverException;
+import edu.internet2.middleware.shibboleth.common.AuditLevel;
 import edu.internet2.middleware.shibboleth.common.AuthNPrincipal;
 import edu.internet2.middleware.shibboleth.common.ShibResource;
 import edu.internet2.middleware.shibboleth.hs.HandleRepository;
@@ -219,8 +220,7 @@ public class AAServlet extends HttpServlet {
                return properties;
        }
 
-       public void doPost(HttpServletRequest req, HttpServletResponse resp)
-               throws ServletException, IOException {
+       public void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
 
                MDC.put("serviceId", "[AA] " + new SAMLIdentifier().toString());
                MDC.put("remoteAddr", req.getRemoteAddr());
@@ -231,8 +231,7 @@ public class AAServlet extends HttpServlet {
                try {
                        saml =
                                new AASaml(
-                                       configuration.getProperty(
-                                               "edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName"),
+                                       configuration.getProperty("edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName"),
                                        configuration.getProperty("edu.internet2.middleware.shibboleth.audiences").replaceAll(
                                                "\\s",
                                                "").split(
@@ -245,7 +244,7 @@ public class AAServlet extends HttpServlet {
                                // for testing
                                principal = new AuthNPrincipal("test-handle");
                        } else {
-                               principal = handleRepository.getPrincipal(saml.getHandle(),saml.getFormat());
+                               principal = handleRepository.getPrincipal(saml.getHandle(), saml.getFormat());
                        }
 
                        URL resource = null;
@@ -296,6 +295,31 @@ public class AAServlet extends HttpServlet {
                        saml.respond(resp, attrs, null);
                        log.info("Successfully responded about " + principal.getName());
 
+                       if (attrs.size() == 0) {
+                               log.log(
+                                       AuditLevel.AUDIT,
+                                       "Attribute assertion issued to SHAR ("
+                                               + saml.getShar()
+                                               + ") on behalf of principal ("
+                                               + principal.getName()
+                                               + "). No attributes released.");
+                       } else {
+                               Iterator iterator = attrs.iterator();
+                               StringBuffer attributeList = new StringBuffer();
+                               while (iterator.hasNext()) {
+                                       attributeList.append(((SAMLAttribute) iterator.next()).getName());
+                               }
+                               log.log(
+                                       AuditLevel.AUDIT,
+                                       "Attribute assertion issued to SHAR ("
+                                               + saml.getShar()
+                                               + ") on behalf of principal ("
+                                               + principal.getName()
+                                               + "). Attributes released: ("
+                                               + attributeList
+                                               + ").");
+                       }
+
                } catch (InvalidHandleException e) {
                        log.info("Could not associate the Attribute Query Handle with a principal: " + e);
                        try {
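Review bot: The while loop that builds `attributeList` appends each attribute name with no separator, so the audit line cannot be split back into individual attributes (`mailcn` could be `mail` plus `cn` or a single attribute); add a delimiter before every name after the first, e.g. `if (attributeList.length() > 0) { attributeList.append(", "); }` immediately before the `append` call. The same record interpolates `saml.getShar()` and `principal.getName()` verbatim; if the SHAR name is taken from the incoming request, which this hunk does not show, control characters in it would let a caller break or forge audit lines, so normalizing it (or stating in a comment that the audit appender layout escapes newlines) keeps the audit trail trustworthy. The enclosing method, presumably the doPost shown in an earlier hunk, starts before this hunk and its try block continues after it.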
@@ -332,13 +356,9 @@ public class AAServlet extends HttpServlet {
                                if (configuration
                                        .getProperty("edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors", "false")
                                        .equals("true")) {
-                                       saml.fail(
-                                               resp,
-                                               new SAMLException(SAMLException.RESPONDER, "General error processing request.", e));
+                                       saml.fail(resp, new SAMLException(SAMLException.RESPONDER, "General error processing request.", e));
                                } else {
-                                       saml.fail(
-                                               resp,
-                                               new SAMLException(SAMLException.RESPONDER, "General error processing request."));
+                                       saml.fail(resp, new SAMLException(SAMLException.RESPONDER, "General error processing request."));
                                }
                                return;
                        } catch (Exception ee) {
diff --git a/src/edu/internet2/middleware/shibboleth/common/AuditLevel.java b/src/edu/internet2/middleware/shibboleth/common/AuditLevel.java
new file mode 100644 (file)
index 0000000..59b4d78
--- /dev/null
@@ -0,0 +1,103 @@
+/* 
+ * The Shibboleth License, Version 1. 
+ * Copyright (c) 2002 
+ * University Corporation for Advanced Internet Development, Inc. 
+ * All rights reserved
+ * 
+ * 
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice, this 
+ * list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice, 
+ * this list of conditions and the following disclaimer in the documentation 
+ * and/or other materials provided with the distribution, if any, must include 
+ * the following acknowledgment: "This product includes software developed by 
+ * the University Corporation for Advanced Internet Development 
+ * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement 
+ * may appear in the software itself, if and wherever such third-party 
+ * acknowledgments normally appear.
+ * 
+ * Neither the name of Shibboleth nor the names of its contributors, nor 
+ * Internet2, nor the University Corporation for Advanced Internet Development, 
+ * Inc., nor UCAID may be used to endorse or promote products derived from this 
+ * software without specific prior written permission. For written permission, 
+ * please contact shibboleth@shibboleth.org
+ * 
+ * Products derived from this software may not be called Shibboleth, Internet2, 
+ * UCAID, or the University Corporation for Advanced Internet Development, nor 
+ * may Shibboleth appear in their name, without prior written permission of the 
+ * University Corporation for Advanced Internet Development.
+ * 
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
+ * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 
+ * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK 
+ * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. 
+ * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY 
+ * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, 
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package edu.internet2.middleware.shibboleth.common;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Priority;
+
+/**
+ * Custom Log4J <code>Level</code> implementation for creating Shibboleth
+ * Audit logs.
+ * 
+ * @author Walter Hoehn
+ *
+ */
+public class AuditLevel extends Level {
+
+       final static int AUDIT_INT = OFF_INT;
+       //TODO find out what syslog level should be used
+       final static public Level AUDIT = new AuditLevel(AUDIT_INT, "AUDIT", 0);
+
+       protected AuditLevel(int level, String levelStr, int syslogEquivalent) {
+               super(level, levelStr, syslogEquivalent);
+       }
+
+       //Effectively pulls this Level out of the hierarchy
+       public boolean isGreaterOrEqual(Priority r) {
+               if (r instanceof AuditLevel) {
+                       return true;
+               }
+               return false;
+       }
+
+       public static Level toLevel(int val, Level defaultLevel) {
+
+               if (val == AUDIT_INT) {
+                       return AUDIT;
+               }
+               return Level.toLevel(val, defaultLevel);
+       }
+
+       public static Level toLevel(String sArg, Level defaultLevel) {
+
+               if (sArg.equalsIgnoreCase("AUDIT")) {
+                       return AUDIT;
+               }
+               return Level.toLevel(sArg, defaultLevel);
+       }
+
+       /**
+          @deprecated This method will be removed with no replacement.
+       */
+       public static Priority[] getAllPossiblePriorities() {
+               return new Priority[] { Priority.FATAL, Priority.ERROR, Level.WARN, Priority.INFO, Priority.DEBUG, AUDIT };
+       }
+
+}
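Review bot: `AUDIT_INT` is defined as `OFF_INT`, so the new `toLevel(int, Level)` returns AUDIT for the integer value of `Level.OFF` (the `val == AUDIT_INT` branch runs before it delegates to `Level.toLevel`), and if I recall log4j 1.2's `Priority.equals` correctly it compares that same integer, making `AUDIT.equals(Level.OFF)` true as well; giving AUDIT its own value between `FATAL_INT` and `OFF_INT`, e.g. `final static int AUDIT_INT = OFF_INT - 1;`, removes the collision while leaving the overridden `isGreaterOrEqual` behaviour for the standard levels unchanged. `toLevel(String, Level)` dereferences `sArg` before the null-tolerant `Level.toLevel` sees it, so a missing configuration value now throws NullPointerException instead of yielding the default; use `if (sArg != null && sArg.equalsIgnoreCase("AUDIT"))`. Because `isGreaterOrEqual` accepts only `AuditLevel` instances, audit records are emitted only where the effective logger level or appender threshold is AUDIT itself and are silently dropped everywhere else, which deserves a Javadoc sentence on the class such as `Audit events are not ordered against DEBUG..FATAL; a logger or appender must be set to AUDIT to receive them.`. The `syslogEquivalent` of 0 corresponds to syslog's most severe priority, so the TODO on that line is worth resolving before a SyslogAppender is attached to this level.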
index 0950c39..cffa827 100644 (file)
@@ -83,6 +83,7 @@ import org.opensaml.SAMLException;
 import org.opensaml.SAMLResponse;
 
 import sun.misc.BASE64Decoder;
+import edu.internet2.middleware.shibboleth.common.AuditLevel;
 import edu.internet2.middleware.shibboleth.common.AuthNPrincipal;
 import edu.internet2.middleware.shibboleth.common.ShibPOSTProfile;
 import edu.internet2.middleware.shibboleth.common.ShibPOSTProfileFactory;
@@ -300,18 +301,30 @@ public class HandleServlet extends HttpServlet {
                        String header = configuration.getProperty("edu.internet2.middleware.shibboleth.hs.HandleServlet.username");
                        String username = header.equalsIgnoreCase("REMOTE_USER") ? req.getRemoteUser() : req.getHeader(header);
 
-            StringBuffer format = new StringBuffer();
+                       StringBuffer format = new StringBuffer();
                        String handle = handleRepository.getHandle(new AuthNPrincipal(username), format);
                        log.info("Issued Handle (" + handle + ") to (" + username + ")");
 
                        byte[] buf =
                                generateAssertion(
                                        handle,
-                    format.toString(),
+                                       format.toString(),
                                        req.getParameter("shire"),
                                        req.getRemoteAddr(),
                                        configuration.getProperty("edu.internet2.middleware.shibboleth.hs.HandleServlet.authMethod"));
 
+                       log.log(
+                               AuditLevel.AUDIT,
+                               "Authentication assertion issued to SHIRE ("
+                                       + req.getParameter("shire")
+                                       + ") on behalf of principal ("
+                                       + username
+                                       + ") for resource ("
+                                       + req.getParameter("target")
+                                       + "). Attribue Query Handle: ("
+                                       + handle
+                                       + ").");
+
                        createForm(req, res, buf);
 
                } catch (HandleRepositoryException ex) {
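Review bot: The audit message misspells the handle name (`"). Attribue Query Handle: ("` should be `"). Attribute Query Handle: ("`), which matters more than a typo usually does because audit lines are typically grepped and parsed by fixed strings. The record also embeds `req.getParameter("shire")` and `req.getParameter("target")` verbatim; both are caller-supplied, so control characters in them can break a line or forge an extra audit entry. Stripping or escaping CR/LF from those two values before logging, or noting in a comment that the audit appender layout must escape them, keeps the trail trustworthy. `username` is read from `req.getRemoteUser()` or a configured request header, so the same caveat applies to it on the header path. The enclosing method starts before this hunk and its try block continues after it.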