<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Audit Logging Design Notes
</h3>
<span style="margin-bottom: 10px;">
modified by <a href="https://community.jboss.org/people/kabirkhan">Kabir Khan</a> in <i>JBoss AS 7 Development</i> - <a href="https://community.jboss.org/docs/DOC-18812">View the full document</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>Design notes for work on <span style="color: #333333;"><a class="jive-link-external-small" href="https://issues.jboss.org/browse/WFLY-456">https://issues.jboss.org/browse/WFLY-456</a></span> (formerly <a class="jive-link-external-small" href="https://issues.jboss.org/browse/AS7-444">https://issues.jboss.org/browse/AS7-444</a>).</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>My current development topic branch for this is <a class="jive-link-external-small" href="https://github.com/kabir/wildfly/tree/WFLY-456-audit-log">https://github.com/kabir/wildfly/tree/WFLY-456-audit-log</a> (More current than <a class="jive-link-external-small" href="https://github.com/bstansberry/jboss-as/tree/AS7-444">https://github.com/bstansberry/jboss-as/tree/AS7-444</a>, note that these are personal branches; I make no guarantees not to change its commit history.)  This branch is based on work previously done by John Bailey.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Design notes:</p><p>1) Processing location in OperationContext</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>a) when done</p><p>b) when decision to not proceed is made in OperationContext</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>2) Log record format:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>a) date</p><p>b) read-only?</p><p>c) boot?</p><p>d) (if boot) version (as string???)</p><p>e) rollback?</p><p>f) userid (TODO get this somehow)</p><p>g) uuid (for domain ops only, to track across processes)</p><p>h) isServer?</p><p>i) primary (domain or server) model hash</p><p>j) if (!isServer) secondary (host) model hash</p><p>k) overall hash</p><p>l) num operations</p><p>m) operations (one at a time)</p><p>n) length of a->j (scan from end to last boot during validation; alternative is to write the length first and scan from beginning to last boot)</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>3) Index record format:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>a) overall hash</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>4) Mgmt operations</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>a) truncate (back to last boot)</p><p> i) don't discard previous; just write under a different file name</p><p>b) read log (params -- from (default 0); batch-size (default 20; -1 means all))</p><p>c) validate log</p><p>d) config changes</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>5) Validation:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>a) compare persisted model hash to current model</p><p>b) scan back through log to last config-file-modified boot or version-change boot. We stop at version-change boot to avoid spurious validation problems resulting from changes in model construction across versions </p><p>c) recreate by re-running ops</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>-- validation problems</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>a) need to verify model hash at each stage -- special controller that ignores all runtime ops</p><p>  i) problem -- how to recreate domain ops involving remote slaves that don't exist?</p><p>  ii) problem -- ops with attachments -- attachments won't exist</p><p>  iii) this "special controller" could end up duplicating a lot of logic just for validation</p><p>b) reads and runtime ops cannot be verified against model; it can only be confirmed that their hash is consistent with subsequent hashes in the log. Tamper resistant as modification would require modifying all subsequent log entries, but not tamper proof as this could be done.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>6) Domain mode</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>a) tracking requests from master to slaves</p><p>apply a uuid to requests</p><p>-- as a header</p><p>include uuid in log record</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>b) detecting host.xml config changes at boot</p><p>problem -- can't detect host.xml config changes at boot, as model changes may be due to domain.xml stuff coming from the master</p><p>so, independent domain and host logging</p><p>but, what about non-model affecting ops? log twice?</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>c) domain logging on slaves? only if --backup-dc is set? -- no simpler to just log</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>d) remote-slave-only logging on master?</p><p>yes, to maintain a complete record of what was done</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>7) Non-model-affecting ops</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>a) re-calculating the model hash for all such ops is too expensive</p><p>b) store the hash(es) in the ModelController along with the model</p><p>c) provide the hash along with the model to OperationContext</p><p>d) when model is updated recalc hashes</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>8) Config</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>a) <audit-log> element</p><p>b) part of <management> section</p><p>c) resource is /core-service=audit-log</p><p>d) attributes</p><p> i) path (NO -- we need to know the location when first logging, before we have processed ops to set it)</p><p> ii) relative-to (NO -- we need to know the location when first logging, before we have processed ops to set it)</p><p> iii) log-read-only?</p><p> iv) daily-rolling??? (hassle; tempting to defer to later release but it's probably necessary immediately)</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>9) Other issues</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>a) disable logging overhead for dev scenarios</p><p>  i) to disable it during initial boot (until whatever config element that turns it on/off is read) -- maintain log data in memory and only write on last boot op</p><p>b) parallel boot handlers should not log</p><p>c) fluctuating model hashes</p><p>  i) if op took the controller lock, that lock ensures proper ordering of model hashes</p><p>  ii) if op does not take controller lock (reads) earlier model hashes can intermix with later -- validation needs to account for this</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><strong>Suggested configuration</strong></p><p>Only relevant elements to audit logging have been included in the following examples.</p><p><strong><em>jboss-as-config (i.e. standlone.xml and host.xml)</em><br/></strong></p><p>This defines a set of audit-log-appenders which are referenced by the audit-log element. </p><p>Currently encryption/tamper detection is not a requirement so all logs are done in clear text. If encryption/tamper detection later becomes a requirement this could be added by for example an audit-log-formatters section which configures whatever we would like to use for encryption/tamper detection and the file-audit-log-appender and syslog-audit-log-appender could individually be made to reference an audit-log-formatter.</p><pre class="jive-pre"><code class="jive-code jive-xml">    <span class="jive-xml-tag"><xs:complexType name="domain-managementType"></span>
        <span class="jive-xml-tag"><xs:annotation></span>
            <span class="jive-xml-tag"><xs:documentation></span>
                Domain-wide default configuration settings for the management of standalone servers and a Host Controller.
            <span class="jive-xml-tag"></xs:documentation></span>
        <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"><xs:sequence></span>
            <span class="jive-xml-tag"><xs:element name="security-realms" minOccurs="0"></span>
                <span class="jive-xml-tag"><xs:complexType></span>
                    <span class="jive-xml-tag"><xs:sequence></span>
                        <span class="jive-xml-tag"><xs:element name="security-realm" type="security-realmType" minOccurs="1"
                                    maxOccurs="unbounded"/></span>
                    <span class="jive-xml-tag"></xs:sequence></span>
                <span class="jive-xml-tag"></xs:complexType></span>
            <span class="jive-xml-tag"></xs:element></span>
            <span class="jive-xml-tag"><xs:element name="outbound-connections" minOccurs="0"></span>
                <span class="jive-xml-tag"><xs:complexType></span>
                    <span class="jive-xml-tag"><xs:sequence></span>
                      <span class="jive-xml-tag"><xs:element name="ldap" type="ldapType" minOccurs="1" /></span> <span class="jive-xml-comment"><!-- TODO minOccurs only while ldap is only supported connection. -->
                    <span class="jive-xml-tag"></xs:sequence></span>
                <span class="jive-xml-tag"></xs:complexType></span>
            <span class="jive-xml-tag"></xs:element></span>
            <span class="jive-xml-tag"><xs:sequence minOccurs="0"></span>
               <span class="jive-xml-tag"><xs:element name="audit-log-appenders" type="audit-log-appendersType"/></span>
               <span class="jive-xml-tag"><xs:element name="audit-log" type="audit-logType"/></span>
            <span class="jive-xml-tag"></xs:sequence></span>
        <span class="jive-xml-tag"></xs:sequence></span>
    <span class="jive-xml-tag"></xs:complexType></span>
    <span class="jive-xml-tag"><xs:complexType name="audit-log-appendersType"></span>
        <span class="jive-xml-tag"><xs:annotation></span>
            <span class="jive-xml-tag"><xs:documentation></span>
                Declaration of management operation audit logging appenders.
            <span class="jive-xml-tag"></xs:documentation></span>
        <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"><xs:choice minOccurs="1" maxOccurs="unbounded"></span>
            <span class="jive-xml-tag"><xs:element name="file-appender" type="file-audit-log-appenderType"/></span>
            <span class="jive-xml-tag"><xs:element name="syslog-appender" type="syslog-audit-log-appenderType"/></span>
        <span class="jive-xml-tag"></xs:choice></span>
    <span class="jive-xml-tag"></xs:complexType></span>
    <span class="jive-xml-tag"><xs:complexType name="file-audit-log-appenderType"></span>
         <span class="jive-xml-tag"><xs:annotation></span>
            <span class="jive-xml-tag"><xs:documentation></span>
               Configuration of a simple file appender for the audit log. This writes to a local file without any encryption or tamper detection applied to the file.
            <span class="jive-xml-tag"></xs:documentation></span>
         <span class="jive-xml-tag"></xs:annotation></span>
         <span class="jive-xml-tag"><xs:attribute name="name" type="xs:string" use="required"></span>
            <span class="jive-xml-tag"><xs:annotation></span>
                <span class="jive-xml-tag"><xs:documentation></span>
                    The name of the appender
                <span class="jive-xml-tag"></xs:documentation></span>
            <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"></xs:attribute></span>
         <span class="jive-xml-tag"><xs:attribute name="path" type="xs:string" use="required"></span>
            <span class="jive-xml-tag"><xs:annotation></span>
                <span class="jive-xml-tag"><xs:documentation></span>
                    The path of the audit log.
                <span class="jive-xml-tag"></xs:documentation></span>
            <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"></xs:attribute></span>
        <span class="jive-xml-tag"><xs:attribute name="relative-to" use="optional" type="xs:string"></span>
            <span class="jive-xml-tag"><xs:annotation></span>
                <span class="jive-xml-tag"><xs:documentation></span>
                    The name of another previously named path, or of one of the
                    standard paths provided by the system. If 'relative-to' is
                    provided, the value of the 'path' attribute is treated as
                    relative to the path specified by this attribute.
                <span class="jive-xml-tag"></xs:documentation></span>
            <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"></xs:attribute></span>
    <span class="jive-xml-tag"></xs:complexType></span>
    <span class="jive-xml-tag"><xs:complexType name="syslog-audit-log-appenderType"></span>
         <span class="jive-xml-tag"><xs:annotation></span>
            <span class="jive-xml-tag"><xs:documentation></span>
               Configuration of a syslog file appender for the audit log. This writes to a local file without any encryption or tamper detection applied to the file.
            <span class="jive-xml-tag"></xs:documentation></span>
         <span class="jive-xml-tag"></xs:annotation></span>
         <span class="jive-xml-tag"><xs:sequence></span>
                   <span class="jive-xml-tag"><xs:attribute name="name" type="xs:string" use="required"></span>
                      <span class="jive-xml-tag"><xs:annotation></span>
                          <span class="jive-xml-tag"><xs:documentation></span>
                              The name of the appender
                          <span class="jive-xml-tag"></xs:documentation></span>
                      <span class="jive-xml-tag"></xs:annotation></span>
                    <span class="jive-xml-tag"></xs:attribute></span>
            <span class="jive-xml-tag"><xs:element name="truststore" type="keyStoreType" minOccurs="0"></span>
                <span class="jive-xml-tag"><xs:annotation></span>
                    <span class="jive-xml-tag"><xs:documentation></span>
                        TODO - can we define more than one truststore in java? The normal way seems to be to set -Djavax.net.ssl.trustStore, and there is
                        already one in authenticationType. It looks like there might be a way, although we would need to extend syslog4j to be able to use SSLContext.
                        Configuration of a keystore to use to create a trust manager to verify clients.
                    <span class="jive-xml-tag"></xs:documentation></span>
                <span class="jive-xml-tag"></xs:annotation></span>
            <span class="jive-xml-tag"></xs:element></span>
            <span class="jive-xml-tag"><xs:element name="client-certificate-authentication" type="keyStoreType" minOccurs="0"></span>
                <span class="jive-xml-tag"><xs:annotation></span>
                    <span class="jive-xml-tag"><xs:documentation></span>
                        TODO - Look into if it is possible to extend syslog4j to use SSLContext. 
                        Configuration of a keystore containing a client certificate and private key, e.g. in PKCS12 format.
                    <span class="jive-xml-tag"></xs:documentation></span>
                <span class="jive-xml-tag"></xs:annotation></span>
            <span class="jive-xml-tag"></xs:element></span>
            <!-- TODO other configuration, such as retries etc. --></span>
         <span class="jive-xml-tag"></xs:sequence></span>
         <span class="jive-xml-tag"><xs:attribute name="protocol" use="required"></span>
            <span class="jive-xml-tag"><xs:simpleType></span>
               <span class="jive-xml-tag"><xs:restriction base="xs:string"></span>
                  <span class="jive-xml-tag"><xs:enumeration value="udp"/></span>
                  <span class="jive-xml-tag"><xs:enumeration value="tcp"/></span>
                  <span class="jive-xml-tag"><xs:enumeration value="tls"/></span>
               <span class="jive-xml-tag"></xs:restriction></span>
            <span class="jive-xml-tag"></xs:simpleType></span>
         <span class="jive-xml-tag"></xs:attribute></span>
         <span class="jive-xml-tag"><xs:attribute name="host" default="localhost"/></span>
         <span class="jive-xml-tag"><xs:attribute name="port" default="514"/></span>
    <span class="jive-xml-tag"></xs:complexType></span>
    <span class="jive-xml-tag"><xs:complexType name="audit-logType"></span>
        <span class="jive-xml-tag"><xs:annotation></span>
            <span class="jive-xml-tag"><xs:documentation></span>
                Declaration of management operation audit logging configuration coming from the model controller core.
            <span class="jive-xml-tag"></xs:documentation></span>
        <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"><xs:choice minOccurs="0" maxOccurs="unbounded"></span>
            <span class="jive-xml-tag"><xs:element name="appenders" type="audit-log-appenders-refType" minOccurs="0"/></span>
        <span class="jive-xml-tag"></xs:choice></span>
        <span class="jive-xml-tag"><xs:attribute name="log-read-only" type="xs:boolean" default="false"></span>
            <span class="jive-xml-tag"><xs:annotation></span>
                <span class="jive-xml-tag"><xs:documentation></span>
                    Whether operations that do not modify the configuration or any runtime services should be logged.
                <span class="jive-xml-tag"></xs:documentation></span>
            <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"></xs:attribute></span>
        <span class="jive-xml-tag"><xs:attribute name="enabled" type="xs:boolean" default="true"></span>
            <span class="jive-xml-tag"><xs:annotation></span>
                <span class="jive-xml-tag"><xs:documentation></span>
                    Whether audit logging is enabled.
                <span class="jive-xml-tag"></xs:documentation></span>
            <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"></xs:attribute></span>
    <span class="jive-xml-tag"></xs:complexType></span>
    <span class="jive-xml-tag"><xs:complexType name="audit-log-appenders-refType"></span>
        <span class="jive-xml-tag"><xs:annotation></span>
          <span class="jive-xml-tag"><xs:documentation></span>
             References to audit-log-appenders defined in the audit-log-appenders section
          <span class="jive-xml-tag"></xs:documentation></span>
        <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"><xs:choice minOccurs="1"></span>
            <span class="jive-xml-tag"><xs:element name="appender" type="audit-log-appender-refType" minOccurs="0"/></span>
        <span class="jive-xml-tag"></xs:choice></span>
    <span class="jive-xml-tag"></xs:complexType></span>
    <span class="jive-xml-tag"><xs:complexType name="audit-log-appender-refType"></span>
                <span class="jive-xml-tag"><xs:annotation></span>
                  <span class="jive-xml-tag"><xs:documentation></span>
                     A reference to an audit-log-appender defined in the audit-log-appenders section
                  <span class="jive-xml-tag"></xs:documentation></span>
                <span class="jive-xml-tag"></xs:annotation></span>
                <span class="jive-xml-tag"><xs:attribute name="appender" type="xs:string" use="required"/></span>
    <span class="jive-xml-tag"></xs:complexType></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><em><strong>jboss-as-jmx (jmx subsystem)</strong></em></p><p>References the appenders set up in the audit-log-appenders section. This allows for both shared and separate audit logs for core management operations and jmx operations. </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-xml">    <span class="jive-xml-tag"><xs:complexType name="subsystem"></span>
      <span class="jive-xml-tag"><xs:sequence></span>
         <span class="jive-xml-tag"><xs:element name="expose-resolved-model" type="resolvedModelType" minOccurs="0" maxOccurs="1"/></span>
         <span class="jive-xml-tag"><xs:element name="expose-expression-model" type="expressionModelType" minOccurs="0" maxOccurs="1"/></span>
         <span class="jive-xml-tag"><xs:element name="remoting-connector" type="remotingConnectorRefType" minOccurs="0"/></span>
         <span class="jive-xml-tag"><xs:element name="audit-log" type="audit-logType" minOccurs="0"/></span>
      <span class="jive-xml-tag"></xs:sequence></span>
    <span class="jive-xml-tag"></xs:complexType></span>
   
    <span class="jive-xml-tag"><xs:complexType name="audit-logType"></span>
        <span class="jive-xml-tag"><xs:annotation></span>
            <span class="jive-xml-tag"><xs:documentation></span>
                Declaration of management operation audit logging configuration.
            <span class="jive-xml-tag"></xs:documentation></span>
        <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-comment"><!--
         Don't allow separate appenders for jmx for now
        <span class="jive-xml-tag"><xs:choice minOccurs="0" maxOccurs="unbounded"></span>
            <span class="jive-xml-tag"><xs:element name="appenders" type="audit-log-appenders-refType" minOccurs="0"/></span>
        <span class="jive-xml-tag"></xs:choice></span>
         -->
        <span class="jive-xml-tag"><xs:attribute name="log-read-only" type="xs:boolean" default="false"></span>
            <span class="jive-xml-tag"><xs:annotation></span>
                <span class="jive-xml-tag"><xs:documentation></span>
                    Whether operations that do not modify the configuration or any runtime services should be logged.
                <span class="jive-xml-tag"></xs:documentation></span>
            <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"></xs:attribute></span>
        <span class="jive-xml-tag"><xs:attribute name="enabled" type="xs:boolean" default="true"></span>
            <span class="jive-xml-tag"><xs:annotation></span>
                <span class="jive-xml-tag"><xs:documentation></span>
                    Whether audit logging is enabled.
                <span class="jive-xml-tag"></xs:documentation></span>
            <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"></xs:attribute></span>
    <span class="jive-xml-tag"></xs:complexType></span>
   
    <!--
    Don't allow separate appenders for jmx for now
    <span class="jive-xml-tag"><xs:complexType name="audit-log-appenders-refType"></span>
        <span class="jive-xml-tag"><xs:annotation></span>
          <span class="jive-xml-tag"><xs:documentation></span>
             References to audit-log-appenders defined in the audit-log-appenders section
          <span class="jive-xml-tag"></xs:documentation></span>
        <span class="jive-xml-tag"></xs:annotation></span>
        <span class="jive-xml-tag"><xs:choice minOccurs="1"></span>
            <span class="jive-xml-tag"><xs:element name="appender" type="audit-log-appender-refType" minOccurs="0"/></span>
        <span class="jive-xml-tag"></xs:choice></span>
    <span class="jive-xml-tag"></xs:complexType></span>
   
    <span class="jive-xml-tag"><xs:complexType name="audit-log-appender-refType"></span>
         <span class="jive-xml-tag"><xs:annotation></span>
           <span class="jive-xml-tag"><xs:documentation></span>
              A reference to an audit-log-appender defined in the audit-log-appenders section
           <span class="jive-xml-tag"></xs:documentation></span>
         <span class="jive-xml-tag"></xs:annotation></span>
         <span class="jive-xml-tag"><xs:attribute name="appender" type="xs:string" use="required"/></span>
    <span class="jive-xml-tag"></xs:complexType></span>
    --></span>
</code></pre></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Comment by <a href="https://community.jboss.org/docs/DOC-18812">going to Community</a></p>
<p style="margin: 0;">Create a new document in JBoss AS 7 Development at <a href="https://community.jboss.org/choose-container!input.jspa?contentType=102&containerType=14&container=2225">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>