May 2013 - jboss-dev-forums - Jboss List Archives

[IronJacamar Development] - Data Source jboss 7.1.1

by Honda ...

Honda ... [https://community.jboss.org/people/honda23] created the discussion "Data Source jboss 7.1.1" To view the discussion, visit: https://community.jboss.org/message/817031#817031 -------------------------------------------------------------- i want validate connection before borrow from pool , i config data source as mention below but no validation happen before borrow connection from pool although 'select 1 from dual ' exist . so how can i config it to validate each connection . *jboss version :* 7.1.1 *Data Base :* Oracle 11* * > <datasource jta="false" jndi-name="java:/OracleDS" pool-name="OracleDS" enabled="true" use-java-context="true" use-ccm="true"> > <connection-url>jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = prod)(PORT = 1521)) (CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = prod)))</connection-url> > <driver>oracleDriver</driver> > <pool> > <min-pool-size>10</min-pool-size> > <max-pool-size>100</max-pool-size> > <prefill>true</prefill> > <flush-strategy>FailingConnectionOnly</flush-strategy> > </pool> > <security> > <user-name>name</user-name> > <password>pass</password> > </security> > <validation> > <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/> > <check-valid-connection-sql>select 1 from dua11</check-valid-connection-sql> > <validate-on-match>true</validate-on-match> > <background-validation>false</background-validation> > <stale-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/> > <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"/> > </validation> > <timeout> > <blocking-timeout-millis>5000</blocking-timeout-millis> > <idle-timeout-minutes>1</idle-timeout-minutes> > </timeout> > <statement> > <track-statements>true</track-statements> > </statement> > </datasource> > <drivers> > <driver name="oracleDriver" module="com.oracle.ojdbc6"> > <driver-class>oracle.jdbc.driver.OracleDriver</driver-class> > </driver> > </drivers> > </datasources> > thanks in advance , -------------------------------------------------------------- Reply to this message by going to Community [https://community.jboss.org/message/817031#817031] Start a new discussion in IronJacamar Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=1&con...]

11 years, 8 months

1
0
0 / 0

Community Updates, May 2 - May 9

by JBoss Community

=============================================================== Community Updates for May 2 - May 9 =============================================================== Your Content * testing the new list server [https://community.jboss.org/thread/127309] was viewed 13,206 times and replied to by 3 people * No Link to Jboss Nukes [https://community.jboss.org/thread/90785] was viewed 111,550 times and replied to by 3 people Your Connections - Activity by people you are following You don't have any connections yet. Find people and connect! [https://community.jboss.org/people/] Popular Content - The content that is most viewed and participated in * Open Session in View [https://community.jboss.org/docs/DOC-13954] * Data Source Configuration in AS 7 [https://community.jboss.org/docs/DOC-16657] * Sessions and transactions [https://community.jboss.org/docs/DOC-13951] * how I set up a PostgreSQL JDBC Driver on JBoss 7 [https://community.jboss.org/blogs/amartin-blog/2012/02/08/how-to-set-up-a...] * Statement Regarding Security Threat to JBoss Application Server [https://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-secu...] * EAP binaries available for all developers [https://community.jboss.org/blogs/mark.little/2013/03/07/eap-binaries-ava...] * Re: HTTPS on JBoss AS 7 - truststore configuration [https://community.jboss.org/message/809854#809854] * Re: Jboss 7.1.2.Final is only for EAP? [https://community.jboss.org/message/810703#810703] * Re: java.net.BindException: Address already in use: JVM_Bind [https://community.jboss.org/message/795418#795418] Tips and tricks - Invite People to Join One of the big benefits of social business software is something called "Network Effects". In a nutshell, collaboration becomes most effective when there are a large number of people participating. Inviting people to join your community is one of the easiest ways to start. In Community, there are a number of ways to do this: Share something in Community by clicking "Send as Email" in the "Actions" menu. If your colleague isn't already a member then they'll have the opportunity to sign up. Invite people you work with from the "New" > "Invitation" menu in the user bar. Use Community to connect to your email and automatically discover and invite the colleagues you interact with the most. Don't worry, you'll be able to approve the list before any invitations are sent. Not interested in these emails anymore, or want to change how often they come? Update your email preferences by visiting: https://community.jboss.org/user-notification-preferences!input.jspa

11 years, 8 months

1
0
0 / 0

Re: [jboss-dev-forums] [JBoss AS 7 Development] - Design of AS7 multi-JSF feature

by Stan Silvert

Stan Silvert [https://community.jboss.org/people/ssilvert] commented on the document "Design of AS7 multi-JSF feature" To view all comments on this document, visit: https://community.jboss.org/docs/DOC-47689#comment-12038 -------------------------------------------------- > Nicklas Karlsson wrote: > > > > I noticed that the jsf-injection jar in the myfaces package (7.2.0.Alpha1-SNAPSHOT) no longer works with 7.2.0.Final. > Yes, the attachments are out of date. The version I'm working on now does not package the jsf-injection jar in the *.cli file. The jsf-injection jar actually does not need to be different for each slot. It's the same bits. The only difference is the JSF API slot that is listed as a dependency in the modules.xml for jsf-injection. I can't really explain it well, but you should see a better version of the *.cli file soon and it will make sense. Long story short, this feature is considered a Tech Preview until at least the first version or two of WildFly comes out. Stuff may break from version to version until we get things nailed down better. --------------------------------------------------

11 years, 8 months

1
0
0 / 0

[JBoss Transactions Development] - Re: JTA 1.2 Implementation Work

by Mark Little

Mark Little [https://community.jboss.org/people/marklittle] created the discussion "Re: JTA 1.2 Implementation Work" To view the discussion, visit: https://community.jboss.org/message/816974#816974 -------------------------------------------------------------- As soon as WF moves to adopt EE7 for all of its constituent components then JTA 1.2 should be the default. -------------------------------------------------------------- Reply to this message by going to Community [https://community.jboss.org/message/816974#816974] Start a new discussion in JBoss Transactions Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=1&con...]

11 years, 8 months

1
0
0 / 0

[jBPM Development] - Is there any tool to migrate jBPM 4.4 version to jBPM 5.4?

by Anitha Suresh

Anitha Suresh [https://community.jboss.org/people/anne_10] created the discussion "Is there any tool to migrate jBPM 4.4 version to jBPM 5.4?" To view the discussion, visit: https://community.jboss.org/message/816972#816972 -------------------------------------------------------------- Hi, I have an application which is using jBPM 4.4 version for the workflow. I would like to migrate it from 4.4 to the 5.4 final version. Is there any tool provided for migration or do i need to rewrite the code?. i didn't get the exact solution for this.pls help. Thanks Anne -------------------------------------------------------------- Reply to this message by going to Community [https://community.jboss.org/message/816972#816972] Start a new discussion in jBPM Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=1&con...]

11 years, 8 months

1
0
0 / 0

[JBoss AS 7 Development] - exclude XMLSEC and XALAN

by andrew.sc.syd

andrew.sc.syd [https://community.jboss.org/people/andrew.sc.syd] created the document: "exclude XMLSEC and XALAN" To view the document, visit: https://community.jboss.org/docs/DOC-48738 -------------------------------------------------------------- AS 7.1.1. I'm experiencing a version incompatibility between the XMLSEC (Santuario) and XALAN libraries used by Jboss. The error comes at the point where XMLSEC attempts to instatiate an XpathContext object. The XpathContext, in urn, has a private DTMManager which is being created by newInstance(). The newInstance returns an instance of org.apache.xml.dtm.ref.DTMManagerDefault which canot be cast to org.apache.xml.dtm.DTMManager. The XMLSecurityRuntimeException forgets to mention the original cause of ClassCastException. So, I'd rather use my own versions of XMLSEC and XALAN. I saw how JBoss uses it's own version of XMLSEC. It even replaces the version incorporated into the JDK. Here is the snippet from definition of javaee.api | | <module name="org.apache.santuario.xmlsec" export="true"> | | | <exports> | | | <include-set> | | | <path name="javax/xml/crypto"/> | | | <path name="javax/xml/crypto/dom"/> | | | <path name="javax/xml/crypto/dsig"/> | | | <path name="javax/xml/crypto/dsig/dom"/> | | | <path name="javax/xml/crypto/dsig/keyinfo"/> | | | <path name="javax/xml/crypto/dsig/spec"/> | | | </include-set> | | | </exports> | | | </module> | I read the advice given at https://community.jboss.org/message/637818#637818 https://community.jboss.org/message/637818 So, I tried my hand. In jboss-deployment-structure.xml I excluded the XmlSec used by Jboss <jboss-deployment-structure> <deployment> <exclusions> <module name="org.apache.xalan" /> <module name="org.apache.santuario.xmlsec"/> </exclusions> <dependencies> <module name="javaee.api" > <imports> <exclude-set> <path name="org.apache.santuario.xmlsec"/> </exclude-set> </imports> </module> </dependencies> </deployment> </jboss-deployment-structure> For some reason, it did not work. I can still see in the stack trace xmlsec.1.5.1 which is the JBoss version Regards, Andrew -------------------------------------------------------------- Comment by going to Community [https://community.jboss.org/docs/DOC-48738] Create a new document in JBoss AS 7 Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=102&c...]

11 years, 8 months

1
0
0 / 0

[JBoss ESB Development] - How to get Proxy Name from invm EPR

by munimanjunath kalapati

munimanjunath kalapati [https://community.jboss.org/people/munimanjunath] created the discussion "How to get Proxy Name from invm EPR" To view the discussion, visit: https://community.jboss.org/message/816759#816759 -------------------------------------------------------------- I am trying to get proxyname from ESB message properties. For http gateway proxies there is a property called service-name but for proxies generated through EBWS the property service-name is not present. The only property I can get is invm epr from message header which I can use to correlate to proxyname. If somebody has any code snippet to get the proxyname through juddi query or db query please let me know my jboss soa is 5.0 the later versions has a new property for proxyname. -------------------------------------------------------------- Reply to this message by going to Community [https://community.jboss.org/message/816759#816759] Start a new discussion in JBoss ESB Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=1&con...]

11 years, 8 months

1
1
0 / 0

[JBoss Web Development] - Error 403 instead of login page

by Jose Inacio Silva Junior

Jose Inacio Silva Junior [https://community.jboss.org/people/inacio-silva] created the discussion "Error 403 instead of login page" To view the discussion, visit: https://community.jboss.org/message/816892#816892 -------------------------------------------------------------- Hi, I'm working on an app with resteasy. The client (HTML, CSS, Javascript) reach the server via rest/json. When the session expires on server I see a message on JBoss Console: Entering logout ... logged out Subject Until now everything is ok. But when the client try to access the server after that through PUT or DELETE method, it receives an error 403. If the method is POST or GET it receives the login page. My problem is: I need to show a login page when the session expires since there are links in the app that the user doesn't have access and in that case the ajax receives 403. So, in the ajax, when I receive 403, I don't know if the session have expired or the user have tried to acess an unauthorized resource. The problem only appears with PUT and DELETE methods. Is it a bug? My Jboss 7.1.1 My web.xml <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance http://www.w3.org/2001/XMLSchema-instance" xmlns=" http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee" xmlns:web=" http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" metadata-complete="false" version="3.0"> <security-constraint> <display-name>protected resources</display-name> <web-resource-collection> <web-resource-name>all</web-resource-name> <description></description> <url-pattern>/restrito/*</url-pattern> <url-pattern>/rest/*</url-pattern> </web-resource-collection> <auth-constraint> <description></description> <role-name>pad_gestor</role-name> </auth-constraint> </security-constraint> <security-role> <description>Gestor</description> <role-name>pad_gestor</role-name> </security-role> <login-config> <auth-method>FORM</auth-method> <realm-name>JBoss</realm-name> <form-login-config> <form-login-page>/publico/login.html</form-login-page> </form-login-config> </login-config> </web-app> Thanks in advance! Inacio -------------------------------------------------------------- Reply to this message by going to Community [https://community.jboss.org/message/816892#816892] Start a new discussion in JBoss Web Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=1&con...]

11 years, 8 months

1
0
0 / 0

[JBoss AS 7 Development] - Audit Logging Design Notes

by Kabir Khan

Kabir Khan [https://community.jboss.org/people/kabirkhan] modified the document: "Audit Logging Design Notes" To view the document, visit: https://community.jboss.org/docs/DOC-18812 -------------------------------------------------------------- Design notes for work on https://issues.jboss.org/browse/WFLY-456 (formerly https://issues.jboss.org/browse/AS7-444 https://issues.jboss.org/browse/AS7-444). My current development topic branch for this is https://github.com/kabir/wildfly/tree/WFLY-456-audit-log https://github.com/kabir/wildfly/tree/WFLY-456-audit-log (More current than https://github.com/bstansberry/jboss-as/tree/AS7-444 https://github.com/bstansberry/jboss-as/tree/AS7-444, note that these are personal branches; I make no guarantees not to change its commit history.) This branch is based on work previously done by John Bailey. Design notes: 1) Processing location in OperationContext a) when done b) when decision to not proceed is made in OperationContext 2) Log record format: a) date b) read-only? c) boot? d) (if boot) version (as string???) e) rollback? f) userid (TODO get this somehow) g) uuid (for domain ops only, to track across processes) h) isServer? i) primary (domain or server) model hash j) if (!isServer) secondary (host) model hash k) overall hash l) num operations m) operations (one at a time) n) length of a->j (scan from end to last boot during validation; alternative is to write the length first and scan from beginning to last boot) 3) Index record format: a) overall hash 4) Mgmt operations a) truncate (back to last boot) i) don't discard previous; just write under a different file name b) read log (params -- from (default 0); batch-size (default 20; -1 means all)) c) validate log d) config changes 5) Validation: a) compare persisted model hash to current model b) scan back through log to last config-file-modified boot or version-change boot. We stop at version-change boot to avoid spurious validation problems resulting from changes in model construction across versions c) recreate by re-running ops -- validation problems a) need to verify model hash at each stage -- special controller that ignores all runtime ops i) problem -- how to recreate domain ops involving remote slaves that don't exist? ii) problem -- ops with attachments -- attachments won't exist iii) this "special controller" could end up duplicating a lot of logic just for validation b) reads and runtime ops cannot be verified against model; it can only be confirmed that their hash is consistent with subsequent hashes in the log. Tamper resistant as modification would require modifying all subsequent log entries, but not tamper proof as this could be done. 6) Domain mode a) tracking requests from master to slaves apply a uuid to requests -- as a header include uuid in log record b) detecting host.xml config changes at boot problem -- can't detect host.xml config changes at boot, as model changes may be due to domain.xml stuff coming from the master so, independent domain and host logging but, what about non-model affecting ops? log twice? c) domain logging on slaves? only if --backup-dc is set? -- no simpler to just log d) remote-slave-only logging on master? yes, to maintain a complete record of what was done 7) Non-model-affecting ops a) re-calculating the model hash for all such ops is too expensive b) store the hash(es) in the ModelController along with the model c) provide the hash along with the model to OperationContext d) when model is updated recalc hashes 8) Config a) <audit-log> element b) part of <management> section c) resource is /core-service=audit-log d) attributes i) path (NO -- we need to know the location when first logging, before we have processed ops to set it) ii) relative-to (NO -- we need to know the location when first logging, before we have processed ops to set it) iii) log-read-only? iv) daily-rolling??? (hassle; tempting to defer to later release but it's probably necessary immediately) 9) Other issues a) disable logging overhead for dev scenarios i) to disable it during initial boot (until whatever config element that turns it on/off is read) -- maintain log data in memory and only write on last boot op b) parallel boot handlers should not log c) fluctuating model hashes i) if op took the controller lock, that lock ensures proper ordering of model hashes ii) if op does not take controller lock (reads) earlier model hashes can intermix with later -- validation needs to account for this *Suggested configuration* Only relevant elements to audit logging have been included in the following examples. *+jboss-as-config (i.e. standlone.xml and host.xml)+ * This defines a set of audit-log-appenders which are referenced by the audit-log element. Currently encryption/tamper detection is not a requirement so all logs are done in clear text. If encryption/tamper detection later becomes a requirement this could be added by for example an audit-log-formatters section which configures whatever we would like to use for encryption/tamper detection and the file-audit-log-appender and syslog-audit-log-appender could individually be made to reference an audit-log-formatter. <xs:complexType name="domain-managementType"> <xs:annotation> <xs:documentation> Domain-wide default configuration settings for the management of standalone servers and a Host Controller. </xs:documentation> </xs:annotation> <xs:sequence> <xs:element name="security-realms" minOccurs="0"> <xs:complexType> <xs:sequence> <xs:element name="security-realm" type="security-realmType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="outbound-connections" minOccurs="0"> <xs:complexType> <xs:sequence> <xs:element name="ldap" type="ldapType" minOccurs="1" />  </xs:sequence> </xs:complexType> </xs:element> <xs:sequence minOccurs="0"> <xs:element name="audit-log-appenders" type="audit-log-appendersType"/> <xs:element name="audit-log" type="audit-logType"/> </xs:sequence> </xs:sequence> </xs:complexType> <xs:complexType name="audit-log-appendersType"> <xs:annotation> <xs:documentation> Declaration of management operation audit logging appenders. </xs:documentation> </xs:annotation> <xs:choice minOccurs="1" maxOccurs="unbounded"> <xs:element name="file-appender" type="file-audit-log-appenderType"/> <xs:element name="syslog-appender" type="syslog-audit-log-appenderType"/> </xs:choice> </xs:complexType> <xs:complexType name="file-audit-log-appenderType"> <xs:annotation> <xs:documentation> Configuration of a simple file appender for the audit log. This writes to a local file without any encryption or tamper detection applied to the file. </xs:documentation> </xs:annotation> <xs:attribute name="name" type="xs:string" use="required"> <xs:annotation> <xs:documentation> The name of the appender </xs:documentation> </xs:annotation> </xs:attribute> <xs:attribute name="path" type="xs:string" use="required"> <xs:annotation> <xs:documentation> The path of the audit log. </xs:documentation> </xs:annotation> </xs:attribute> <xs:attribute name="relative-to" use="optional" type="xs:string"> <xs:annotation> <xs:documentation> The name of another previously named path, or of one of the standard paths provided by the system. If 'relative-to' is provided, the value of the 'path' attribute is treated as relative to the path specified by this attribute. </xs:documentation> </xs:annotation> </xs:attribute> </xs:complexType> <xs:complexType name="syslog-audit-log-appenderType"> <xs:annotation> <xs:documentation> Configuration of a syslog file appender for the audit log. This writes to a local file without any encryption or tamper detection applied to the file. </xs:documentation> </xs:annotation> <xs:sequence> <xs:attribute name="name" type="xs:string" use="required"> <xs:annotation> <xs:documentation> The name of the appender </xs:documentation> </xs:annotation> </xs:attribute> <xs:element name="truststore" type="keyStoreType" minOccurs="0"> <xs:annotation> <xs:documentation> TODO - can we define more than one truststore in java? The normal way seems to be to set -Djavax.net.ssl.trustStore, and there is already one in authenticationType. It looks like there might be a way, although we would need to extend syslog4j to be able to use SSLContext. Configuration of a keystore to use to create a trust manager to verify clients. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="client-certificate-authentication" type="keyStoreType" minOccurs="0"> <xs:annotation> <xs:documentation> TODO - Look into if it is possible to extend syslog4j to use SSLContext. Configuration of a keystore containing a client certificate and private key, e.g. in PKCS12 format. </xs:documentation> </xs:annotation> </xs:element>  </xs:sequence> <xs:attribute name="protocol" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="udp"/> <xs:enumeration value="tcp"/> <xs:enumeration value="tls"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="host" default="localhost"/> <xs:attribute name="port" default="514"/> </xs:complexType> <xs:complexType name="audit-logType"> <xs:annotation> <xs:documentation> Declaration of management operation audit logging configuration coming from the model controller core. </xs:documentation> </xs:annotation> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="appenders" type="audit-log-appenders-refType" minOccurs="0"/> </xs:choice> <xs:attribute name="log-read-only" type="xs:boolean" default="false"> <xs:annotation> <xs:documentation> Whether operations that do not modify the configuration or any runtime services should be logged. </xs:documentation> </xs:annotation> </xs:attribute> <xs:attribute name="enabled" type="xs:boolean" default="true"> <xs:annotation> <xs:documentation> Whether audit logging is enabled. </xs:documentation> </xs:annotation> </xs:attribute> </xs:complexType> <xs:complexType name="audit-log-appenders-refType"> <xs:annotation> <xs:documentation> References to audit-log-appenders defined in the audit-log-appenders section </xs:documentation> </xs:annotation> <xs:choice minOccurs="1"> <xs:element name="appender" type="audit-log-appender-refType" minOccurs="0"/> </xs:choice> </xs:complexType> <xs:complexType name="audit-log-appender-refType"> <xs:annotation> <xs:documentation> A reference to an audit-log-appender defined in the audit-log-appenders section </xs:documentation> </xs:annotation> <xs:attribute name="appender" type="xs:string" use="required"/> </xs:complexType> +*jboss-as-jmx (jmx subsystem)*+ References the appenders set up in the audit-log-appenders section. This allows for both shared and separate audit logs for core management operations and jmx operations. <xs:complexType name="subsystem"> <xs:sequence> <xs:element name="expose-resolved-model" type="resolvedModelType" minOccurs="0" maxOccurs="1"/> <xs:element name="expose-expression-model" type="expressionModelType" minOccurs="0" maxOccurs="1"/> <xs:element name="remoting-connector" type="remotingConnectorRefType" minOccurs="0"/> <xs:element name="audit-log" type="audit-logType" minOccurs="0"/> </xs:sequence> </xs:complexType> <xs:complexType name="audit-logType"> <xs:annotation> <xs:documentation> Declaration of management operation audit logging configuration. </xs:documentation> </xs:annotation>  <xs:attribute name="log-read-only" type="xs:boolean" default="false"> <xs:annotation> <xs:documentation> Whether operations that do not modify the configuration or any runtime services should be logged. </xs:documentation> </xs:annotation> </xs:attribute> <xs:attribute name="enabled" type="xs:boolean" default="true"> <xs:annotation> <xs:documentation> Whether audit logging is enabled. </xs:documentation> </xs:annotation> </xs:attribute> </xs:complexType>  -------------------------------------------------------------- Comment by going to Community [https://community.jboss.org/docs/DOC-18812] Create a new document in JBoss AS 7 Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=102&c...]

11 years, 8 months

1
0
0 / 0

[JBoss AS 7 Development] - Audit Logging Design Notes

by Kabir Khan

Kabir Khan [https://community.jboss.org/people/kabirkhan] modified the document: "Audit Logging Design Notes" To view the document, visit: https://community.jboss.org/docs/DOC-18812 -------------------------------------------------------------- Design notes for work on https://issues.jboss.org/browse/WFLY-456 (formerly https://issues.jboss.org/browse/AS7-444 https://issues.jboss.org/browse/AS7-444). My current development topic branch for this is https://github.com/kabir/wildfly/tree/WFLY-456-audit-log https://github.com/kabir/wildfly/tree/WFLY-456-audit-log (More current than https://github.com/bstansberry/jboss-as/tree/AS7-444 https://github.com/bstansberry/jboss-as/tree/AS7-444, note that these are personal branches; I make no guarantees not to change its commit history.) This branch is based on work previously done by John Bailey. Design notes: 1) Processing location in OperationContext a) when done b) when decision to not proceed is made in OperationContext 2) Log record format: a) date b) read-only? c) boot? d) (if boot) version (as string???) e) rollback? f) userid (TODO get this somehow) g) uuid (for domain ops only, to track across processes) h) isServer? i) primary (domain or server) model hash j) if (!isServer) secondary (host) model hash k) overall hash l) num operations m) operations (one at a time) n) length of a->j (scan from end to last boot during validation; alternative is to write the length first and scan from beginning to last boot) 3) Index record format: a) overall hash 4) Mgmt operations a) truncate (back to last boot) i) don't discard previous; just write under a different file name b) read log (params -- from (default 0); batch-size (default 20; -1 means all)) c) validate log d) config changes 5) Validation: a) compare persisted model hash to current model b) scan back through log to last config-file-modified boot or version-change boot. We stop at version-change boot to avoid spurious validation problems resulting from changes in model construction across versions c) recreate by re-running ops -- validation problems a) need to verify model hash at each stage -- special controller that ignores all runtime ops i) problem -- how to recreate domain ops involving remote slaves that don't exist? ii) problem -- ops with attachments -- attachments won't exist iii) this "special controller" could end up duplicating a lot of logic just for validation b) reads and runtime ops cannot be verified against model; it can only be confirmed that their hash is consistent with subsequent hashes in the log. Tamper resistant as modification would require modifying all subsequent log entries, but not tamper proof as this could be done. 6) Domain mode a) tracking requests from master to slaves apply a uuid to requests -- as a header include uuid in log record b) detecting host.xml config changes at boot problem -- can't detect host.xml config changes at boot, as model changes may be due to domain.xml stuff coming from the master so, independent domain and host logging but, what about non-model affecting ops? log twice? c) domain logging on slaves? only if --backup-dc is set? -- no simpler to just log d) remote-slave-only logging on master? yes, to maintain a complete record of what was done 7) Non-model-affecting ops a) re-calculating the model hash for all such ops is too expensive b) store the hash(es) in the ModelController along with the model c) provide the hash along with the model to OperationContext d) when model is updated recalc hashes 8) Config a) <audit-log> element b) part of <management> section c) resource is /core-service=audit-log d) attributes i) path (NO -- we need to know the location when first logging, before we have processed ops to set it) ii) relative-to (NO -- we need to know the location when first logging, before we have processed ops to set it) iii) log-read-only? iv) daily-rolling??? (hassle; tempting to defer to later release but it's probably necessary immediately) 9) Other issues a) disable logging overhead for dev scenarios i) to disable it during initial boot (until whatever config element that turns it on/off is read) -- maintain log data in memory and only write on last boot op b) parallel boot handlers should not log c) fluctuating model hashes i) if op took the controller lock, that lock ensures proper ordering of model hashes ii) if op does not take controller lock (reads) earlier model hashes can intermix with later -- validation needs to account for this *Suggested configuration* Only relevant elements to audit logging have been included in the following examples. *+jboss-as-config (i.e. standlone.xml and host.xml)+ * This defines a set of audit-log-appenders which are referenced by the audit-log element. Currently encryption/tamper detection is not a requirement so all logs are done in clear text. If encryption/tamper detection later becomes a requirement this could be added by for example an audit-log-formatters section which configures whatever we would like to use for encryption/tamper detection and the file-audit-log-appender and syslog-audit-log-appender could individually be made to reference an audit-log-formatter. <xs:complexType name="domain-managementType"> <xs:annotation> <xs:documentation> Domain-wide default configuration settings for the management of standalone servers and a Host Controller. </xs:documentation> </xs:annotation> <xs:sequence> <xs:element name="security-realms" minOccurs="0"> <xs:complexType> <xs:sequence> <xs:element name="security-realm" type="security-realmType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="outbound-connections" minOccurs="0"> <xs:complexType> <xs:sequence> <xs:element name="ldap" type="ldapType" minOccurs="1" />  </xs:sequence> </xs:complexType> </xs:element> <xs:sequence minOccurs="0"> <xs:element name="audit-log-appenders" type="audit-log-appendersType"/> <xs:element name="audit-log" type="audit-logType"/> </xs:sequence> </xs:sequence> </xs:complexType> <xs:complexType name="audit-log-appendersType"> <xs:annotation> <xs:documentation> Declaration of management operation audit logging appenders. </xs:documentation> </xs:annotation> <xs:choice minOccurs="1" maxOccurs="unbounded"> <xs:element name="file-appender" type="file-audit-log-appenderType"/> <xs:element name="syslog-appender" type="syslog-audit-log-appenderType"/> </xs:choice> </xs:complexType> <xs:complexType name="file-audit-log-appenderType"> <xs:annotation> <xs:documentation> Configuration of a simple file appender for the audit log. This writes to a local file without any encryption or tamper detection applied to the file. </xs:documentation> </xs:annotation> <xs:attribute name="name" type="xs:string" use="required"> <xs:annotation> <xs:documentation> The name of the appender </xs:documentation> </xs:annotation> </xs:attribute> <xs:attribute name="path" type="xs:string" use="required"> <xs:annotation> <xs:documentation> The path of the audit log. </xs:documentation> </xs:annotation> </xs:attribute> <xs:attribute name="relative-to" use="optional" type="xs:string"> <xs:annotation> <xs:documentation> The name of another previously named path, or of one of the standard paths provided by the system. If 'relative-to' is provided, the value of the 'path' attribute is treated as relative to the path specified by this attribute. </xs:documentation> </xs:annotation> </xs:attribute> </xs:complexType> <xs:complexType name="syslog-audit-log-appenderType"> <xs:annotation> <xs:documentation> Configuration of a syslog file appender for the audit log. This writes to a local file without any encryption or tamper detection applied to the file. </xs:documentation> </xs:annotation> <xs:sequence> <xs:attribute name="name" type="xs:string" use="required"> <xs:annotation> <xs:documentation> The name of the appender </xs:documentation> </xs:annotation> </xs:attribute> <xs:element name="truststore" type="keyStoreType" minOccurs="0"> <xs:annotation> <xs:documentation> TODO - can we define more than one truststore in java? The normal way seems to be to set -Djavax.net.ssl.trustStore, and there is already one in authenticationType. It looks like there might be a way, although we would need to extend syslog4j to be able to use SSLContext. Configuration of a keystore to use to create a trust manager to verify clients. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="client-certificate-authentication" type="keyStoreType" minOccurs="0"> <xs:annotation> <xs:documentation> TODO - Look into if it is possible to extend syslog4j to use SSLContext. Configuration of a keystore containing a client certificate and private key, e.g. in PKCS12 format. </xs:documentation> </xs:annotation> </xs:element>  </xs:sequence> <xs:attribute name="protocol" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="udp"/> <xs:enumeration value="tcp"/> <xs:enumeration value="tls"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="host" default="localhost"/> <xs:attribute name="port" default="514"/> </xs:complexType> <xs:complexType name="audit-logType"> <xs:annotation> <xs:documentation> Declaration of management operation audit logging configuration coming from the model controller core. </xs:documentation> </xs:annotation> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="appenders" type="audit-log-appenders-refType" minOccurs="0"/> </xs:choice> <xs:attribute name="log-read-only" type="xs:boolean" default="false"> <xs:annotation> <xs:documentation> Whether operations that do not modify the configuration or any runtime services should be logged. </xs:documentation> </xs:annotation> </xs:attribute> <xs:attribute name="enabled" type="xs:boolean" default="true"> <xs:annotation> <xs:documentation> Whether audit logging is enabled. </xs:documentation> </xs:annotation> </xs:attribute> </xs:complexType> <xs:complexType name="audit-log-appenders-refType"> <xs:annotation> <xs:documentation> References to audit-log-appenders defined in the audit-log-appenders section </xs:documentation> </xs:annotation> <xs:choice minOccurs="1"> <xs:element name="appender" type="audit-log-appender-refType" minOccurs="0"/> </xs:choice> </xs:complexType> <xs:complexType name="audit-log-appender-refType"> <xs:annotation> <xs:documentation> A reference to an audit-log-appender defined in the audit-log-appenders section </xs:documentation> </xs:annotation> <xs:attribute name="appender" type="xs:string" use="required"/> </xs:complexType> +*jboss-as-jmx (jmx subsystem)*+ References the appenders set up in the audit-log-appenders section. This allows for both shared and separate audit logs for core management operations and jmx operations. <xs:complexType name="subsystem"> <xs:sequence> <xs:element name="expose-resolved-model" type="resolvedModelType" minOccurs="0" maxOccurs="1"/> <xs:element name="expose-expression-model" type="expressionModelType" minOccurs="0" maxOccurs="1"/> <xs:element name="remoting-connector" type="remotingConnectorRefType" minOccurs="0"/> <xs:element name="audit-log" type="audit-logType" minOccurs="0"/> </xs:sequence> </xs:complexType> <xs:complexType name="audit-logType"> <xs:annotation> <xs:documentation> Declaration of management operation audit logging configuration. </xs:documentation> </xs:annotation> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="appenders" type="audit-log-appenders-refType" minOccurs="0"/> </xs:choice> <xs:attribute name="log-read-only" type="xs:boolean" default="false"> <xs:annotation> <xs:documentation> Whether operations that do not modify the configuration or any runtime services should be logged. </xs:documentation> </xs:annotation> </xs:attribute> <xs:attribute name="enabled" type="xs:boolean" default="true"> <xs:annotation> <xs:documentation> Whether audit logging is enabled. </xs:documentation> </xs:annotation> </xs:attribute> </xs:complexType> <xs:complexType name="audit-log-appenders-refType"> <xs:annotation> <xs:documentation> References to audit-log-appenders defined in the audit-log-appenders section </xs:documentation> </xs:annotation> <xs:choice minOccurs="1"> <xs:element name="appender" type="audit-log-appender-refType" minOccurs="0"/> </xs:choice> </xs:complexType> <xs:complexType name="audit-log-appender-refType"> <xs:annotation> <xs:documentation> A reference to an audit-log-appender defined in the audit-log-appenders section </xs:documentation> </xs:annotation> <xs:attribute name="appender" type="xs:string" use="required"/> </xs:complexType> -------------------------------------------------------------- Comment by going to Community [https://community.jboss.org/docs/DOC-18812] Create a new document in JBoss AS 7 Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=102&c...]

11 years, 8 months

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-dev-forums May 2013