Ilia Vassilev moved JBEAP-13291 to SECURITY-978:
------------------------------------------------
Project: PicketBox (was: JBoss Enterprise Application Platform)
Key: SECURITY-978 (was: JBEAP-13291)
Workflow: classic default workflow (was: CDW with loose statuses v1)
Remove DEBUG message in server logs while calling
isCallerInRole(String roleName) method
----------------------------------------------------------------------------------------
Key: SECURITY-978
URL:
https://issues.jboss.org/browse/SECURITY-978
Project: PicketBox
Issue Type: Bug
Environment: Red Hat JBoss Enterprise Application Platform 7.0.x
Reporter: Ilia Vassilev
Assignee: Ilia Vassilev
When explicitly checking user roles in EJB code using
context.isCallerInRole(String roleName), and the call returns false, the exception message below
gets printed at DEBUG level in the server.log file.
{code:java}
2017-09-13 21:10:24,549 DEBUG [org.jboss.security]
sessionhash="b34cb4c5c50e3eefbe4f924ee42fa658"
requestid="33015X1505317224509" username="adm2.lg"
src_ip="127.0.0.1" PBOX00326: isCallerInRole processing failed:
org.jboss.security.authorization.AuthorizationException: PBOX00017: Acces denied:
authorization failed
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:274)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:71)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:147)
at java.security.AccessController.doPrivileged(Native Method)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:143)
at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:438)
at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115)
at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:187)
at org.jboss.as.security.service.SimpleSecurityManager.isCallerInRole(SimpleSecurityManager.java:229)
at org.jboss.as.ejb3.component.EJBComponent.isCallerInRole(EJBComponent.java:400)
at org.jboss.as.ejb3.context.EJBContextImpl.isCallerInRole(EJBContextImpl.java:115)
{code}
The exception seems to be logged at DEBUG level in the line below:
{code:java}
https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbos...
{code}
This should not be logged as an exception with a stack trace; a single line in the DEBUG logs
should be enough.
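The following is an added, self-contained illustration of the two logging styles the issue contrasts; it is not PicketBox or EAP code. It uses java.util.logging (with FINE standing in for DEBUG) instead of jboss-logging, and its roleHeld check, "admin" role and the AuthorizationException stand-in are constructed for the example. The noisy variant hands the caught exception to the logger, which is what produces the multi-line stack trace for every denied role check; the quiet variant treats a denial as the expected outcome of isCallerInRole and records only the message on one line.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not PicketBox code): logging an expected authorization
// denial as a full exception versus as a single DEBUG-level line.
public class RoleCheckLogging {
    private static final Logger LOG = Logger.getLogger("org.jboss.security");

    // Stand-in for the AuthorizationException seen in the stack trace above.
    static class AuthorizationException extends Exception {
        AuthorizationException(String msg) { super(msg); }
    }

    // Hypothetical role check: only the "admin" role is held by the caller.
    static boolean roleHeld(String roleName) throws AuthorizationException {
        if ("admin".equals(roleName)) {
            return true;
        }
        throw new AuthorizationException("PBOX00017: Access denied: authorization failed");
    }

    // Noisy variant: the exception object is passed to the logger, so each
    // denial prints a stack trace (the behaviour this issue reports).
    static boolean isCallerInRoleNoisy(String roleName) {
        try {
            return roleHeld(roleName);
        } catch (AuthorizationException e) {
            LOG.log(Level.FINE, "PBOX00326: isCallerInRole processing failed", e);
            return false;
        }
    }

    // Quiet variant: a denial is a normal result of isCallerInRole, so only
    // the message is logged, on one line, without a stack trace.
    static boolean isCallerInRoleQuiet(String roleName) {
        try {
            return roleHeld(roleName);
        } catch (AuthorizationException e) {
            LOG.fine("PBOX00326: isCallerInRole processing failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // java.util.logging only prints INFO and above by default; enable FINE
        // on a dedicated console handler so the DEBUG-equivalent lines show.
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.FINE);
        LOG.setLevel(Level.FINE);
        LOG.setUseParentHandlers(false);
        LOG.addHandler(handler);

        System.out.println("--- noisy: stack trace per denied check ---");
        isCallerInRoleNoisy("auditor");   // false, plus a multi-line trace
        System.out.println("--- quiet: one line per denied check ---");
        isCallerInRoleQuiet("auditor");   // false, plus a single log line
        isCallerInRoleQuiet("admin");     // true, nothing logged
    }
}
```

Compile and run with `javac RoleCheckLogging.java && java RoleCheckLogging`; the first section shows the trace that clutters server.log on every legitimate "not in role" answer, the second shows the one-line form the issue asks for.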