[jboss-cvs] JBossAS SVN: r101059 - in projects/docs/enterprise/5.1/JBoss_Security_Chapter: en-US and 1 other directories.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Wed Feb 17 01:01:22 EST 2010


Author: jaredmorgs
Date: 2010-02-17 01:01:22 -0500 (Wed, 17 Feb 2010)
New Revision: 101059

Added:
   projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/extras/jboss-log4j-Security_Audit_AUDIT_Appender.xml_sample
   projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/extras/jboss-log4j-Security_Audit_Provider_Category.xml_sample
Modified:
   projects/docs/enterprise/5.1/JBoss_Security_Chapter/
   projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/chap-Security_Configuration_And_Architecture.xml
Log:
Updated Security Chapter with Audit Logging for EJBs procedure.


Property changes on: projects/docs/enterprise/5.1/JBoss_Security_Chapter
___________________________________________________________________
Name: svn:ignore
   + tmp


Modified: projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/chap-Security_Configuration_And_Architecture.xml
===================================================================
--- projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/chap-Security_Configuration_And_Architecture.xml	2010-02-17 02:56:54 UTC (rev 101058)
+++ projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/chap-Security_Configuration_And_Architecture.xml	2010-02-17 06:01:22 UTC (rev 101059)
@@ -1307,6 +1307,73 @@
         <programlisting role="JAVA" language="Java"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="extras/security-policies-WebJACCPolicyModuleDelegate.java" parse="text"/></programlisting>
       </example>
     </section>
+    <section id="sect-Configure_Security_Auditing">
+      <title>Configure Security Event Auditing</title>
+      <para>Certain government organizations mandate auditing in enterprise applications to ensure the software components of an implementation are traceable, and  operating within their design parameters.  Additionally, variants of government regulations and standards require audit controls in addition to standard application auditing.</para>
+      <para>System administrators can enable  security event auditing to constantly monitor the operation of the security domain, and deployed Web and EJB applications.    </para>
+      <important>
+        <title>Event Auditing, and Server Performance</title>
+        <para>Security event auditing may introduce a performance impact on implementations that manage high event volumes.  Auditing is deactivated by default, and should be configured to be available on-demand.</para>
+      </important>
+      <para>Activating security event auditing differs between Web and EJB components.  <xref linkend="proc-Enabling_Sec_Audit_Feature"/> describes the minimum steps to enable  the audit service for EJBs in your implementation  .  <xref linkend="proc-Enable_Sec_Audit_Web"/> describes how to enable security event auditing for Web containers.</para>
+      <procedure id="proc-Enabling_Sec_Audit_Feature">
+        <title>Enable the security audit feature</title>
+        <step>
+          <title>Open the log4j configuration file</title>
+          <para>Navigate to <filename><replaceable>[install_directory]</replaceable>/jboss-as/server/all/conf/</filename></para>
+          <para>Open the <filename>jboss-log4j.xml</filename> file using a text editor. </para>
+        </step>
+        <step>
+          <title>Uncomment the security audit category</title>
+          <para>By default, the Security Audit Provider category definition in the  <filename>jboss-log4j.xml</filename> file is commented out.  Uncomment the category definition shown in <xref linkend="exam-log4j_Security_Audit_Provider_Category"/>.</para>
+          <example id="exam-log4j_Security_Audit_Provider_Category">
+            <title>log4j Security Audit Provider category</title>
+            <programlisting role="XML" language="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="extras/jboss-log4j-Security_Audit_Provider_Category.xml_sample" parse="text"/></programlisting>
+          </example>
+        </step>
+        <step>
+          <title>Uncomment the audit appender</title>
+          <para>By default, the AUDIT appender definition in the  <filename>jboss-log4j.xml</filename> file is commented out.  Uncomment the appender definition shown in <xref linkend="exam-log4j_Security_Audit_Provider_Category"/>.</para>
+          <example id="exam-log4j_Security_Audit_AUDIT_Appender">
+            <title>log4j Security Audit Provider category</title>
+            <programlisting role="XML" language="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="extras/jboss-log4j-Security_Audit_AUDIT_Appender.xml_sample" parse="text"/></programlisting>
+          </example>
+        </step>
+        <step>
+          <title>Save and restart server </title>
+          <para>You have now activated the auditing service for your implementation, as configured in the  <filename>jboss-log4j.xml</filename> file.</para>
+          <para>Restart the server to ensure the new security policy takes effect.</para>
+        </step>
+        <step>
+          <title>Verify security auditing is functioning correctly</title>
+          <para>Once the audit service is configured and deployed, audit log entries will verify the audit service and EJB invocation success.</para>
+          <para>The <filename>audit.log</filename> file is  located in <filename>[install_directory]/jboss-as/server/<replaceable>$PROFILES</replaceable>/log/</filename> directory.  </para>
+          <para>A successful EJB invocation would look similar to the following <filename>audit.log</filename> output.</para>
+          <example>
+            <title>Successful EJB Invocation log entry</title>
+            <programlisting>2008-12-05 16:08:26,719 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2:) [Success]policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration at 76ed4518; Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration at 76ed4518}:method=public abstract org.jboss.test.security.interfaces.RunAsServiceRemote org.jboss.test.security.interfaces.RunAsServiceRemoteHome.create() throws java.rmi.RemoteException,javax.ejb.CreateException:ejbMethodInterface=Home:ejbName=RunAs:ejbPrincipal=jduke:MethodRoles=Roles(identitySubstitutionCaller,):securityRoleReferences=null:callerSubject=Subject:
+        Principal: [roles=[identitySubstitutionCaller, extraRunAsRole],principal=runAsUser]
+        Principal: Roles(members:extraRunAsRole,identitySubstitutionCaller)
+:callerRunAs=[roles=[identitySubstitutionCaller, extraRunAsRole],principal=runAsUser]:callerRunAs=[roles=[identitySubstitutionCaller, extraRunAsRole],principal=runAsUser]:ejbRestrictionEnforcement=false:ejbVersion=null];Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;</programlisting>
+          </example>
+          <para>An unsuccessful EJB invocation would look similar to the following <filename>audit.log</filename> output.</para>
+          <example>
+            <title>Unsuccessful EJB Invocation log entry</title>
+            <programlisting>[Error]policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration at 76ed4518;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration at 76ed4518}:method=public java.security.Principal org.jboss.test.security.ejb3.SimpleStatelessSessionBean.invokeUnavailableMethod():ejbMethodInterface=Remote:ejbName=SimpleStatelessSessionBean:ejbPrincipal=UserA:MethodRoles=Roles(&lt;NOBODY&gt;,):securityRoleReferences=null:callerSubject=Subject:
+        Principal: UserA
+        Principal: Roles(members:RegularUser,Administrator)
+:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization Failed: ;</programlisting>
+          </example>
+        </step>
+      </procedure>
+      <procedure id="proc-Enable_Sec_Audit_Web">
+        <title>Enable security auditing for Web containers</title>
+        <step>
+          <title/>
+          <para/>
+        </step>
+      </procedure>
+    </section>
     <section id="Defining_Security_Domains-Loading_Security_Domains">
       <title>Loading Security Domains</title>
       <para>
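Review bot: the xref in the "Uncomment the audit appender" step points at `exam-log4j_Security_Audit_Provider_Category`, so it sends the reader back to the category example instead of the appender example directly below it; change that linkend to `exam-log4j_Security_Audit_AUDIT_Appender`, and give that example its own title (it currently repeats "log4j Security Audit Provider category"). The `proc-Enable_Sec_Audit_Web` procedure is linked from the intro paragraph but contains only an empty `<title/>` and `<para/>`; either fill it in before committing or drop the xref so the published chapter does not link to a blank procedure. Minor: the audit.log path uses bare `[install_directory]` and `$PROFILES` while the earlier step wraps `[install_directory]` in `<replaceable>` and hard-codes `server/all`; the appender writes to `${jboss.server.log.dir}`, so the path should be described as the log directory of whichever profile was started. Also, "Restart the server to ensure the new security policy takes effect" describes a log4j configuration change, not a security policy.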

Added: projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/extras/jboss-log4j-Security_Audit_AUDIT_Appender.xml_sample
===================================================================
--- projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/extras/jboss-log4j-Security_Audit_AUDIT_Appender.xml_sample	                        (rev 0)
+++ projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/extras/jboss-log4j-Security_Audit_AUDIT_Appender.xml_sample	2010-02-17 06:01:22 UTC (rev 101059)
@@ -0,0 +1,33 @@
+
+...
+<!--  Emit events as JMX notifications
+<appender name="JMX" class="org.jboss.monitor.services.JMXNotificationAppender">
+  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+  <param name="Threshold" value="WARN"/>
+  <param name="ObjectName" value="jboss.system:service=Logging,type=JMXNotificationAppender"/>
+  <layout class="org.apache.log4j.PatternLayout">
+    <param name="ConversionPattern" value="%d %-5p [%c] %m"/>
+  </layout>
+</appender>
+-->
+
+<!-- Security AUDIT Appender -->
+<appender name="AUDIT" class="org.jboss.logging.appender.DailyRollingFileAppender">
+  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+  <param name="File" value="${jboss.server.log.dir}/audit.log"/>
+  <param name="Append" value="true"/>
+  <param name="DatePattern" value="'.'yyyy-MM-dd"/>
+  <layout class="org.apache.log4j.PatternLayout">
+    <param name="ConversionPattern" value="%d %-5p [%c] (%t:%x) %m%n"/>
+  </layout>
+</appender>
+   
+   <!-- ================ -->
+   <!-- Limit categories -->
+   <!-- ================ -->
+
+<!-- Limit the org.apache category to INFO as its DEBUG is verbose -->
+<category name="org.apache">
+  <priority value="INFO"/>
+</category>
+...
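Review bot: most of this sample is not the AUDIT appender: the commented-out JMX notification appender above it and the "Limit categories" header plus org.apache category below it. Since the step says "Uncomment the appender definition", show only the `<!-- Security AUDIT Appender -->` block (ideally in its commented form, so the reader sees exactly which `<!--` and `-->` to remove); the surrounding JMX block invites a reader to uncomment the wrong appender. Indentation also jumps from column 0 to three spaces at the "Limit categories" comments. Worth stating in the chapter text: the appender sets no `Threshold`, so the TRACE-level events from the audit category reach `${jboss.server.log.dir}/audit.log` unfiltered and roll daily per `DatePattern`; readers sizing disk for the "high event volumes" the chapter warns about will want to know that.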

Added: projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/extras/jboss-log4j-Security_Audit_Provider_Category.xml_sample
===================================================================
--- projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/extras/jboss-log4j-Security_Audit_Provider_Category.xml_sample	                        (rev 0)
+++ projects/docs/enterprise/5.1/JBoss_Security_Chapter/en-US/extras/jboss-log4j-Security_Audit_Provider_Category.xml_sample	2010-02-17 06:01:22 UTC (rev 101059)
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- Limit the verbose MC4J EMS (lib used by admin-console) categories -->
+<category name="org.mc4j.ems">
+  <priority value="WARN"/>
+</category>
+   
+<!-- Show the evolution of the DataSource pool in the logs [inUse/Available/Max]
+<category name="org.jboss.resource.connectionmanager.JBossManagedConnectionPool">
+  <priority value="TRACE"/>
+</category>
+   -->
+
+<!-- Category specifically for Security Audit Provider -->
+<category name="org.jboss.security.audit.providers.LogAuditProvider" additivity="false">
+<priority value="TRACE"/>
+  <appender-ref ref="AUDIT"/>
+</category>
+
+   
+<!-- Limit the org.jboss.serial (jboss-serialization) to INFO as its DEBUG is verbose -->
+<category name="org.jboss.serial">
+  <priority value="INFO"/>
+</category>
+
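Review bot: the fragment opens with an `<?xml version="1.0" encoding="UTF-8"?>` declaration although it is an excerpt from the middle of jboss-log4j.xml (no root element) pulled in with parse="text"; drop the declaration, and, as with the appender sample, trim the unrelated org.mc4j.ems, JBossManagedConnectionPool and org.jboss.serial categories so that only the `<!-- Category specifically for Security Audit Provider -->` block the step asks the reader to uncomment is shown. `<priority value="TRACE"/>` inside that category is not indented to match `<appender-ref ref="AUDIT"/>`. The chapter should also mention `additivity="false"`: it is what keeps the TRACE audit events out of server.log, and without it every audit line would also be written to the root appenders.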
