[jboss-jira] [JBoss JIRA] (SECURITY-978) Remove DEBUG message in server logs while calling isCallerInRole(String roleName) method

Ilia Vassilev (JIRA) issues at jboss.org
Sat Sep 30 08:57:00 EDT 2017


    [ https://issues.jboss.org/browse/SECURITY-978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13470399#comment-13470399 ] 

Ilia Vassilev commented on SECURITY-978:
----------------------------------------

PR: https://github.com/picketbox/picketbox/pull/72

> Remove DEBUG message in server logs while calling isCallerInRole(String roleName) method
> ----------------------------------------------------------------------------------------
>
>                 Key: SECURITY-978
>                 URL: https://issues.jboss.org/browse/SECURITY-978
>             Project: PicketBox 
>          Issue Type: Bug
>         Environment: Red Hat JBoss Enterprise Application Platform 7.0.x
>            Reporter: Ilia Vassilev
>            Assignee: Ilia Vassilev
>
> While explicitly checking the user roles in the EJB code using context.isCallerInRole(String roleName), when it returns false the exception message below gets printed at the DEBUG level in the server.log file.
> {code:java}
> 2017-09-13 21:10:24,549 DEBUG [org.jboss.security] sessionhash="b34cb4c5c50e3eefbe4f924ee42fa658" requestid="33015X1505317224509" username="adm2.lg" src_ip="127.0.0.1" PBOX00326: isCallerInRole processing failed: org.jboss.security.authorization.AuthorizationException: PBOX00017: Acces denied: authorization failed 
>     at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:274)
>     at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:71)
>     at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:147)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:143)
>     at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:438)
>     at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115)
>     at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:187)
>     at org.jboss.as.security.service.SimpleSecurityManager.isCallerInRole(SimpleSecurityManager.java:229)
>     at org.jboss.as.ejb3.component.EJBComponent.isCallerInRole(EJBComponent.java:400)
>     at org.jboss.as.ejb3.context.EJBContextImpl.isCallerInRole(EJBContextImpl.java:115)
> {code}
> The exception seems to be printed at DEBUG at the line below:
> {code:java}
>  https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/javaee/EJBAuthorizationHelper.java#L193
> {code}
> This should not be logged as an exception message; a single line in the DEBUG logs should be enough.
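The failure mode described in the report, a denied role check treated as an error and logged with its full stack trace, can be shown in a few lines. The following is an added example and is not PicketBox code nor the code changed in the linked PR: the `DeniedException`, `authorize`, `isCallerInRoleNoisy` and `isCallerInRoleQuiet` names are hypothetical stand-ins, and the logger is plain `java.util.logging` rather than the `org.jboss.security` logger. The "noisy" variant attaches the throwable to the debug record (so a stack trace ends up in server.log for every expected "no"); the "quiet" variant records the same outcome as one line and keeps stack traces for genuinely unexpected failures.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

/** Hypothetical stand-in for the authorization exception raised when a role check is denied. */
class DeniedException extends Exception {
    DeniedException(String msg) { super(msg); }
}

public class RoleCheckLogging {
    private static final Logger LOG = Logger.getLogger("org.example.security");

    /** Simulated authorization manager: a missing role is signalled by throwing, as in the reported trace. */
    static void authorize(Set<String> callerRoles, String roleName) throws DeniedException {
        if (!callerRoles.contains(roleName)) {
            throw new DeniedException("Access denied: authorization failed");
        }
    }

    /** Before: an expected denial is logged as an exception, stack trace included. */
    static boolean isCallerInRoleNoisy(Set<String> callerRoles, String roleName) {
        try {
            authorize(callerRoles, roleName);
            return true;
        } catch (DeniedException e) {
            LOG.log(Level.FINE, "isCallerInRole processing failed", e); // throwable attached -> stack trace in the log
            return false;
        }
    }

    /** After: a denial is a normal outcome of the check; one debug line, no throwable. */
    static boolean isCallerInRoleQuiet(Set<String> callerRoles, String roleName) {
        try {
            authorize(callerRoles, roleName);
            return true;
        } catch (DeniedException e) {
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("isCallerInRole: caller is not in role '" + roleName + "'");
            }
            return false;
        }
    }

    /** Captures the records emitted while an action runs so the two variants can be compared. */
    static List<LogRecord> captureRecords(Runnable action) {
        List<LogRecord> records = new ArrayList<>();
        Handler handler = new Handler() {
            @Override public void publish(LogRecord r) { records.add(r); }
            @Override public void flush() {}
            @Override public void close() {}
        };
        LOG.setLevel(Level.FINE);
        LOG.setUseParentHandlers(false);
        LOG.addHandler(handler);
        try {
            action.run();
        } finally {
            LOG.removeHandler(handler);
        }
        return records;
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("user"); // constructed sample: the caller holds only "user"
        List<LogRecord> noisy = captureRecords(() -> isCallerInRoleNoisy(roles, "admin"));
        List<LogRecord> quiet = captureRecords(() -> isCallerInRoleQuiet(roles, "admin"));
        System.out.println("noisy variant attached a throwable: " + (noisy.get(0).getThrown() != null));
        System.out.println("quiet variant attached a throwable: " + (quiet.get(0).getThrown() != null));
    }
}
```

Both variants return false for the same input; the only difference is what reaches the log. Keeping the throwable out of the record for an expected denial avoids filling server.log with stack traces on every negative role check, and the trace is still available for the unexpected case, where the exception is not a `DeniedException` and propagates instead of being swallowed.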



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
