Access Logging

Access to protected services can be logged. This option is disabled by default, but can be activated by adjusting the configuration. It is possible to configure logging for each supported service type separately. There are four types of LoggingHandlers that can be used in any combination.

LoggingHandler

GetRequestLoggingHandler

This handler logs the values of parameters of an HTTP GET request to the protected service. Each configured parameter is stored as a key together with its value. For parameters that cannot be resolved from the request, the string defined as valueNotFoundString is stored as the value.

<Entry>
    <Object class="de.conterra.suite.security.interceptor.logging.handler.GetRequestLoggingHandler">
        <Property name="valueNotFoundString" value="[request_parameter_not_found]" />
        <Property name="parameterList">
            <List>
                <Entry value="request" />
                <Entry value="service" />
                <Entry value="version" />
            </List>
        </Property>
    </Object>
</Entry>

ContentLoggingHandler

This handler logs the content of an HTTP POST request. The content to log is selected using XPath expressions. First, the mimeTypes the handler reacts to have to be configured. Then the namespaces used in the XPath expressions have to be declared in the property namespaces. Using the parameterMap, XPath expressions can then be defined that point to specific content. The selected content is stored with the name of the map entry as the key.

<Entry>
    <Object class="de.conterra.suite.security.interceptor.logging.handler.ContentLoggingHandler">
        <Property name="mimeTypes">
            <List>
                <Entry value="text/xml" />
                <Entry value="application/xml" />
            </List>
        </Property>
        <Property name="valueNotFoundString" value="[no_xpath_value_found]" />
        <Property name="namespaces">
            <Map>
                <Entry name="gml" value="http://www.opengis.net/gml" />
                <Entry name="wfs" value="http://www.opengis.net/wfs" />
                <Entry name="ogc" value="http://www.opengis.net/ogc" />
            </Map>
        </Property>
        <Property name="parameterMap">
            <Map>
                <Entry name="PropertyName" value="/wfs:GetFeature/wfs:Query/ogc:PropertyName/text()" />
                <Entry name="outputFormat" value="/wfs:GetFeature/@outputFormat" />
                <Entry name="BoundingBox_Coordinates" value="/wfs:GetFeature/wfs:Query/ogc:Filter/ogc:BBOX/gml:Box/gml:coordinates/text()" />
            </Map>
        </Property>
    </Object>
</Entry>

HeaderAttributesLoggingHandler

Using this handler, specific HTTP header attributes can be logged. They are defined in the property attributeList. The attribute names are stored as keys together with the corresponding values.

<Entry>
    <Object class="de.conterra.suite.security.interceptor.logging.handler.HeaderAttributesLoggingHandler">
        <Property name="valueNotFoundString" value="[http_header_attribute_not_found]" />
        <Property name="attributeList">
            <List>
                <Entry value="X-Forwarded-For" />
                <Entry value="Accept-Charset" />
                <Entry value="Accept-Encoding" />
                <Entry value="Accept-Language" />
                <Entry value="User-Agent" />
                <Entry value="Host" />
            </List>
        </Property>
    </Object>
</Entry>

SpecialParameterLoggingHandler

This handler logs values for predefined keys. The following keys are available:

username: Logs the name of the user.

timestamp: Logs the timestamp of the access.

request: Logs the complete request (no matter if HTTP GET or POST).

base_url: Logs the WSS base URL.

path_info: Logs path information, if available.

secured_service_url: Logs the URL of the protected service.

<Entry>
    <Object class="de.conterra.suite.security.interceptor.logging.handler.SpecialParameterLoggingHandler">
        <Property name="valueNotFoundString" value="[value_not_found]" />
        <Property name="parameterList">
            <List>
                <Entry value="timestamp" />
                <Entry value="username" />
                <Entry value="request" />
                <Entry value="base_url" />
                <Entry value="path_info" />
                <Entry value="secured_service_url" />
            </List>
        </Property>
    </Object>
</Entry>

LoggerChain

The individual handlers are included in a LoggerChain, which is processed in a separate interceptor. The position of this interceptor influences the logging results: if the logging interceptor is configured as the first interceptor in the chain, the original requests are logged. If it is configured as the last interceptor, the request may already have been modified by the preceding interceptors; in that case the modified request is logged.

<Interceptor class="de.conterra.suite.security.interceptor.logging.LoggingInterceptor">
    <Property name="inputLoggerChainList">
        <List>
            <Entry>
                <Object class="de.conterra.suite.security.interceptor.logging.handler.LoggerChain">
                    <Property name="loggingHandlerList">
                        <List>
                            <Entry>
                                <Object class="de.conterra...handler.SpecialParameterLoggingHandler">
                                    ...
                                </Object>
                            </Entry>
                            <Entry>
                                ...
                            </Entry>
                        </List>
                    </Property>
                </Object>
            </Entry>
        </List>
    </Property>
</Interceptor>

The logging interceptor is configured in the module file of each service whose access shall be logged. These files are in the folder [SECMAN_INSTALL]/webapp/wss/WEB-INF/classes/enforcementpoint-modules. Sample configurations can be found in the modules for WMS and ArcGIS Server.

The log results are stored in the Tomcat standard log folder in the file ct-security-<version>-wss-access.log. For each request, a new line is added to this file. Folder and file name can be changed in the file [INSTALL_FOLDER]/webapp/wss/WEB-INF/classes/log4j.xml for the appender ACCESS_LOGFILE. Classes referenced inside log4j.xml for access logging have to be available as JAR files inside the folder [INSTALL_FOLDER]/webapp/wss/WEB-INF/classes/access-log-lib.

The results are stored in a CSV file. The layout of this file can be changed by configuration.

<layout class="de.conterra.suite.security.interceptor.logging.CSVLogInterceptorLayout">
    <param name="ShowKeys" value="true" />
    <param name="KeyValueSeparator" value="=" />
    <param name="ValueSeparator" value=";" />
    <param name="EntrySeparator" value="," />
    <param name="Prefix" value="Logging-Interceptor: " />
    <param name="Suffix" value=" - End of Entry" />
</layout>

The configuration shown leads to the following entry in the log file (one line, wrapped here for readability):

Logging-Interceptor: timestamp=2010-08-31 09:00:57.057,username=user1,base_url=http://localhost:8080/wss/service/my_wfs/httpauth,
secured_service_url=http://localhost:8080/mywfs/DATA,X-Forwarded-For=127.0.0.1,Accept-Encoding=gzip,
Accept-Language=[http_header_attribute_not_found],User-Agent=uDig 1.2.0 (http://udig.refractions.net) Java/1.6.0_17,
Host=localhost:8080,outputFormat=GML2,BoundingBox_Coordinates=-202.9635499207607,-91.71156893819334 202.9635499207607,91.71156893819334,
PropertyName=GEOM - End of Entry