Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Log IP / User Agent for invalid ApiKeys and JWTs #477

Open
valentijnscholten opened this issue Mar 8, 2023 · 0 comments
Open

Log IP / User Agent for invalid ApiKeys and JWTs #477

valentijnscholten opened this issue Mar 8, 2023 · 0 comments

Comments

@valentijnscholten
Copy link

Currently when an invalid ApiKey or JWT is provided, only the string Invalid API key asserted or Invalid JWT asserted is logged.

final ApiKeyAuthenticationService apiKeyAuthService = new ApiKeyAuthenticationService(request);
if (apiKeyAuthService.isSpecified()) {
try {
principal = apiKeyAuthService.authenticate();
} catch (AuthenticationException e) {
LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "Invalid API key asserted");
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
return;
}
}
final JwtAuthenticationService jwtAuthService = new JwtAuthenticationService(request);
if (jwtAuthService.isSpecified()) {
try {
principal = jwtAuthService.authenticate();
} catch (AuthenticationException e) {
LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "Invalid JWT asserted");
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
return;
}
}

Suggested change is to log also IP and User Agent, similar to other security events being logged.

I tried a quick PR to do the as in AlpineResource but not sure if injecting a HttpServletRequest here is appropiate. Maybe a global logSecurityEvent utility method should be made supporting all scenario's.

/**
* Logs a security event to the security audit log. Expects one of:
* {@link SecurityMarkers#SECURITY_AUDIT}
* {@link SecurityMarkers#SECURITY_SUCCESS}
* {@link SecurityMarkers#SECURITY_FAILURE}
* @param logger the logger to use
* @param marker the marker to add to the event
* @param message the initial content of the event
* @since 1.0.0
*/
protected void logSecurityEvent(final Logger logger, final Marker marker, final String message) {
if (!(SecurityMarkers.SECURITY_AUDIT == marker ||
SecurityMarkers.SECURITY_SUCCESS == marker ||
SecurityMarkers.SECURITY_FAILURE == marker)) {
return;
}
final StringBuilder sb = new StringBuilder();
sb.append(message).append(" ");
if (getPrincipal() != null) {
sb.append("by: ").append(getPrincipal().getName()).append(" ");
}
sb.append("/ IP Address: ").append(getRemoteAddress()).append(" ");
sb.append("/ User Agent: ").append(getUserAgent());
logger.info(marker, sb.toString());
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants