Configure Spring Authentication and Authorization Audit Logs for MDC
There are two Spring audit logs: Spring Authentication and Spring Authorization. These logs independently capture authentication failures and successes, and URL authorization failures and successes. They are separate from the Spring runtime process logging found with the ABL Session Manager, and they can be turned on without recording Spring runtime logging. They are off by default and must be explicitly turned on.
Each deployed ABL application has its own set of authentication and authorization audit logs.
To turn on Spring Authentication and Authorization MDC logging, follow these instructions:
1. Verify that each target application has the following entry in the webapps/<appname>/WEB-INF/logging.xml file:
<include optional="true" file="${catalina.base}/conf/logging-security.xml" />
2. Locate the conf/logging-security.xml for your target instance.
3. Edit the logging-security.xml file to turn Spring Security client authentication and URL authorization events on.
The default event logging level is OFF, which means no log files are created.
The properties are shown below; the value attribute is the part that needs to be edited:
<property scope="system" name="oeLogging.audit.authn.level" value="OFF" />
<property scope="system" name="oeLogging.audit.authz.level" value="OFF" />
The valid values are listed in the following table:
Value | Description
OFF | No security event logging will be recorded, nor will a log file be created. This is the default value.
ERROR | Record failure information only.
INFO | Record both failure and success information.
4. After the Spring Authentication and Authorization logs are set to ERROR or INFO, set the MDC field values as needed.
Locate the authn (authentication) and authz (authorization) pattern elements in the logging.xml. These are two independent logging categories. Find the authn logging pattern, which looks similar to this:
<pattern>%d{HH:mm:ss.SSS}/%r [%thread] %-5level %logger{36} - %msg%n</pattern>
5. Edit the values to incorporate MDC field names, as in the following example:
<pattern>%d{HH:mm:ss.SSS}/%r ${contextName} %X{OEReq.requestId} %X{OEReq.remoteHost} %X{OESec.eventStatus} %X{OESec.loginPrincipal} - %X{OESec.failReason} - %X{OESec.failDetails}%n</pattern>
6. Edit the authz pattern in a similar manner.
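As an added example that is not part of the PAS for OpenEdge documentation or product: a small Python script that parses lines written by the authn pattern from step 5 and counts authentication failures per remote host, the kind of check an operator would run over the audit log. It assumes the constructed sample lines below and that ${contextName} expands to a single token with no spaces.

```python
import re
from collections import Counter, defaultdict

# Matches one line produced by the step 5 authn pattern:
#   %d{HH:mm:ss.SSS}/%r ${contextName} %X{OEReq.requestId} %X{OEReq.remoteHost}
#   %X{OESec.eventStatus} %X{OESec.loginPrincipal} - %X{OESec.failReason} - %X{OESec.failDetails}%n
# A missing MDC key is rendered by logback as an empty string, so the
# failReason/failDetails columns are empty on a "success" line.
AUTHN_LINE = re.compile(
    r"^\s*(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})/(?P<uptime_ms>\d+) "
    r"(?P<context>\S+) (?P<request_id>\S+) (?P<remote_host>\S+) "
    r"(?P<status>success|failure) (?P<principal>\S*) - "
    r"(?P<fail_reason>.*?) -\s*(?P<fail_details>.*)$"
)

# Constructed sample log (contextName "oepas1" and all values are made up).
SAMPLE_AUTHN_LOG = """\
10:15:32.123/45123 oepas1 req-0001 10.0.0.5 success alice -  -
10:15:40.511/53511 oepas1 req-0002 10.0.0.9 failure bob - Bad credentials - Invalid password
10:15:41.002/54002 oepas1 req-0003 10.0.0.9 failure bob - Bad credentials - Invalid password
10:15:41.620/54620 oepas1 req-0004 10.0.0.9 failure carol - Bad credentials - Invalid password
10:15:42.300/55300 oepas1 req-0005 10.0.0.9 failure bob - Bad credentials - Invalid password
10:15:50.000/63000 oepas1 req-0006 10.0.0.5 failure alice - Bad credentials - Invalid password
"""


def parse_authn_line(line):
    """Return the MDC fields of one authn audit line as a dict, or None if it does not match."""
    m = AUTHN_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def failures_by_host(lines):
    """Count 'failure' events per OEReq.remoteHost."""
    counts = Counter()
    for line in lines:
        ev = parse_authn_line(line)
        if ev and ev["status"] == "failure":
            counts[ev["remote_host"]] += 1
    return counts


def principals_by_host(lines):
    """Distinct OESec.loginPrincipal values that failed from each host (many names from one host is worth a look)."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_authn_line(line)
        if ev and ev["status"] == "failure":
            seen[ev["remote_host"]].add(ev["principal"])
    return dict(seen)


def hosts_over_threshold(lines, threshold=3):
    """Hosts whose failure count reaches the threshold, sorted for stable output."""
    return sorted(h for h, n in failures_by_host(lines).items() if n >= threshold)


if __name__ == "__main__":
    sample = SAMPLE_AUTHN_LOG.splitlines()
    print("failures per host:", dict(failures_by_host(sample)))
    print("hosts at or over threshold:", hosts_over_threshold(sample))
```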
The supported MDC fields for each logging pattern are described below.
Supported MDC field names for Spring Authentication and Authorization logs
The Spring Authentication and Spring Authorization audit logs monitor for different events.
Spring Authentication logging fields
The list of critical information fields related to Spring Security Authentication login pass/fail events includes:
MDC field name | Logging Field Description | ABL Application Log Syntax
OESec.eventType | The type of Spring Security process being reported: "Authentication" | %X{OESec.eventType}
OESec.eventStatus | The result of the client authentication process: { "success" | "failure" } | %X{OESec.eventStatus}
OESec.loginPrincipal | The account name asserted by the client for authentication | %X{OESec.loginPrincipal}
OESec.failReason | A simple string holding the reason for the authentication failure | %X{OESec.failReason}
OESec.failDetails | A more verbose string holding additional failure information | %X{OESec.failDetails}
OEReq.xxxxxx | The value of the HTTP Request. | %X{OEReq.xxxxxx}
OEReqHead.xxxxxx | The value of the HTTP Request Header. | %X{OEReqHead.xxxxxx}
Note: For more information about OEReq and OEReqHead MDC field names, see the Supported HTTP Request MDC Field Names table in the Configure ABL Spring and Session Manager Logs for MDC topic.
Spring Authorization logging fields
The list of critical information fields related to Spring Security URL authorization includes:
MDC Field Name | Logging Field Description | ABL Application Log Syntax
OESec.eventType | The type of Spring Security process being reported: "Authorization" | %X{OESec.eventType}
OESec.eventStatus | The results of the client authentication process: { "granted" | "denied" } | %X{OESec.eventStatus}
OESec.authzUserId | The authenticated client's account name whose ROLEs are tested for URL access | %X{OESec.authzUserId}
OESec.failObj | The URL resource name being authorized | %X{OESec.failObj}
OESec.failAttrs | The authenticated client's account attributes used for authorizing URL access | %X{OESec.failAttrs}
OEReq.xxxxxx | The value of the HTTP Request. | %X{OEReq.xxxxxx}
OEReqHead.xxxxxx | The value of the HTTP Request Header. | %X{OEReqHead.xxxxxx}
Note: For more information about OEReq and OEReqHead MDC field names, see the Supported HTTP Request MDC Field Names table in the Configure ABL Spring and Session Manager Logs for MDC topic.
Note: HTTP Request header fields are also supported for each audit log. For more information, see Configure MDC access to HTTP Request Headers.