Security Auditing in JBoss Application Server v5.x

by Anil Saldhana · Feb. 18, 09

Security event auditing in the various containers of a Java EE application server helps administrators and developers keep a tab on the server, in development as well as in production, and it also helps organizations meet legal requirements. Current and forthcoming government regulations in many countries mandate auditing for the operation of enterprise applications, and standards such as PCI-DSS and SOX require appropriate controls as well as audit trails in enterprises.

The security audit service in JBoss AS 5 records security events such as authentication and authorization in the web and EJB layers. The default audit provider in JBoss AS 5 is the Log4J audit provider, so you do not need to define it explicitly for a security domain. The administrator or developer does, however, need to enable security audit for the EJB and web applications: audit is not enabled by default because it can have a performance impact, so it should be switched on on demand or as needed.

Enabling the audit service

To enable the audit feature, you need to uncomment the security audit 'category' in jboss-log4j.xml in the 'conf' directory.

<!-- Category specifically for Security Audit Provider -->
<category name="org.jboss.security.audit.providers.LogAuditProvider" additivity="false">
<priority value="TRACE"/>
<appender-ref ref="AUDIT"/>
</category>

and the 'AUDIT' appender.

<!-- Security AUDIT Appender -->
<appender name="AUDIT" class="org.jboss.logging.appender.DailyRollingFileAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="File" value="${jboss.server.log.dir}/audit.log"/>
<param name="Append" value="true"/>
<param name="DatePattern" value="'.'yyyy-MM-dd"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%c] (%t:%x) %m%n"/>
</layout>
</appender>

Enabling Audit for the EJB Container

Enabling the audit service as above is all that is required for the EJB container; EJB audit is then enabled. You should see the audit entries in a file called 'audit.log' in the log directory of your server configuration.

In operation, the event entry for a successful EJB invocation looks like this:

2008-12-05 16:08:26,719 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2:) [Success]policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518}:method=public abstract org.jboss.test.security.interfaces.RunAsServiceRemote org.jboss.test.security.interfaces.RunAsServiceRemoteHome.create() throws java.rmi.RemoteException,javax.ejb.CreateException:ejbMethodInterface=Home:ejbName=RunAs:ejbPrincipal=jduke:MethodRoles=Roles(identitySubstitutionCaller,):securityRoleReferences=null:callerSubject=Subject:
Principal: [roles=[identitySubstitutionCaller, extraRunAsRole],principal=runAsUser]
Principal: Roles(members:extraRunAsRole,identitySubstitutionCaller)
:callerRunAs=[roles=[identitySubstitutionCaller, extraRunAsRole],principal=runAsUser]:callerRunAs=[roles=[identitySubstitutionCaller, extraRunAsRole],principal=runAsUser]:ejbRestrictionEnforcement=false:ejbVersion=null];Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;

 

An unsuccessful EJB invocation would look like:

[Error]policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518}:method=public java.security.Principal org.jboss.test.security.ejb3.SimpleStatelessSessionBean.invokeUnavailableMethod():ejbMethodInterface=Remote:ejbName=SimpleStatelessSessionBean:ejbPrincipal=UserA:MethodRoles=Roles(<NOBODY>,):securityRoleReferences=null:callerSubject=Subject:
Principal: UserA
Principal: Roles(members:RegularUser,Administrator)
:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization Failed: ;

Enabling Audit for the Web Container

For web applications, you need to perform the following additional steps:

1) In the deploy/jbossweb.sar/server.xml file, add an attribute called enableAudit="true" to the Realm element:

<Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
allRolesMode="authOnly"
enableAudit="true"
/>

2) The auditing level for web applications must be specified via a system property, either in the run.bat/run.conf start scripts or in deploy/properties-service.xml. The system property is:

-Dorg.jboss.security.web.audit=headers,cookies,parameters

The accepted values for this property, as documented in the source comment, are:

/** System Property setting to configure the web audit
 * off = turn it off
 * headers = audit the headers
 * cookies = audit the cookies
 * parameters = audit the parameters
 * attributes = audit the attributes
 * headers,cookies,parameters = audit the headers, cookies and parameters
 * headers,cookies = audit the headers and cookies
 */
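The three settings above can be verified mechanically before the server is restarted. The following Python script is an added example, not part of JBoss or of the original article: it parses a conf/jboss-log4j.xml document for the LogAuditProvider category and the AUDIT appender, checks that the JBossWebRealm in server.xml carries enableAudit="true", and validates a -Dorg.jboss.security.web.audit value against the levels listed in the comment block. The XML documents are constructed from the fragments shown above; the function names, the rule that unknown tokens or 'off' combined with other levels are errors, and the sensitivity warning are this example's assumptions rather than documented JBoss behaviour.

```python
"""Added example (not JBoss code): check that a JBoss AS 5 configuration has
security auditing enabled as described above. The XML documents below are
constructed from the fragments in the article, not real server files."""
from __future__ import annotations

import xml.etree.ElementTree as ET

AUDIT_CATEGORY = "org.jboss.security.audit.providers.LogAuditProvider"
WEB_REALM = "org.jboss.web.tomcat.security.JBossWebRealm"
# Levels listed in the org.jboss.security.web.audit comment block.
WEB_AUDIT_LEVELS = {"off", "headers", "cookies", "parameters", "attributes"}
# Levels that copy request data into audit.log; the article's own samples show
# the authorization header being written, so the file needs protecting.
SENSITIVE_LEVELS = {"headers", "cookies", "parameters"}


def check_log4j(xml_text: str) -> list[str]:
    """Return problems found in a conf/jboss-log4j.xml document."""
    root = ET.fromstring(xml_text)
    # A category still wrapped in an XML comment is invisible to the parser,
    # which is exactly the "not yet uncommented" state.
    cat = next((c for c in root.iter("category") if c.get("name") == AUDIT_CATEGORY), None)
    if cat is None:
        return [f"category {AUDIT_CATEGORY} is missing (still commented out?)"]
    problems = []
    prio = cat.find("priority")
    if prio is None or prio.get("value", "").upper() != "TRACE":
        problems.append("audit category priority must be TRACE; events are logged at TRACE")
    if "AUDIT" not in {r.get("ref") for r in cat.findall("appender-ref")}:
        problems.append("audit category does not reference the AUDIT appender")
    if cat.get("additivity", "true").lower() != "false":
        problems.append('audit category should set additivity="false"')
    if not any(a.get("name") == "AUDIT" for a in root.iter("appender")):
        problems.append("AUDIT appender is not defined")
    return problems


def check_realm(xml_text: str) -> list[str]:
    """Return problems found in deploy/jbossweb.sar/server.xml."""
    root = ET.fromstring(xml_text)
    realms = [r for r in root.iter("Realm") if r.get("className") == WEB_REALM]
    if not realms:
        return [f"no Realm with className {WEB_REALM} found"]
    return ['JBossWebRealm does not set enableAudit="true"'
            for r in realms if r.get("enableAudit", "false").lower() != "true"]


def check_web_audit_property(value: str) -> tuple[list[str], list[str]]:
    """Validate a -Dorg.jboss.security.web.audit value; return (problems, warnings).
    Rejecting unknown tokens and 'off' mixed with other levels is this checker's
    assumption, not documented JBoss behaviour."""
    levels = [p.strip().lower() for p in value.split(",") if p.strip()]
    problems, warnings = [], []
    if not levels:
        problems.append("empty value; use 'off' to disable auditing explicitly")
    unknown = sorted(set(levels) - WEB_AUDIT_LEVELS)
    if unknown:
        problems.append(f"unknown web audit level(s): {', '.join(unknown)}")
    if "off" in levels and len(levels) > 1:
        problems.append("'off' combined with other levels is ambiguous")
    for lvl in sorted(SENSITIVE_LEVELS & set(levels)):
        warnings.append(f"{lvl}: request data is copied into audit.log; restrict access to the file")
    return problems, warnings


# Constructed sample documents, modelled on the fragments in the article.
LOG4J_ENABLED = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="AUDIT" class="org.jboss.logging.appender.DailyRollingFileAppender">
    <param name="File" value="${jboss.server.log.dir}/audit.log"/>
  </appender>
  <category name="org.jboss.security.audit.providers.LogAuditProvider" additivity="false">
    <priority value="TRACE"/>
    <appender-ref ref="AUDIT"/>
  </category>
</log4j:configuration>"""

# The stock file ships with the category commented out.
LOG4J_DEFAULT = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <!-- <category name="org.jboss.security.audit.providers.LogAuditProvider" additivity="false">
    <priority value="TRACE"/><appender-ref ref="AUDIT"/></category> -->
</log4j:configuration>"""

SERVER_XML_ENABLED = """<Server><Service name="jboss.web"><Engine name="jboss.web">
  <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
         certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
         allRolesMode="authOnly" enableAudit="true"/>
</Engine></Service></Server>"""

SERVER_XML_DEFAULT = SERVER_XML_ENABLED.replace(' enableAudit="true"', "")

if __name__ == "__main__":
    print("jboss-log4j.xml:", check_log4j(LOG4J_DEFAULT) or "OK")
    print("server.xml:", check_realm(SERVER_XML_DEFAULT) or "OK")
    print("web audit property:", check_web_audit_property("headers,cookies,parameters"))
```

Run it against the real files by reading them from disk and passing the text to the two check functions; the warnings from check_web_audit_property are the reminder that, once headers, cookies or parameters are audited, audit.log holds the same secrets the requests did.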

Audit entries for web invocations then appear in audit.log in the server's log directory, as follows:

2008-12-05 16:08:38,997 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-17:) [Success]policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518;Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518,securityConstraints=[Lorg.apache.catalina.deploy.SecurityConstraint;@6feeae6, resourcePermissionCheck=true},canonicalRequestURI=/restricted/get-only/x,request=[/web-constraints:cookies=null:headers=user-agent=Jakarta Commons-HttpClient/3.0,authorization=host=localhost:8080,][parameters=],CodeSource=null];securityConstraints=SecurityConstraint[RestrictedAccess - Get Only];Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;resourcePermissionCheck=true;Exception:=;

2008-12-05 16:08:41,561 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-4:) [Failure]principal=anil;Source=org.jboss.web.tomcat.security.JBossWebRealm;request=[/jaspi-web-basic:cookies=null:headers=user-agent=Jakarta Commons-HttpClient/3.0,authorization=host=localhost:8080,][parameters=][attributes=];2008-12-05 16:07:30,129 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (WorkerThread#1[127.0.0.1:55055]:)

 

You can enable the RequestDumperValve and AccessLogValve in server.xml to get further information on the requests coming into the server as well as the standard web server access log.

As the audit log shows, both successful and failed authentication/authorization events for web and EJB applications are logged.
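To show how the EJB and web entries above can be consumed by a monitoring job, here is an added Python example (not part of JBoss or of the article) that parses LogAuditProvider entries, including the multi-line EJB entries, into structured records and counts Failure/Error events per principal. The sample log text is constructed in the same format as the entries above with shortened bodies; the regular expressions and the field names are assumptions derived from those samples, not from the JBoss source.

```python
"""Added example (not JBoss code): parse JBoss AS 5 LogAuditProvider entries
from audit.log and count failed authentication/authorization events per
principal. The sample entries below are constructed in the article's format."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# First line of an entry. The log4j prefix (timestamp, logger, thread) is
# optional so that a bare "[Error]..." fragment is still recognised.
ENTRY_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) TRACE "
    r"\[org\.jboss\.security\.audit\.providers\.LogAuditProvider\] "
    r"\((?P<thread>[^)]*)\) )?"
    r"\[(?P<outcome>Success|Failure|Error)\](?P<body>.*)$"
)
# Field patterns are assumptions derived from the sample entries, not from
# the JBoss source.
RESOURCE_RE = re.compile(r"Resource:=\[org\.jboss\.security\.authorization\.resources\.(\w+)")
EJB_PRINCIPAL_RE = re.compile(r"ejbPrincipal=([^:;\]]+)")
PRINCIPAL_RE = re.compile(r"(?<![A-Za-z])principal=([^;:\],]+)")  # realm failures
EJB_NAME_RE = re.compile(r"ejbName=([^:;\]]+)")
URI_RE = re.compile(r"canonicalRequestURI=([^,\]]+)")
REQUEST_RE = re.compile(r"request=\[([^:\]]+)")
EXCEPTION_RE = re.compile(r"Exception:=([^;]*);")


@dataclass
class AuditEntry:
    timestamp: str
    thread: str
    outcome: str    # Success | Failure | Error
    layer: str      # EJB | Web | unknown
    principal: str  # "<none>" when the entry carries no principal
    target: str     # ejbName or request URI
    exception: str  # text after "Exception:=" (empty on success)


def _build(ts, thread, outcome, body) -> AuditEntry:
    m = RESOURCE_RE.search(body)
    if m:
        layer = {"EJBResource": "EJB", "WebResource": "Web"}.get(m.group(1), m.group(1))
    elif "JBossWebRealm" in body:
        layer = "Web"  # authentication failures are reported by the realm itself
    else:
        layer = "unknown"
    pm = EJB_PRINCIPAL_RE.search(body) or PRINCIPAL_RE.search(body)
    tm = EJB_NAME_RE.search(body) or URI_RE.search(body) or REQUEST_RE.search(body)
    em = EXCEPTION_RE.search(body)
    return AuditEntry(ts or "", thread or "", outcome, layer,
                      pm.group(1) if pm else "<none>",
                      tm.group(1) if tm else "<none>",
                      em.group(1).strip() if em else "")


def parse_audit_log(text: str) -> list[AuditEntry]:
    """EJB entries span several lines (the Principal: lines of the caller
    Subject), so any line that does not start an entry continues the last."""
    raw = []  # [ts, thread, outcome, body]
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            raw.append([m["ts"], m["thread"], m["outcome"], m["body"]])
        elif raw:
            raw[-1][3] += " " + line.strip()
    return [_build(*r) for r in raw]


def failures_by_principal(entries: list[AuditEntry]) -> Counter:
    """Failure/Error count per principal; a spike here is what to alert on."""
    return Counter(e.principal for e in entries if e.outcome != "Success")


# Constructed sample in the LogAuditProvider format (bodies shortened).
SAMPLE_AUDIT_LOG = """\
2008-12-05 16:08:26,719 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2:) [Success]policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518;Resource:=[org.jboss.security.authorization.resources.EJBResource:method=public abstract org.jboss.test.security.interfaces.RunAsServiceRemote org.jboss.test.security.interfaces.RunAsServiceRemoteHome.create():ejbMethodInterface=Home:ejbName=RunAs:ejbPrincipal=jduke:MethodRoles=Roles(identitySubstitutionCaller,):callerSubject=Subject:
Principal: [roles=[identitySubstitutionCaller, extraRunAsRole],principal=runAsUser]
Principal: Roles(members:extraRunAsRole,identitySubstitutionCaller)
:callerRunAs=[roles=[identitySubstitutionCaller, extraRunAsRole],principal=runAsUser]:ejbVersion=null];Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;
2008-12-05 16:08:30,002 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-5:) [Error]policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518;Resource:=[org.jboss.security.authorization.resources.EJBResource:method=public java.security.Principal org.jboss.test.security.ejb3.SimpleStatelessSessionBean.invokeUnavailableMethod():ejbMethodInterface=Remote:ejbName=SimpleStatelessSessionBean:ejbPrincipal=UserA:MethodRoles=Roles(<NOBODY>,):callerSubject=Subject:
Principal: UserA
Principal: Roles(members:RegularUser,Administrator)
:callerRunAs=null:ejbVersion=null];Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization Failed: ;
2008-12-05 16:08:38,997 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-17:) [Success]policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518;Resource:=[org.jboss.security.authorization.resources.WebResource:canonicalRequestURI=/restricted/get-only/x,request=[/web-constraints:cookies=null:headers=user-agent=Jakarta Commons-HttpClient/3.0,][parameters=],CodeSource=null];Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;Exception:=;
2008-12-05 16:08:41,561 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-4:) [Failure]principal=anil;Source=org.jboss.web.tomcat.security.JBossWebRealm;request=[/jaspi-web-basic:cookies=null:headers=user-agent=Jakarta Commons-HttpClient/3.0,][parameters=][attributes=];
2008-12-05 16:08:42,103 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-4:) [Failure]principal=anil;Source=org.jboss.web.tomcat.security.JBossWebRealm;request=[/jaspi-web-basic:cookies=null:headers=user-agent=Jakarta Commons-HttpClient/3.0,][parameters=][attributes=];
"""

if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in entries:
        print(f"{e.timestamp} {e.outcome:7} {e.layer:3} {e.principal:8} {e.target} {e.exception}")
    print("failures per principal:", dict(failures_by_principal(entries)))
```

The parser keys on the [Success]/[Failure]/[Error] marker rather than on the timestamp prefix, so it also accepts a fragment such as the unprefixed [Error] entry shown earlier; feeding it a real audit.log is a matter of passing the file's text to parse_audit_log.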

Q: Why are there so many additional controls in the configuration for auditing the web layer?

A: Since logging can reveal sensitive information (the web sample above shows request headers, including the authorization header, being written to the log), the administrator needs finer control over which parts of the web request get logged.

Q: What should I do if I want the audit events to be logged to a different store, such as a database?

A: Have a look at the Log4J appenders. By configuring a different appender for the AUDIT category, the log entries can be sent to a database, e-mail, syslog and so on.

Class Diagram

The following is the UML class diagram of the audit framework.

[Figure: UML class diagram of the audit framework; the image is not reproduced here.]

If you are interested in writing your own audit provider, you can subclass AbstractAuditProvider. For configuration, you use the <audit> element of the security domain configuration in JBoss AS 5.x.

 

Future Work

Currently the auditing service logs events mainly for the web and EJB layers.  It needs to be extended to other containers in the JBoss Application Server such as messaging, JCA etc (whose events currently go into the application server's default log, the server.log in the logs directory).

Conclusion

Auditing can prove to be a vital debugging tool for developers of Web or EJB based applications. System administrators can use it to constantly monitor the operation of the server. It can aid in your corporate efforts to maintain compliance with Government regulations.

About the Author: Anil Saldhana is the Lead Security Architect at JBoss. He blogs at http://anil-identity.blogspot.com
