As Marvin pointed out, most of these are covered via either standard logging
or actual Auditing.

With regards to services management, we could probably add Hibernate Envers
relatively easily.  That might be the only one that could be easily done for
CAS 3.4.6.  I've got experience with doing it for OpenRegistry.


On Mon, Jan 10, 2011 at 11:46 AM, Marvin Addison
<[email protected]> wrote:

> > Basically, every audit record should have:
> > • remote username
> > • remote user's IP address
> > • time and date
> > • the service being accessed
> > • description of the event...
> > • local host's name and IP address (and domain if available)
>
> This logging data is available using Inspektr,
> https://wiki.jasig.org/display/CASUM/Auditing+and+Statistics+Via+Inspektr.
>  Logging to file and database are supported.
>
> > The events that should be audited:
> > • system startup and shutdown
>
> Not currently supported via Inspektr.  You could probably hook the
> Spring context initialization/teardown via AOP to accomplish this.
> Obviously these events are logged via standard application logging,
> but not consolidated with the audit data as you likely want.
>
> > • authentication and ticket creation - successful and unsuccessful
> > • ticket validation (esp. including the service being accessed) - successful and unsuccessful
>
> Inspektr includes these in audit data.
>
> > • single sign-off - successful and unsuccessful
>
> Not supported at present.  You could hook
> org.jasig.cas.authentication.principal.AbstractWebApplicationService#logOutOfService(String)
> to accomplish this.  Again, these are logged via standard application
> logging but not currently included in audit records.
>
> > • logoffs due to SSO session timeout (do HTTP session timeouts occur in CAS? what would it mean?)
>
> Not supported at present.  You could hook
> org.jasig.cas.ticket.registry.RegistryCleaner.clean() to trigger an
> audit event if a ticket satisfies a particular expiration policy,
> which would effectively document expired sessions for TGT expiration.
>
> HTTP session timeouts on individual services are outside the scope of CAS.
>
> > • activity in the services management console, i.e.,
> >  1. creation or deletion of managed service
> >  2. modification of managed service (showing changed values)
>
> Not supported at present, but should be fairly straightforward to
> implement with a few audit hooks.
>
> Given the CAS roadmap, I don't think we would consider these features
> for 3.4.x, but they seem entirely reasonable for 4.0 or later.  I
> would suggest you open an issue to add audit hooks for the operations
> you mentioned.  I can imagine we might consider startup/shutdown
> outside the scope of application auditing, but it seems entirely
> reasonable for deployers to want that included in audit records as you
> noted.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
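
The startup/shutdown gap discussed in the quoted reply, sketched as an added example (not code from either poster, CAS, or Inspektr). It uses a Spring `ApplicationListener` rather than the AOP hook suggested above; the class name, logger category and field names are assumptions, and because it writes through `java.util.logging` its records are not consolidated with Inspektr's audit store.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.logging.Logger;

import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ApplicationContextEvent;
import org.springframework.context.event.ContextClosedEvent;
import org.springframework.context.event.ContextRefreshedEvent;

/** Hypothetical listener: emits an audit line on context startup and shutdown. */
public class LifecycleAuditListener implements ApplicationListener<ApplicationContextEvent> {

    // Assumption: a dedicated logger category that the deployer routes to the audit file.
    private static final Logger AUDIT = Logger.getLogger("AUDIT.lifecycle");

    public void onApplicationEvent(ApplicationContextEvent event) {
        // Child contexts (e.g. a DispatcherServlet's) propagate their events to the
        // root context; only the root context marks a real application start/stop.
        if (event.getApplicationContext().getParent() != null) {
            return;
        }
        if (event instanceof ContextRefreshedEvent) {
            AUDIT.info(record("SYSTEM_STARTUP", event));
        } else if (event instanceof ContextClosedEvent) {
            AUDIT.info(record("SYSTEM_SHUTDOWN", event));
        }
    }

    /** Builds one line carrying the fields requested in the thread. */
    static String record(String action, ApplicationContextEvent event) {
        String host;
        String ip;
        try {
            InetAddress local = InetAddress.getLocalHost();
            host = local.getCanonicalHostName();
            ip = local.getHostAddress();
        } catch (UnknownHostException e) {
            // Still write the record; a missing hostname must not suppress the event.
            host = "unknown";
            ip = "unknown";
        }
        String when = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ")
                .format(new Date(event.getTimestamp()));
        // System events have no remote user, client address or target service.
        return "who=system client_ip=n/a when=" + when + " service=n/a action=" + action
                + " local_host=" + host + " local_ip=" + ip;
    }
}
```

Declared as a singleton bean in the root application context, the listener is picked up by Spring automatically. A shutdown record is only written on an orderly context close, so a killed JVM leaves a startup record with no matching shutdown.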
