On Mon, Mar 19, 2012 at 5:07 PM, Kasun Gajasinghe <[email protected]> wrote:
> On Mon, Mar 19, 2012 at 4:54 PM, Amila Jayasekara <[email protected]> wrote:
>>
>> The error log is originating from AxisEngine. In which AxisEngine
>> prints the AxisFault as an error. I also agree with Kasun that we
>> should not show this exception trace to user. Shall we change the log
>> level of log message to "debug" rather than "error" ?
>
> Yes, this is "giving too much information", (a phrase I learned
> in Java Colombo!) :), well the information is inaccurate too. Yes, it's
> good if this can be converted to debug level. But, is it ok to reveal
> this detail even at debug level?

Hi Kasun,

These are server side logs and we rely on these logs for auditing
purposes. We expect these logs will not be compromised and no one will
change them. Therefore having more information in logs will not create any
security hole. But the information is redundant. I fixed the issue by
adding an AxisFault type. In AxisEngine it has the following check,

catch (AxisFault e) {
    // log the fault only if it is not an application level fault.
    if (e.getFaultType() != Constants.APPLICATION_FAULT) {
        log.error(e.getMessage(), e);
    }
    ...

So setting the axis fault type to Constants.APPLICATION_FAULT solved the
issue. Please take an svn up of core/org.wso2.carbon.server.admin and
check whether the issue is resolved.

Thanks
AmilaJ.

>
>
>> > When an unauthenticated user tries to access 
>> > https://localhost:9443/carbon/,
>> > it gets redirected to https://localhost:9443/carbon/admin/login.jsp.
>> >
>> > So in your case, does this error occur during this redirection?
>
> Hi Thilina,
>
> This redirection happens too. But this stack trace gets printed in the
> server log. No effect on the functionality AFAIS.
>
> Thanks,
> --KasunG
>
>>
>> >
>> > Thanks,
>> > Thilina
>> >
>> >
>> > On Mon, Mar 19, 2012 at 3:44 PM, Kasun Gajasinghe <[email protected]> wrote:
>> >>
>> >> Hi,
>> >> In the current trunk pack, when AppServer is started and the link
>> >> provided for the management console URL (https://localhost:9443/carbon/) is opened, an
>> >> exception gets thrown saying "org.apache.axis2.AxisFault: Access Denied.
>> >> Authentication failed - Invalid password provided." The full stack trace
>> >> is at [1]. This error is thrown every time someone loads the management
>> >> console before logging in.
>> >>
>> >> As far as I noticed, there isn't any exception thrown in the released
>> >> versions (I checked greg-4.1.1), only the WARNing message. I think this
>> >> should be fixed because this gives a wrong idea to the user that the
>> >> password s/he provided was wrong!
>> >>
>> >> Thanks,
>> >> --KasunG
>> >>
>> >>
>> >> [1]
>> >> [2012-03-19 15:38:14,839]  WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  Failed Administrator login attempt 'admin[0]' at [2012-03-19 15:38:14,0839] from IP address 10.100.3.137
>> >> [2012-03-19 15:38:14,841] ERROR {org.apache.axis2.engine.AxisEngine} -  Access Denied. Authentication failed - Invalid password provided.
>> >> org.apache.axis2.AxisFault: Access Denied. Authentication failed - Invalid password provided.
>> >>     at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:94)
>> >>     at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.invoke(AuthenticationHandler.java:53)
>> >>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>> >>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>> >>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>> >>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>> >>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>> >>     at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>> >>     at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:205)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>> >>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>> >>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:46)
>> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>> >>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
>> >>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>> >>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>> >>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>> >>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>> >>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:54)
>> >>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:155)
>> >>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>> >>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>> >>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>> >>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
>> >>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
>> >>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1600)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>> >>     at java.lang.Thread.run(Thread.java:662)
>> >>
>> >>
>> >>
>> >> --
>> >> Kasun Gajasinghe
>> >> Software Engineer; WSO2 Inc.; http://wso2.com
>> >>
>> >> ,
>> >> email: kasung AT spamfree wso2.com cell: +94 (77) 678-0813
>> >> linked-in: http://lk.linkedin.com/in/gajasinghe
>> >> blog: http://blog.kasunbg.org
>> >>
>> >>
>> >> twitter: http://twitter.com/kasunbg
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Thilina Buddhika
>> > Associate Technical Lead
>> > WSO2 Inc. ; http://wso2.com
>> > lean . enterprise . middleware
>> >
>> > phone : +94 77 44 88 727
>> > blog : http://blog.thilinamb.com
>> >
>> > _______________________________________________
>> > Dev mailing list
>> > [email protected]
>> > http://wso2.org/cgi-bin/mailman/listinfo/dev
>> >
>>
>>
>>
>> --
>> Mobile : +94773330538
>
>

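The APPLICATION_FAULT fix Amila describes above, as an added Java illustration that is not code from Carbon or Axis2: a stand-in authentication handler tags its AxisFault so the engine-side check quoted from AxisEngine skips the ERROR log with the stack trace. The class name, the helper methods and the credential table are constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.axis2.AxisFault;
import org.apache.axis2.Constants;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

// Added illustration (hypothetical class), not Carbon's AuthenticationHandler.
public class ApplicationFaultDemo {
    private static final Log log = LogFactory.getLog(ApplicationFaultDemo.class);

    // Constructed credential table standing in for the real user store.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static { USERS.put("admin", "demo-only-password"); }

    // A failed login is an expected application-level outcome, not an engine
    // failure, so the fault is tagged APPLICATION_FAULT before it is thrown.
    static void authenticate(String user, String password) throws AxisFault {
        String expected = USERS.get(user);
        if (expected == null || !expected.equals(password)) {
            AxisFault fault = new AxisFault(
                "Access Denied. Authentication failed - Invalid password provided.");
            fault.setFaultType(Constants.APPLICATION_FAULT);
            throw fault;
        }
    }

    // Same decision AxisEngine makes in the quoted catch block: only faults
    // that are NOT application faults get log.error() with the stack trace.
    static boolean loggedAsError(AxisFault e) {
        return e.getFaultType() != Constants.APPLICATION_FAULT;
    }

    public static void main(String[] args) {
        try {
            authenticate("admin", "wrong");
        } catch (AxisFault e) {
            if (loggedAsError(e)) {
                log.error(e.getMessage(), e);   // the trace Kasun saw in the server log
            } else {
                log.debug("Application fault: " + e.getMessage()); // no trace for a bad login
            }
        }
    }
}
```

The audit-side WARN from CarbonAuthenticationUtil (user, time, source IP) is still emitted by the authenticator; this only removes the redundant engine-level ERROR and stack trace.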