On Mon, Mar 19, 2012 at 5:25 PM, Amila Jayasekara <[email protected]> wrote:
> On Mon, Mar 19, 2012 at 5:07 PM, Kasun Gajasinghe <[email protected]> wrote:
>> On Mon, Mar 19, 2012 at 4:54 PM, Amila Jayasekara <[email protected]> wrote:
>>>
>>> The error log is originating from AxisEngine, in which AxisEngine
>>> prints the AxisFault as an error. I also agree with Kasun that we
>>> should not show this exception trace to the user. Shall we change the log
>>> level of the log message to "debug" rather than "error"?
>>
>> Yes, this is "giving too much information" (a phrase I learned
>> in Java Colombo!) :), and the information is inaccurate too. Yes, it's
>> good if this can be converted to debug level. But is it ok to reveal
>> this detail even at debug level?
>
> Hi Kasun,
>
> These are server side logs and we rely on these logs for auditing
> purposes. We expect these logs will not be compromised and that no one will
> change them. Therefore having more information in logs will not create any
> security hole. But the information is redundant. I fixed the issue by
> adding an AxisFault type. In AxisEngine it has the following check:
>
>     catch (AxisFault e) {
>         // log the fault only if it is not an application level fault.
>         if (e.getFaultType() != Constants.APPLICATION_FAULT) {
>             log.error(e.getMessage(), e);
>         }
>         ...
>
> So setting the axis fault type to Constants.APPLICATION_FAULT solved the
> issue.

Yes, I understand. This fix looks neat.

> Please take a svn up core/org.wso2.carbon.server.admin and
> check whether the issue is resolved.

Thanks, will do.

--KasunG

> Thanks
> AmilaJ.
>
>>>> When an unauthenticated user tries to access
>>>> https://localhost:9443/carbon/,
>>>> it gets redirected to https://localhost:9443/carbon/admin/login.jsp.
>>>>
>>>> So in your case, does this error occur during this redirection?
>>
>> Hi Thilina,
>>
>> This redirection happens too. But this stack trace gets printed in the
>> server log. No effect on the functionality AFAIS.
>>
>> Thanks,
>> --KasunG
>>
>>>>
>>>> Thanks,
>>>> Thilina
>>>>
>>>>
>>>> On Mon, Mar 19, 2012 at 3:44 PM, Kasun Gajasinghe <[email protected]> wrote:
>>>>>
>>>>> Hi,
>>>>> In the current trunk pack, when AppServer is started, and the link
>>>>> provided for the management console URL (https://localhost:9443/carbon/) is opened, an
>>>>> exception gets thrown saying "org.apache.axis2.AxisFault: Access Denied.
>>>>> Authentication failed - Invalid password provided." The full stack trace
>>>>> is at [1]. This error is thrown every time someone loads the management
>>>>> console before logging in.
>>>>>
>>>>> As far as I noticed, there isn't any exception thrown in the released
>>>>> versions (I checked greg-4.1.1), only the WARNing message. I think this
>>>>> should be fixed because this gives the user the wrong idea that the
>>>>> password s/he provided was wrong!
>>>>>
>>>>> Thanks,
>>>>> --KasunG
>>>>>
>>>>>
>>>>> [1]
>>>>> [2012-03-19 15:38:14,839] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[0]' at [2012-03-19 15:38:14,0839] from IP address 10.100.3.137
>>>>> [2012-03-19 15:38:14,841] ERROR {org.apache.axis2.engine.AxisEngine} - Access Denied. Authentication failed - Invalid password provided.
>>>>> org.apache.axis2.AxisFault: Access Denied. Authentication failed - Invalid password provided.
>>>>>     at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:94)
>>>>>     at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.invoke(AuthenticationHandler.java:53)
>>>>>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>>>>>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>>>>>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>>>>>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>>>>>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>>>>>     at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>>>>>     at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:205)
>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>>>>>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>>>>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>>>>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>>>>>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:46)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
>>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:54)
>>>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:155)
>>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
>>>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1600)
>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>>>>>     at java.lang.Thread.run(Thread.java:662)
>>>>>
>>>>
>>>> --
>>>> Thilina Buddhika
>>>> Associate Technical Lead
>>>> WSO2 Inc. ; http://wso2.com
>>>> lean . enterprise . middleware
>>>>
>>>> phone : +94 77 44 88 727
>>>> blog : http://blog.thilinamb.com
>>>>
>
> --
> Mobile : +94773330538

--
Kasun Gajasinghe
Software Engineer; WSO2 Inc.; http://wso2.com
email: kasung AT spamfree wso2.com cell: +94 (77) 678-0813
linked-in: http://lk.linkedin.com/in/gajasinghe
blog: http://blog.kasunbg.org
twitter: http://twitter.com/kasunbg

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
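As an added example (not code from this thread or from the Carbon code base), the pattern Amila describes above: the handler marks the denial as an application-level fault so that AxisEngine's catch block skips the ERROR log with its stack trace, while the audit WARN for the failed attempt is still written. It assumes Axis2's `AxisFault`, `Constants.APPLICATION_FAULT` and commons-logging on the classpath; the class name `AuthFaultExample` and its methods are hypothetical, and the user and IP values are constructed from the thread's own log line.

```java
import org.apache.axis2.AxisFault;
import org.apache.axis2.Constants;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/** Hypothetical handler illustrating the fault-type fix discussed in the thread. */
public class AuthFaultExample {
    private static final Log log = LogFactory.getLog(AuthFaultExample.class);

    /** Build the access-denied fault tagged as an application-level fault. */
    static AxisFault accessDenied(String reason) {
        AxisFault fault = new AxisFault("Access Denied. " + reason);
        // APPLICATION_FAULT tells AxisEngine this is an expected outcome, not an engine error
        fault.setFaultType(Constants.APPLICATION_FAULT);
        return fault;
    }

    /** Mirrors the check AxisEngine applies in its catch block (quoted in the thread). */
    static boolean engineWouldLogAsError(AxisFault e) {
        return e.getFaultType() != Constants.APPLICATION_FAULT;
    }

    /** Hypothetical authenticate step: the audit WARN stays, the stack trace does not. */
    static void authenticate(String user, String remoteAddr, boolean credentialsOk) throws AxisFault {
        if (!credentialsOk) {
            // one audit line per failed attempt, without an exception trace
            log.warn("Failed Administrator login attempt '" + user + "' from IP address " + remoteAddr);
            throw accessDenied("Authentication failed - Invalid password provided.");
        }
    }

    public static void main(String[] args) {
        try {
            // constructed sample values taken from the log line quoted in the thread
            authenticate("admin", "10.100.3.137", false);
        } catch (AxisFault e) {
            if (engineWouldLogAsError(e)) {
                log.error(e.getMessage(), e);   // old behaviour: full trace at ERROR
            } else {
                log.debug(e.getMessage());      // after the fix: nothing at ERROR
            }
        }
    }
}
```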
