[jira] [Commented] (LOG4J2-2421) AbstractEventLogger.logEvent doesn't check for missing required context attributes

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/LOG4J2-2421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16617591#comment-16617591
 ] 

ASF GitHub Bot commented on LOG4J2-2421:
----------------------------------------

GitHub user andrei-ivanov opened a pull request:

    https://github.com/apache/logging-log4j-audit/pull/8

    [LOG4J2-2421]

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/andrei-ivanov/logging-log4j-audit LOG4J2-2421

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/logging-log4j-audit/pull/8.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #8
    
----
commit af89554f0d34ebd8263b0693cd8c6a6095b6b772
Author: Andrei Ivanov <andrei.ivanov@...>
Date:   2018-09-17T14:11:02Z

    [LOG4J2-2421] check for the presence of required ThreadContext atributes

commit baa2d74d9e4437629d02f6670d87c5430d6e5e69
Author: Andrei Ivanov <andrei.ivanov@...>
Date:   2018-09-17T14:14:11Z

    [LOG4J2-2421] iterate only over the defined request context attributes as 
the ThreadContext can have others extra

commit 0c3a58a33923a4eabac20669a89b8cc7dbc21575
Author: Andrei Ivanov <andrei.ivanov@...>
Date:   2018-09-17T14:17:39Z

    [LOG4J2-2421] remove pointless creation of array

----


> AbstractEventLogger.logEvent doesn't check for missing required context 
> attributes
> ----------------------------------------------------------------------------------
>
>                 Key: LOG4J2-2421
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2421
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Log4j-Audit
>    Affects Versions: Log4j-Audit 1.0.0
>            Reporter: Andrei Ivanov
>            Priority: Major
>
> Logging an event through {{LogEventFactory$AuditProxy}} validates the missing 
> required context attributes:
> {noformat}
> org.apache.logging.log4j.catalog.api.exception.ConstraintValidationException: 
> Event cashPaymentIn has errors :
>  ThreadContext does not contain required key userName
>       at 
> org.apache.logging.log4j.audit.LogEventFactory$AuditProxy.invoke(LogEventFactory.java:294)
>  ~[log4j-audit-api-1.0.0.jar:1.0.0]
> {noformat}
>  
> Trying the same through the {{AuditLogger}}, as the {{AuditController}} does, 
> doesn't trigger the same validation and the event gets through with a payload 
> like this, partially adapted from the samples:
> {code:json}
> {
>       "eventName": "CashPaymentIn",
>       "requestContextMap": {
>               "loginId": "rgoers",
>               "corpAccountNumber": "12345",
>               "ipAddress": "127.0.0.1"
>       },
>       "properties": {
>               "salesTransaction": "52913b24-2459-416d-803d-e686e63761d0",
>               "currency": "EUR",
>               "amount": "100.00"
>       }
> }
> {code}
> As far as I see in 
> [AbstractEventLogger|https://github.com/apache/logging-log4j-audit/blob/master/log4j-audit/log4j-audit-api/src/main/java/org/apache/logging/log4j/audit/AbstractEventLogger.java#L182],
>  the validation of present {{requestContextAttributes}} starts, but there is 
> no check to see if the required ones are present in the {{ThreadContext}}.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)