Re: [cas-user] Inspektr audit says AUTHENTICATION_SUCCESS on authentication failures

2018-01-23 Thread Oscar del Pozo
Thanks!

On Tuesday, 23 January 2018, 12:50:29 (UTC+1), Dmitriy Kopylenko wrote:
>
> https://github.com/apereo/inspektr
>
> D. 
>
> On Tue, Jan 23, 2018 at 5:38 AM -0500, "Oscar del Pozo" <oscard...@gmail.com> wrote:
>
>> There is a bug in the module inspektr-audit-1.7.1.GA when an Exception is 
>> thrown on an authentication process that ends up logging the authentication 
>> as successful:
>>
>> Logs:
>>
>>> 2018-01-23 11:18:18,583 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -  has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=]] of type [ClientCredential].>
>>> 2018-01-23 11:18:57,038 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
>>> =
>>> WHO: null
>>> WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=]]
>>> ACTION: AUTHENTICATION_SUCCESS
>>> APPLICATION: CAS
>>> WHEN: Tue Jan 23 11:18:57 CET 2018
>>> CLIENT IP ADDRESS: 192.168.56.1
>>> SERVER IP ADDRESS: 192.168.56.1
>>> =
>>
>>
>> The bug is located at 
>> *org.apereo.inspektr.audit.AuditTrailManagementAspect@handleAuditTrail(final 
>> ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable*:
>>
>> @Around(value = "@annotation(audit)", argNames = "audit")
>> public Object handleAuditTrail(final ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable {
>>     final AuditActionResolver auditActionResolver = this.auditActionResolvers.get(audit.actionResolverName());
>>     final AuditResourceResolver auditResourceResolver = this.auditResourceResolvers.get(audit.resourceResolverName());
>>
>>     String currentPrincipal = null;
>>     String[] auditResource = new String[]{null};
>>     String action = null;
>>     Object retVal = null;
>>     try {
>>         retVal = joinPoint.proceed();
>>
>>         currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, retVal);
>>         auditResource = auditResourceResolver.resolveFrom(joinPoint, retVal);
>>         action = auditActionResolver.resolveFrom(joinPoint, retVal, audit);
>>
>>         return retVal;
>>     } catch (final Throwable e) {
>>         currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
>>         auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
>>         action = auditActionResolver.resolveFrom(joinPoint, e, audit);
>>         throw e;
>>     } finally {
>>         executeAuditCode(currentPrincipal, auditResource, joinPoint, retVal, action, audit);
>>     }
>> }
>>
>> The problem here is that the auditActionResolver has two methods:
>>
>> String resolveFrom(JoinPoint auditableTarget, Object retval, Audit audit);
>>
>> String resolveFrom(JoinPoint auditableTarget, Exception exception, Audit audit);
>>
>> When we try to invoke the second one, we have to cast the exception e so 
>> that we do not enter the first method, where the success suffix will be 
>> applied to the audit log.
>>
>> To fix this, the catch block should be:
>>
>>     } catch (final Throwable e) {
>>         currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
>>         auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
>>         action = auditActionResolver.resolveFrom(joinPoint, (Exception) e, audit);
>>         throw e;
>>     }
>>
>> I would make a pull request, but I haven't found the source code on 
>> GitHub.
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org .
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/019cf236-26be-4c3d-97e6-0bb731b8217e%40apereo.org.
>>
>


[cas-user] Inspektr audit says AUTHENTICATION_SUCCESS on authentication failures

2018-01-23 Thread Oscar del Pozo
There is a bug in the module inspektr-audit-1.7.1.GA when an Exception is 
thrown on an authentication process that ends up logging the authentication 
as successful:

Logs:

> 2018-01-23 11:18:18,583 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -  has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=]] of type [ClientCredential].>
> 2018-01-23 11:18:57,038 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: null
> WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=]]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Jan 23 11:18:57 CET 2018
> CLIENT IP ADDRESS: 192.168.56.1
> SERVER IP ADDRESS: 192.168.56.1
> =


The bug is located at 
*org.apereo.inspektr.audit.AuditTrailManagementAspect@handleAuditTrail(final 
ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable*:

@Around(value = "@annotation(audit)", argNames = "audit")
public Object handleAuditTrail(final ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable {
    final AuditActionResolver auditActionResolver = this.auditActionResolvers.get(audit.actionResolverName());
    final AuditResourceResolver auditResourceResolver = this.auditResourceResolvers.get(audit.resourceResolverName());

    String currentPrincipal = null;
    String[] auditResource = new String[]{null};
    String action = null;
    Object retVal = null;
    try {
        retVal = joinPoint.proceed();

        currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, retVal);
        auditResource = auditResourceResolver.resolveFrom(joinPoint, retVal);
        action = auditActionResolver.resolveFrom(joinPoint, retVal, audit);

        return retVal;
    } catch (final Throwable e) {
        currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
        auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
        action = auditActionResolver.resolveFrom(joinPoint, e, audit);
        throw e;
    } finally {
        executeAuditCode(currentPrincipal, auditResource, joinPoint, retVal, action, audit);
    }
}

The problem here is that the auditActionResolver has two methods:

String resolveFrom(JoinPoint auditableTarget, Object retval, Audit audit);

String resolveFrom(JoinPoint auditableTarget, Exception exception, Audit audit);

When we try to invoke the second one, we have to cast the exception e so 
that we do not enter the first method, where the success suffix will be 
applied to the audit log.

To fix this, the catch block should be:

    } catch (final Throwable e) {
        currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
        auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
        action = auditActionResolver.resolveFrom(joinPoint, (Exception) e, audit);
        throw e;
    }

I would make a pull request, but I haven't found the source code on GitHub.

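
Added example, not part of the original post or of Inspektr's source: a stand-alone Java program showing why the uncast call in the catch block binds to the Object overload at compile time, so a failure is audited with the success suffix. The class name, the method names and the _FAILED suffix are assumptions made for illustration; the guarded variant goes beyond the post to cover a Throwable that is an Error rather than an Exception.

```java
// Added illustration; all names are hypothetical stand-ins, not Inspektr's code.
public class OverloadAuditDemo {

    // Stand-ins for the two resolver overloads quoted in the post.
    static String resolveFrom(Object retVal, String action) {
        return action + "_SUCCESS";   // success suffix
    }

    static String resolveFrom(Exception e, String action) {
        return action + "_FAILED";    // failure suffix (assumed name)
    }

    // Mirrors the original catch block: the static type of e is Throwable,
    // which is not an Exception, so only the Object overload is applicable.
    static String auditUncast(Throwable e) {
        return resolveFrom(e, "AUTHENTICATION");
    }

    // Mirrors the proposed fix: the cast makes the Exception overload
    // applicable, and it is chosen as the most specific one.
    static String auditCast(Throwable e) {
        return resolveFrom((Exception) e, "AUTHENTICATION");
    }

    // Variant that also handles java.lang.Error, where the plain cast would
    // throw ClassCastException inside the catch block and mask the failure.
    static String auditGuarded(Throwable e) {
        Exception ex = (e instanceof Exception) ? (Exception) e : new RuntimeException(e);
        return resolveFrom(ex, "AUTHENTICATION");
    }

    public static void main(String[] args) {
        // Constructed sample failure standing in for a rejected credential.
        Throwable authFailure = new IllegalStateException("constructed sample failure");
        System.out.println("uncast : " + auditUncast(authFailure));
        System.out.println("cast   : " + auditCast(authFailure));
        System.out.println("guarded: " + auditGuarded(new StackOverflowError()));
        try {
            auditCast(new StackOverflowError());
        } catch (ClassCastException cce) {
            System.out.println("plain cast on an Error: " + cce.getClass().getSimpleName());
        }
    }
}
```

Until a corrected build is deployed, an AUTHENTICATION_SUCCESS record with WHO: null, as in the log above, is worth cross-checking against the authentication manager's ERROR entries for the same credential.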