On 08/26/2011 03:10 PM, Johannes Renner wrote:
> I got the idea and I was even researching such an approach already. For the
> webapp I started with a ServletFilter (see my attached patch as an example)
> that simply logs all POST requests to the backend using my helper classes
> from the patches I already sent. The main thing that's missing would be the
> integration of a configuration file like the above.
>
> I will now continue to investigate in this approach since I agree with you
> that it will be much easier to maintain than having log statements all over
> the code. However there are also some drawbacks:
>
> - Performance might be worse, since _every_ request this filter is registered
>   for (e.g. all *.do) will be checked if it needs to be logged or not

*nod*

> - Sometimes the same URL is used for different actions, e.g. creating and
>   updating an object, so classification of log events might be difficult or
>   even not possible

Can you provide an example of such a page? If we can solve such a hard page and everything else will be easier, then we can continue to pursue this idea. Otherwise we can scratch it and return to that mega-patch modifying all the code.

> - Sometimes you only want to log the request in case a certain parameter is
>   there, so there would need to be something like a list of "parameters
>   required for logging" for each URL in the config

*nod*

> - does it make sense to have a whitelist of interesting parameters for each
>   URL or rather take everything and maintain a global blacklist?

What about reusing the idea from httpd? I.e. have

    order deny, allow
    deny foo

so everything having foo will be blacklisted and everything else for this URL will be audited, and similarly

    order allow, deny
    allow foo

will mean that we will not audit it unless it has the foo parameter.

> Yes, but I actually think it would make sense to do this specifically within
> spacewalk-java, because there is already code to determine all the stuff from
> the database. To me it would make sense to reuse this code, so we don't need
> to rewrite all those queries?

But how will you audit the backend and those old perl pages we still have there?

> Yes, and such a configuration could even be modified by a customer itself.

Indeed, I had not seen this advantage.

-- 
Miroslav Suchy
Red Hat Satellite Engineering
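
One reading of the httpd-style `order` proposal in the message above, as an added example that is not part of the original e-mail or of the Spacewalk code: each URL gets a rule that decides from the request's parameter names whether the request is audited. The class names, the sample paths and parameters, and the default for URLs without a rule are assumptions.

```java
import java.util.*;

public class AuditRuleDemo {
    enum Order { DENY_ALLOW, ALLOW_DENY }

    // One rule per URL; all names here are hypothetical, not Spacewalk classes.
    static final class AuditRule {
        final Order order;
        final Set<String> listed; // parameter names given after "deny" or "allow"

        AuditRule(Order order, String... listed) {
            this.order = order;
            this.listed = new HashSet<>(Arrays.asList(listed));
        }

        boolean shouldAudit(Set<String> requestParams) {
            boolean match = !Collections.disjoint(listed, requestParams);
            // order deny, allow + deny foo : audit unless foo is present
            // order allow, deny + allow foo: audit only when foo is present
            return order == Order.DENY_ALLOW ? !match : match;
        }
    }

    static final Map<String, AuditRule> RULES = new HashMap<>();
    static {
        // Constructed sample configuration; paths and parameters are made up.
        RULES.put("/example/Edit.do", new AuditRule(Order.DENY_ALLOW, "preview"));
        RULES.put("/example/List.do", new AuditRule(Order.ALLOW_DENY, "delete"));
    }

    // Assumption: a URL without a rule is audited, so gaps in the config
    // produce extra log entries rather than missing ones.
    static boolean shouldAudit(String path, Set<String> params) {
        AuditRule rule = RULES.get(path);
        return rule == null || rule.shouldAudit(params);
    }

    public static void main(String[] args) {
        String[][] requests = { // constructed: path followed by parameter names
            {"/example/Edit.do", "name", "email"},
            {"/example/Edit.do", "name", "preview"},
            {"/example/List.do", "page"},
            {"/example/List.do", "id", "delete"},
            {"/example/Other.do", "x"},
        };
        for (String[] r : requests) {
            Set<String> params = new HashSet<>(Arrays.asList(r).subList(1, r.length));
            System.out.println(r[0] + " " + params + " -> audit=" + shouldAudit(r[0], params));
        }
    }
}
```

The `allow, deny` form also covers the "parameters required for logging" case raised earlier in the thread, since a request is only audited when one of the listed parameters is present.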