Adding security event logging

If you’re interested in logging all of the security events (when a user logs in or logs out of the Roo application), you can do so by adding the LoggerListener Spring bean provided by the Spring Security framework. Security event logging is a requirement in several organizations, especially those that must be compliant with regulatory stan­

dards such as the Sarbanes-Oxley Act (SOX) or the Federal Information Security Man­

agement Act (FISMA).

The LoggerListener class (which is located in the org.springframework .security.authentication.event package) outputs authentication-related applica­

tion events to the logger. All the authentication events are logged at the warning (WARN) logger level.

Note that this security event logger is part of Spring Security and not a Spring Roo feature, but it’s included in the discussion here because most real-world applications require logging for troubleshooting as well as security compliance purposes. The fol­

lowing configuration snippet shows how to add the security event logging in the appli­

cationContext-security.xml file:

<!-- Security event logging -->

<beans:bean id="loggerListener"

class="org.springframework.security.authentication.event.➥

LoggerListener" />

The following log output snippet shows the security event logger output messages after you enable LoggerListener:

2010-11-27 18:52:05,202 [http-8080-1] WARN

org.springframework.security.authentication.event.LoggerListener - Authentication event AuthenticationSuccessEvent: user;

details: org.springframework.security.web.authentication.

WebAuthenticationDetails@380f4:

RemoteIpAddress: 0:0:0:0:0:0:0:1; ➥

SessionId: 74CAE479AA7B10ABAAB3155EAB14D53B 2010-11-27 18:52:05,206 [http-8080-1] WARN

org.springframework.security.authentication.event.LoggerListener -

Authentication event InteractiveAuthenticationSuccessEvent: user;

details: org.springframework.security.web.authentication.

WebAuthenticationDetails@380f4:

RemoteIpAddress: 0:0:0:0:0:0:0:1; ➥

SessionId: 74CAE479AA7B10ABAAB3155EAB14D53B

The default logger level in the generated log4j.properties file is ERROR, so you’ll need to modify the logger level to either WARN or INFO to be able to view the security event log messages. Run the following Roo commands to change logging level from the ERROR to the INFO level. Make sure that the ERROR log level is set for the application that’s running in the production environment and set the INFO level to run only in nonproduction environments:

roo> logging setup --level INFO

Managed SRC_MAIN_RESOURCES\log4j.properties roo>

The logging command shown in the previous example defaults to all packages in the web application‚ but you can use the optional --package argument to specify the package that you want to set the logging level. The following example provides the logging command again, but this time it specifies the package name for the classes in the Roo project (using the variable PROJECT, which maps to the org.rooinaction .coursemanager package):

logging setup --level DEBUG --package PROJECT

This will add the following line to the log4j.properties file:

log4j.logger.org.rooinaction.coursemanager=DEBUG

If you want to modify the log level for Spring Security Java classes, specify SECURITY as the value for the package argument in the setup command and it will add the DEBUG level to the org.springframework.security package. This is helpful for trouble- shooting any security-related bugs in the application.

The following listing shows the complete configuration with all of the custom changes discussed in this chapter for the applicationContext-security.xml security con- figuration file.

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"

xmlns:beans="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="

http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security

http://www.springframework.org/schema/security/➥

spring-security-3.0.xsd">

<http auto-config="true" use-expressions="true">

Listing 8.6 Security configuration for Course Manager application

207 Adding security event logging

<form-login login-processing-url="/resources/➥

j_spring_security_check"

login-page="/login"

authentication-failure-url="/login?login_error=t"/>

<logout logout-url="/resources/j_spring_security_logout"/>

<intercept-url pattern="/coursecatalog/**" method="DELETE"

access="hasRole('ROLE_ADMIN')" />

<intercept-url pattern="/coursecatalog/**"

access="hasAnyRole('ROLE_ADMIN', 'ROLE_STUDENT')" />

<intercept-url pattern="/coursedetails/**" method="POST"

access="hasRole('ROLE_ADMIN')" />

<intercept-url pattern="/coursedetails/**" method="PUT"

access="hasRole('ROLE_ADMIN')" />

<intercept-url pattern="/coursedetails/**" method="GET"

access="permitAll" />

<intercept-url pattern="/coursedetails/**" method="DELETE"

access="hasRole('ROLE_ADMIN')" />

<intercept-url pattern="/coursedetails/**"

access="hasAnyRole('ROLE_ADMIN','ROLE_STUDENT')" />

<intercept-url pattern="/**" access="permitAll" />

</http>

<ldap-server id="ldapServer"

url="ldap://localhost:389"

manager-dn="cn=Directory Manager"

manager-password="test123"

/>

<authentication-manager alias="authenticationManager">

<ldap-authentication-provider server-ref="ldapServer"

user-dn-pattern="uid={0},dc=coursemanager,dc=com"

user-search-filter="(uid={0})"

user-search-base="dc=coursemanager,dc=com"

group-search-base="dc=coursemanager,dc=com"

group-role-attribute="dc=coursemanager,dc=com"

/>

</authentication-manager>

<beans:bean id="loggerListener"

class="org.springframework.security.authentication.event.➥

LoggerListener" />

</beans:beans>

As you can see in the previous listing, almost all of the application security aspects—

such as the user authentication, the role-based access (RBAC) to different web pages (URLs) in the application, the expression language–based access control, and the security event logging—can be defined in the XML file without having to write a single line of Java code. This is the power the Spring Security framework brings to the table‚

and Roo takes complete advantage of this approach. The Spring Security framework makes the job of every application architect and developer easier, because they can spend their focus, time, and effort on the business logic part of the application instead

of getting bogged down with all the security configuration details and other boiler- plate infrastructure tasks.