Request Logging at Java-PEPs

The following log4j logger can be configured:

<Logger name="SSO_RESULT_LOGGER" level="info" additivity="false">
    ...
</Logger>

By default, the logger records every user authentication and resource authorization as a log message with the following fields:

ResourceUrl (the value of the request URL), User-Agent (the value of the "User-Agent" request header if the header exists), Result (Success | Failure | Redirect)

The logger can combine the default values with values coming from the request injection feature. See Request Injection Value Template and Request Injection Template for the configuration of the request injection feature.

Servlet Filter PEP

The PEP accepts the following local configurations in the web.xml file:

  • request.injection.names.to.log

    • A collection of already configured request injection names whose values should be processed by the logger.

    • Request injections with appropriate names must be configured and assigned to the appropriate PEP.

  • request.injection.names.filter

    • A collection of already configured request injection names whose values should only be processed by the logger. These request injection names and values will not be passed to any protected application.

Example

In web.xml

...
<filter>
... standard DirX Access Servlet Filter PEP local configuration ...
<init-param>
   <param-name>request.injection.names.to.log</param-name>
   <param-value>When,Who,Where,AuthnMethod</param-value>
</init-param>
<init-param>
   <param-name>request.injection.names.filter</param-name>
   <param-value>When,Who,Where</param-value>
</init-param>
</filter>
...

Configuration of request injection names

{
    "value": [
        {
            "@odata.type": "#net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionTemplate",
            "dp": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionTemplate",
            "key": "Authentication Time",
            "type": "HttpRequestHeader",
            "keyword": "When",
            "keywordValueSeparator": "=",
            "mandatory": false,
            "requestInjectionValueTemplateId": {
                "key": "Authentication Time",
                "type": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate"
            }
        },
        {
            "@odata.type": "#net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionTemplate",
            "dp": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionTemplate",
            "key": "LoginName",
            "type": "HttpRequestAttribute",
            "keyword": "Who",
            "keywordValueSeparator": "=",
            "mandatory": false,
            "requestInjectionValueTemplateId": {
                "key": "LoginName",
                "type": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate"
            }
        },
        {
            "@odata.type": "#net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionTemplate",
            "dp": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionTemplate",
            "key": "ClientHost",
            "type": "HttpRequestAttribute",
            "keyword": "Where",
            "keywordValueSeparator": "=",
            "mandatory": false,
            "requestInjectionValueTemplateId": {
                "key": "ClientHost",
                "type": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate"
            }
        },
        {
            "@odata.type": "#net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionTemplate",
            "dp": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionTemplate",
            "key": "Authentication Methods",
            "type": "HttpRequestAttribute",
            "keyword": "AuthnMethod",
            "keywordValueSeparator": "=",
            "mandatory": false,
            "requestInjectionValueTemplateId": {
                "key": "Authentication Methods",
                "type": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate"
            }
        },
        {
            "@odata.type": "#net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate",
            "dp": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate",
            "key": "Authentication Time",
            "source": "SSO_SERVICE",
            "sourceAbstraction": "AUTHENTICATION_INFO",
            "sourceAbstractionDetail": "AUTHENTICATION_TIME",
            "roleAssignmentsImprintDomain": false,
            "multiValuesSeparator": ","
        },
        {
            "@odata.type": "#net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate",
            "dp": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate",
            "key": "LoginName",
            "source": "SSO_SERVICE",
            "sourceAbstraction": "AUTHENTICATION_INFO",
            "sourceAbstractionDetail": "AUTHENTICATION_ID",
            "roleAssignmentsImprintDomain": false,
            "multiValuesSeparator": ","
        },
        {
            "@odata.type": "#net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate",
            "dp": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate",
            "key": "ClientHost",
            "source": "SSO_SERVICE",
            "sourceAbstraction": "CONTEXT_INFO",
            "sourceAbstractionDetail": "CLIENT_IP_ADDRESS",
            "roleAssignmentsImprintDomain": false,
            "multiValuesSeparator": ","
        },
        {
            "@odata.type": "#net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate",
            "dp": "net.atos.dirx.access.apprepo.api.config.subject.external.RequestInjectionValueTemplate",
            "key": "Authentication Methods",
            "source": "SSO_SERVICE",
            "sourceAbstraction": "AUTHENTICATION_INFO",
            "sourceAbstractionDetail": "AUTHENTICATION_METHODS",
            "roleAssignmentsImprintDomain": false,
            "multiValuesSeparator": ","
        }
    ]
}
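
A consistency check for the two configurations above, added here as an example and not part of DirX Access. It assumes the names listed in the init-params correspond to the keyword of a request injection template, as in the example on this page; the helper names (names, check) are hypothetical and the input is a constructed sample with two deliberate gaps.

```python
import json
import xml.etree.ElementTree as ET

PKG = "net.atos.dirx.access.apprepo.api.config.subject.external."

# Constructed sample: the page's init-params plus a trimmed repository export with
# two deliberate gaps (no template for "Where", no value template "LoginName").
WEB_XML = """<filter>
  <init-param><param-name>request.injection.names.to.log</param-name>
    <param-value>When,Who,Where,AuthnMethod</param-value></init-param>
  <init-param><param-name>request.injection.names.filter</param-name>
    <param-value>When,Who,Where</param-value></init-param>
</filter>"""

def _tpl(key, keyword):
    return {"dp": PKG + "RequestInjectionTemplate", "key": key, "keyword": keyword,
            "requestInjectionValueTemplateId": {"key": key}}

def _val(key):
    return {"dp": PKG + "RequestInjectionValueTemplate", "key": key}

INJECTIONS = json.dumps({"value": [
    _tpl("Authentication Time", "When"), _tpl("LoginName", "Who"),
    _tpl("Authentication Methods", "AuthnMethod"),
    _val("Authentication Time"), _val("Authentication Methods")]})

def names(filter_xml, param):
    """Return the comma-separated names of one init-param of the filter element."""
    for ip in ET.fromstring(filter_xml).iter("init-param"):
        if ip.findtext("param-name", "").strip() == param:
            return [n.strip() for n in ip.findtext("param-value", "").split(",") if n.strip()]
    return []

def check(filter_xml, injections_json):
    """Return (findings, names that are logged and still passed to the application)."""
    entries = json.loads(injections_json)["value"]
    # Assumption: an init-param name matches a template's "keyword".
    templates = {e["keyword"]: e for e in entries if e["dp"].endswith(".RequestInjectionTemplate")}
    values = {e["key"] for e in entries if e["dp"].endswith(".RequestInjectionValueTemplate")}
    to_log = names(filter_xml, "request.injection.names.to.log")
    only_log = names(filter_xml, "request.injection.names.filter")
    findings = []
    for n in to_log + [x for x in only_log if x not in to_log]:
        ref = templates.get(n, {}).get("requestInjectionValueTemplateId", {}).get("key")
        if n not in templates:
            findings.append(f"{n}: no request injection template with this keyword")
        elif ref not in values:
            findings.append(f"{n}: value template {ref!r} is not defined")
    findings += [f"{n}: filtered from the application but not logged"
                 for n in only_log if n not in to_log]
    return findings, [n for n in to_log if n not in only_log]
```

On the constructed sample, check(WEB_XML, INJECTIONS) reports the two gaps and returns AuthnMethod as the only logged value that still reaches the protected application.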

Jetty Handler PEP

The PEP accepts the following configurations in the jetty.xml file:

  • requestInjectionNamesToLog

    • A collection of already configured request injection names whose values should be processed by the logger.

  • requestInjectionNamesFilter

    • A collection of already configured request injection names whose values should only be processed by the logger. These request injection names and values will not be passed to any protected application.

Example

In the jetty.xml file

...
<Item><New class="net.atos.dirx.access.pep.jetty11.DXAHandler" id="DXAHandler">
... standard DirX Access Servlet Filter PEP local configuration ...
<Set name="requestInjectionNamesToLog">When,Who,Where,AuthnMethod</Set>
<Set name="requestInjectionNamesFilter">When,Who,Where</Set>
</New></Item>
...

Tomcat Valve PEP

The PEP accepts the following configurations in the server.xml file:

  • requestInjectionNamesToLog

    • A collection of already configured request injection names whose values should be processed by the logger.

  • requestInjectionNamesFilter

    • A collection of already configured request injection names whose values should only be processed by the logger. These request injection names and values will not be passed to any protected application.

Example

In the server.xml file

...
<Valve className="com.siemens.dxa.pep.tomcat10.DXAValve"
... standard DirX Access Servlet Filter PEP local configuration ...
requestInjectionNamesToLog="When,Who,Where,AuthnMethod" requestInjectionNamesFilter="When,Who,Where"/>
...