How to stop logging of webservice authentication failure

by yosemite

Hello all,

I have a @Stateless acting as @WebService configured in openejb-jar.xml like

        <ejb:enterprise-beans>
                <ejb:session>
                        <ejb:ejb-name>TimeBean</ejb:ejb-name>
                        <ejb:web-service-security>
                                <ejb:security-realm-name>MyRealm</ejb:security-realm-name>
                                <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
                                <ejb:auth-method>BASIC</ejb:auth-method>
                                <http-method>POST</http-method>
                                <http-method>PUT</http-method>
                        </ejb:web-service-security>
                </ejb:session>
        </ejb:enterprise-beans>

Which works perfectly if the user credentials passed to the webservice are right. But if the credentials are wrong (wrong password), it tells the client "The server sent HTTP status code 401: Unauthorized" but also logs in geronimo.log:

2009-08-23 14:16:03,531 WARN  [log] AUTH FAILURE: user tester1
2009-08-23 14:16:03,531 WARN  [log] Committed before 403 null
2009-08-23 14:16:03,531 ERROR [log] handle failed
java.lang.IllegalStateException: Committed
        at org.mortbay.jetty.Response.resetBuffer(Response.java:995)
        at org.mortbay.jetty.Response.sendError(Response.java:240)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:521)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
        at org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:214)
        at org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:344)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:619)

How can I avoid this log, and how and where can I handle the IllegalStateException, please?

If I use the same realm in the web app, this section in web.xml

  <login-config>
    <realm-name>MyRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

bumps to loginError if password is wrong, and then the log entry is just

WARN  [log] AUTH FAILURE: user tester1

(i.e. no IllegalStateException)

Any help appreciated.
Karel


Re: How to stop logging of webservice authentication failure

by Jack Cai

I guess there is nothing you can do here. The exception is never routed to your code. It looks like a small defect in Jetty's code. You might want to raise a defect against Jetty.

-Jack

On Sun, Aug 23, 2009 at 8:43 PM, yosemite <kmichek@...> wrote:


Re: How to stop logging of webservice authentication failure

by yosemite

Hello
This problem never went away in Geronimo 2.1.4 - Jetty, maybe it's some Jetty logging configuration, I was not persistent enough to find exactly what :-)
Karel
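
An added example, not part of the original thread: a Python triage pass over geronimo.log that keeps the AUTH FAILURE records as a security signal and drops only the Jetty follow-on records quoted in the first post, instead of silencing the logger. The function names, the 1-second window and user tester2 are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample in the format quoted in the post; user tester2 is invented.
SAMPLE_LOG = """\
2009-08-23 14:16:03,531 WARN  [log] AUTH FAILURE: user tester1
2009-08-23 14:16:03,531 WARN  [log] Committed before 403 null
2009-08-23 14:16:03,531 ERROR [log] handle failed
java.lang.IllegalStateException: Committed
        at org.mortbay.jetty.Response.resetBuffer(Response.java:995)
2009-08-23 14:16:40,120 WARN  [log] AUTH FAILURE: user tester1
2009-08-23 14:17:41,870 WARN  [log] AUTH FAILURE: user tester2
2009-08-23 14:18:00,004 ERROR [log] handle failed
java.lang.IllegalStateException: Committed
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+\[\S+\] (.*)$")
AUTH_FAIL = re.compile(r"^AUTH FAILURE: user (\S+)$")
WINDOW = timedelta(seconds=1)  # assumption: follow-on lines land within 1 s
NOISE = {("Committed before 403 null", None),
         ("handle failed", "java.lang.IllegalStateException: Committed")}

def parse_records(text):
    """Attach stack-trace lines to the timestamped record that precedes them."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            records.append({"ts": ts, "level": m.group(2), "msg": m.group(3), "trace": []})
        elif records and line.strip():
            records[-1]["trace"].append(line.strip())
    return records

def triage(text):
    """Return (failures per user, follow-on records dropped, other records kept)."""
    failures, dropped, kept, last_fail = Counter(), 0, [], None
    for rec in parse_records(text):
        m = AUTH_FAIL.match(rec["msg"])
        head = rec["trace"][0] if rec["trace"] else None
        near = last_fail is not None and rec["ts"] - last_fail <= WINDOW
        if m:
            failures[m.group(1)] += 1
            last_fail = rec["ts"]
        elif near and (rec["msg"], head) in NOISE:
            dropped += 1
        else:
            kept.append(rec)
    return failures, dropped, kept
```

The last record in the sample is kept because no authentication failure precedes it within the window, so a "handle failed" error with a different cause still surfaces.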

