  • Latest Post - ‏2013-01-18T12:39:24Z by SystemAdmin
SystemAdmin
SystemAdmin
590 Posts

Pinned topic How to track which users are logged into WAS/WLE using auditing

‏2012-11-09T17:40:37Z |
Hello,

My client uses WLE 7.2 (running on WAS 7.0.0.25) and wants to know which users are logged into their applications. Their "applications" (say 5-10) are "Lombardi" process apps and this essentially means they are served up via a Web module in Teamworks.war (part of the WLE implementation that runs on top of WAS).

At a basic level they would like to know who is logged on / how many users are accessing the system. The users log into a login page (pretty much the standard Teamworks login page) (authenticate using LDAP) and are re-directed to a landing page process application.

1. Is there an API to retrieve security cache information? i.e. WAS has a backend security cache, the contents of which would be very useful to build such a page.

2. Is there an API to retrieve web session details ? (seems unlikely) i.e. accessing all of the sessions and the associated credentials would tell us who is using the system.

Other approaches I have considered to log the user activity direct:

A. Using a servlet filter and modifying the WLE EAR's (teamworks.war) so that every HTTP request is logged.

B. Creating an "audit service provider -> New third party emitter" to capture security events
Question - What 2 interfaces must be used for this? It appears undocumented...

C. Use existing security audit to binary file and report on this (undesirable as it will cause many large files distributed across nodes)..

In either of the approaches A&B, the data could be logged to a DB or dyna-cache (a map from userId to recent activity summary) might be more appropriate..

Any suggestions appreciated, Dave
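
A sketch of approach A with the userId-to-recent-activity map kept in memory, added here as an example and not part of the original post or of WLE/WAS code. The class name `ActiveUserFilter`, the 15-minute window and the assumption that WAS security populates `getRemoteUser()` for these requests are hypothetical; the filter would still need a `<filter>` mapping in the web module's `web.xml`.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical filter: remembers the last request time and client IP per authenticated user. */
public class ActiveUserFilter implements Filter {
    private static final long ACTIVE_WINDOW_MS = 15 * 60 * 1000L; // assumed idle cutoff

    /** Last request seen for one user. */
    static final class Seen {
        final long at; final String ip;
        Seen(long at, String ip) { this.at = at; this.ip = ip; }
    }

    private static final Map<String, Seen> LAST_SEEN =
            new ConcurrentHashMap<String, Seen>();

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            String user = ((HttpServletRequest) req).getRemoteUser(); // null until authenticated
            if (user != null) {
                // getRemoteAddr() returns the IP as-is; getRemoteHost() may do a reverse DNS lookup.
                LAST_SEEN.put(user, new Seen(System.currentTimeMillis(), req.getRemoteAddr()));
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { LAST_SEEN.clear(); }

    /** Count users seen within the window, evicting stale entries along the way. */
    public static int activeUserCount() {
        long cutoff = System.currentTimeMillis() - ACTIVE_WINDOW_MS;
        int active = 0;
        for (Map.Entry<String, Seen> e : LAST_SEEN.entrySet()) {
            if (e.getValue().at < cutoff) {
                LAST_SEEN.remove(e.getKey(), e.getValue()); // only if not refreshed meanwhile
            } else {
                active++;
            }
        }
        return active;
    }
}
```

The map is per JVM, so in a cluster each member holds only its own users; the DB or dyna-cache options mentioned in the post are what would give a cell-wide view.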
  • kark
    kark
    26 Posts

    Re: How to track which users are logged into WAS/WLE using auditing

    ‏2012-11-12T23:25:06Z  
    Hi,

    There are no public APIs to get the cache information. Do not see how you can do 2) either.

    Are these the 2 interfaces for Audit you are referring to?

    http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Frsec_sa_event_interface.html

    and

    http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Frsec_sa_event_factory_interface.html

    Also, the Audit mechanism allows one to capture just the data that they are interested in (e.g. authentication only) to minimize the data captured.

    --Ajay
  • SystemAdmin
    SystemAdmin
    590 Posts

    Re: How to track which users are logged into WAS/WLE using auditing

    ‏2012-11-13T10:33:28Z  
    Hi Ajay,

    Thanks for your response, much appreciated.

    I am looking at the page Configuring a third party audit service providers for security auditing

    Let's assume I want to create a third party audit service provider (not a binary file-based emitter) that uses JDBC to log certain events to a DB.

    When I choose Security auditing > Audit service provider > New third party emitter
    it asks for both:

    1. Third party emitter class name
    2. Event formatting module class name

    When I looked into audit.xml and the default Binary emitter (...runtime.jar), it implemented com.ibm.wsspi.security.audit.AuditServiceProvider

    So for 1. is the AuditServiceProvider interface what I need? Or the GenericEvent interface you suggested?

    For 2, I found no clues in audit.xml (as there is no third party provider defined).. but I presume the GenericEventFactory interface you suggested is the right one here? My sendEvent() would return true/false depending on if particular events will be handled?

    Assuming I author the correct classes, would I put the JAR into /lib ? Presume I'd need a server restart ;-)..

    Regards, Dave
  • kark
    kark
    26 Posts

    Re: How to track which users are logged into WAS/WLE using auditing

    ‏2012-11-13T23:26:38Z  
    Dave,

    I will confirm and get back on the usage of these soon.

    We recommend user implemented jars to be placed in the lib/ext directory. You will need a server restart after configuring your own implementation.

    --Ajay
  • emilyt
    emilyt
    2 Posts

    Re: How to track which users are logged into WAS/WLE using auditing

    ‏2012-11-16T16:13:48Z  
    Hi Dave,

    To answer your questions:

    So for 1. is the AuditServiceProvider interface what I need? Or the GenericEvent interface you suggested?

    >> You would need to implement the AuditServiceProvider interface and not the GenericEvent interface.

    For 2, I found no clues in audit.xml (as there is no third party provider defined).. but I presume the GenericEventFactory interface you suggested is the right one here? My sendEvent() would return true/false depending on if particular events will be handled?

    >> The GenericEventFactory interface is not correct. If you create a 3rd party emitter, you can split the "formatting" part of it off from the implementation of the emitter itself. The class implementing the formatting part of the data is what's specified here. It is not an implementation of any audit interface, but your own class.

    Hope that helps. If not, more than happy to provide some more guidance.

    Emily
  • SystemAdmin
    SystemAdmin
    590 Posts

    Re: How to track which users are logged into WAS/WLE using auditing

    ‏2013-01-06T18:09:36Z  
    Thanks! I'll reply below...
  • SystemAdmin
    SystemAdmin
    590 Posts

    Re: How to track which users are logged into WAS/WLE using auditing

    ‏2013-01-06T18:24:32Z  
    Hello,

    Thanks Ajay & Emily for your help.

    I implemented an Audit Service Provider (and an Audit Event Factory). Functionally it works well.

    However, when I turn on AUTHN / SUCCESS, response times for the application (AJAX services) increase from 0.2 to 4.7 seconds. To put this in context, the applications are built using WLE tooling and in particular I am talking about AJAX services defined within the programming model.

    These response times apply to empty services (so it's really only WLE/WAS product code at play). There appeared to be a 4.5sec pause (no CPU usage) on each response. Note there's only one request happening at a time, the server is idle.

    I did a stack trace (4.5 seconds plenty of time to grab one) and this is the issue: (I have removed many lines)

    at java/net/Inet4AddressImpl.getHostByAddr(Native Method)
    at java/net/InetAddress.getCanonicalHostName(InetAddress.java:517)
    com/ibm/ws/webcontainer/srt/SRTServletRequest.getRemoteHost(SRTServletRequest.java:671)
    at com/ibm/ws/security/audit/utils/AuditHelper.buildSessionData(AuditHelper.java:466)
    at com/ibm/ws/security/web/WebAuthenticator.validate(WebAuthenticator.java:3808)

    So it appears there is something peculiar about the client's network that causes a 4 sec delay trying to turn an IP into a hostname... Nslookup also times out for my IP address.

    Indeed, in standalone Java this*** takes 4 secs.
    InetAddress i = Inet4Address.getByName(args[0]); // needs import java.net.*
    i.getCanonicalHostName(); //***

    (This code path occurs when I use AUTHN / SUCCESS and configure my audit event factory, even if the audit event factory's sendEvent does nothing.)

    Any ideas? Is there any way to stop the audit framework from trying to do this? (it is totally unnecessary for us).

    Cheers, Dave
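
A stand-alone check for the reverse-lookup delay described in the post above, added here as an example and not part of the original post or of WAS code. It times the same `getCanonicalHostName()` call seen in the stack trace, then shows a lookup bounded by a timeout that falls back to the literal IP; the class name `ReverseLookupProbe`, the 500 ms limit and the sample address are assumptions.

```java
import java.net.InetAddress;
import java.util.concurrent.*;

/** Hypothetical probe: measures reverse DNS latency for one client address. */
public class ReverseLookupProbe {

    /** Time one unbounded reverse lookup, in milliseconds. */
    static long timeReverseLookupMs(InetAddress addr) {
        long start = System.nanoTime();
        addr.getCanonicalHostName();              // the call seen in the stack trace
        return TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);
    }

    /** Reverse lookup bounded by timeoutMs; returns the literal IP if it is slow or fails. */
    static String hostNameOrLiteral(final InetAddress addr, long timeoutMs)
            throws InterruptedException {
        ExecutorService pool = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "rdns-probe");
                t.setDaemon(true);                // a stuck native lookup must not block JVM exit
                return t;
            }
        });
        Future<String> lookup = pool.submit(new Callable<String>() {
            public String call() { return addr.getCanonicalHostName(); }
        });
        try {
            return lookup.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException slow) {
            return addr.getHostAddress();
        } catch (ExecutionException failed) {
            return addr.getHostAddress();
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // 192.0.2.10 is a constructed sample (documentation range); pass a real client IP.
        String ip = args.length > 0 ? args[0] : "192.0.2.10";
        System.out.println("unbounded lookup: "
                + timeReverseLookupMs(InetAddress.getByName(ip)) + " ms");
        // Fresh InetAddress, since some JDKs cache the canonical name on the instance.
        System.out.println("bounded (500 ms): "
                + hostNameOrLiteral(InetAddress.getByName(ip), 500));
    }
}
```

Running it from the application server host against a client IP that shows the delay separates a resolver problem from anything in the audit configuration.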
  • emilyt
    emilyt
    2 Posts

    Re: How to track which users are logged into WAS/WLE using auditing

    ‏2013-01-07T15:23:10Z  
    Is there any way to stop the audit framework from trying to do this? (it is totally unnecessary for us).

    Hi Dave,

    Are you asking if there is a way in the audit framework to not gather the remote host information, thus eliminating the 4.0+ sec delay? If yes, then no, there is no mechanism to say gather information bits for x (for example, user name), y (for example, resource name), but not z (for example, remote host id).

    What version of Java are you running with? While running stress testing with JDK 1.5 and 1.6, we are not seeing this delay, so am wondering if there is something specific to how your environment is set up (i.e., load balancers, etc.?)

    Emily
  • SystemAdmin
    SystemAdmin
    590 Posts

    Re: How to track which users are logged into WAS/WLE using auditing

    ‏2013-01-18T12:39:24Z  
    It seems specific to the client environment and is an intermittent DNS issue for host lookups of dynamic IPs, e.g. my laptop via VPN. I have since made an alternative solution by adding hooks into the WLE product JSPs. Thanks for the help.