8 replies Latest Post - ‏2013-01-18T12:39:24Z by SystemAdmin
SystemAdmin

Pinned topic How to track which users are logged into WAS/WLE using auditing

‏2012-11-09T17:40:37Z |
Hello,

My client uses WLE 7.2 (running on WAS 7.0.0.25) and wants to know which users are logged into their applications. Their "applications" (say 5-10) are "Lombardi" process apps and this essentially means they are served up via a Web module in Teamworks.war (part of the WLE implementation that runs on top of WAS).

At a basic level they would like to know who is logged on / how many users are accessing the system. The users log into a login page (pretty much the standard Teamworks login page) (authenticate using LDAP) and are re-directed to a landing page process application.

1. Is there an API to retrieve security cache information? i.e. WAS has a backend security cache, the contents of which would be very useful to build such a page.

2. Is there an API to retrieve web session details ? (seems unlikely) i.e. accessing all of the sessions and the associated credentials would tell us who is using the system.

Other approaches I have considered to log the user activity direct:

A. Using a servlet filter and modifying the WLE EARs (teamworks.war) so that every HTTP request is logged.

B. Creating an "audit service provider -> New third party emitter" to capture security events
Question - What 2 interfaces must be used for this? It appears undocumented...

C. Use existing security audit to binary file and report on this (undesirable as it will cause many large files distributed across nodes)..

In either of the approaches A&B, the data could be logged to a DB or dyna-cache (a map from userId to recent activity summary) might be more appropriate..

Any suggestions appreciated, Dave
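
An added sketch of approach A combined with the userId-to-recent-activity map mentioned above; it is not IBM or WLE code and not from the poster. The class name `ActiveUserFilter`, the 30-minute idle window and the `Seen` record are assumptions, and the code is written for the Servlet 2.5 / Java 6 level that WAS 7 provides. It records the client IP with `getRemoteAddr()` rather than `getRemoteHost()`, the call that appears in the stack trace posted later in this thread.

```java
import java.io.IOException;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Added example, not IBM or WLE code. Class name, idle window and record
// layout are assumptions; the filter would be mapped to /* in web.xml.
public class ActiveUserFilter implements Filter {
    private static final long IDLE_MS = 30L * 60L * 1000L; // assumed 30 min window
    // userId -> last activity; one map per JVM, so each cluster member sees only its own users
    private static final ConcurrentMap<String, Seen> SEEN = new ConcurrentHashMap<String, Seen>();

    static final class Seen {
        final long at; final String ip;
        Seen(long at, String ip) { this.at = at; this.ip = ip; }
    }

    public void init(FilterConfig cfg) { }
    public void destroy() { SEEN.clear(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            String user = ((HttpServletRequest) req).getRemoteUser(); // null if unauthenticated
            if (user != null) {
                // getRemoteAddr() returns the IP literal. getRemoteHost() is the
                // call in the thread's stack trace that blocks on reverse DNS.
                SEEN.put(user, new Seen(System.currentTimeMillis(), req.getRemoteAddr()));
            }
        }
        chain.doFilter(req, res);
    }

    // Users seen inside the idle window, with their last client IP; prunes stale entries.
    public static Map<String, String> activeUsers(long nowMillis) {
        Map<String, String> out = new TreeMap<String, String>();
        for (Map.Entry<String, Seen> e : SEEN.entrySet()) {
            if (nowMillis - e.getValue().at > IDLE_MS) {
                SEEN.remove(e.getKey(), e.getValue()); // only if not refreshed meanwhile
            } else {
                out.put(e.getKey(), e.getValue().ip);
            }
        }
        return out;
    }
}
```

A status page or scheduled job can call `ActiveUserFilter.activeUsers(System.currentTimeMillis())` to get the current user list for that server.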
  • kark

    Re: How to track which users are logged into WAS/WLE using auditing

    ‏2012-11-12T23:25:06Z  in response to SystemAdmin
    Hi,

    There are no public APIs to get the cache information. Do not see how you can do 2) either.

    Are these the 2 interfaces for Audit you are referring to?

    http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Frsec_sa_event_interface.html

    and

    http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Frsec_sa_event_factory_interface.html

    Also, the Audit mechanism allows one to capture just the data that they are interested in (e.g. authentication only) to minimize the data captured.

    --Ajay
    • SystemAdmin

      Re: How to track which users are logged into WAS/WLE using auditing

      ‏2012-11-13T10:33:28Z  in response to kark
      Hi Ajay,

      Thanks for your response, much appreciated.

      I am looking at the page Configuring a third party audit service providers for security auditing

      Let's assume I want to create a third party audit service provider (not a binary file-based emitter) that uses JDBC to log certain events to a DB.

      When I choose Security auditing > Audit service provider > New third party emitter
      it asks for both:

      1. Third party emitter class name
      2. Event formatting module class name

      When I looked into audit.xml and the default Binary emitter (...runtime.jar), it implemented com.ibm.wsspi.security.audit.AuditServiceProvider

      So for 1. is the AuditServiceProvider interface what I need? Or the GenericEvent interface you suggested?

      For 2, I found no clues in audit.xml (as there is no third party provider defined).. but I presume the GenericEventFactory interface you suggested is the right one here? My sendEvent() would return true/false depending on if particular events will be handled?

      Assuming I author the correct classes, would I put the JAR into /lib ? Presume I'd need a server restart ;-)..

      Regards, Dave
      • kark

        Re: How to track which users are logged into WAS/WLE using auditing

        ‏2012-11-13T23:26:38Z  in response to SystemAdmin
        Dave,

        I will confirm and get back on the usage of these soon.

        We recommend user implemented jars to be placed in the lib/ext directory. You will need a server restart after configuring your own implementation.

        --Ajay
        • SystemAdmin

          Re: How to track which users are logged into WAS/WLE using auditing

          ‏2013-01-06T18:09:36Z  in response to kark
          Thanks! I'll reply below...
      • emilyt

        Re: How to track which users are logged into WAS/WLE using auditing

        ‏2012-11-16T16:13:48Z  in response to SystemAdmin
        Hi Dave,

        To answer your questions:

        So for 1. is the AuditServiceProvider interface what I need? Or the GenericEvent interface you suggested?

        >> You would need to implement the AuditServiceProvider interface and not the GenericEvent interface.

        For 2, I found no clues in audit.xml (as there is no third party provider defined).. but I presume the GenericEventFactory interface you suggested is the right one here? My sendEvent() would return true/false depending on if particular events will be handled?

        >> The GenericEventFactory interface is not correct. If you create a 3rd party emitter, you can split the "formatting" part of it off from the implementation of the emitter itself. The class implementing the formatting part of the data is what's specified here. It is not an implementation of any audit interface, but your own class.

        Hope that helps. If not, more than happy to provide some more guidance.

        Emily
        • SystemAdmin

          Re: How to track which users are logged into WAS/WLE using auditing

          ‏2013-01-06T18:24:32Z  in response to emilyt
          Hello,

          Thanks Ajay & Emily for your help.

          I implemented an Audit Service Provider (and an Audit Event Factory). Functionally it works well.

          However, when I turn on AUTHN / SUCCESS, response times for the application (AJAX services) increase from 0.2 to 4.7 seconds. To put this in context, the applications are built using WLE tooling and in particular I am talking about AJAX services defined within the programming model.

          These response times apply to empty services (so it's really only WLE/WAS product code at play). There appeared to be a 4.5sec pause (no CPU usage) on each response. Note there's only one request happening at a time, the server is idle.

          I did a stack trace (4.5 seconds is plenty of time to grab one) and this is the issue: (I have removed many lines)

          at java/net/Inet4AddressImpl.getHostByAddr(Native Method)
          at java/net/InetAddress.getCanonicalHostName(InetAddress.java:517)
          com/ibm/ws/webcontainer/srt/SRTServletRequest.getRemoteHost(SRTServletRequest.java:671)
          at com/ibm/ws/security/audit/utils/AuditHelper.buildSessionData(AuditHelper.java:466)
          at com/ibm/ws/security/web/WebAuthenticator.validate(WebAuthenticator.java:3808)

          So it appears there is something peculiar about the client's network that causes a 4 sec delay trying to turn an IP into a hostname... Nslookup also times out for my IP address.

          Indeed, in standalone Java this*** takes 4 secs.
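          // uses java.net.InetAddress and java.net.Inet4Address
          InetAddress i = Inet4Address.getByName(args[0]);
          i.getCanonicalHostName(); //*** reverse (PTR) lookup; this is the call that blocks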

          (This code path occurs when I use AUTHN / SUCCESS and configure my audit event factory, even if the audit event factory's sendEvent does nothing.)

          Any ideas? Is there any way to stop the audit framework from trying to do this? (it is totally unnecessary for us).

          Cheers, Dave
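
An added stand-alone probe for the delay described in the post above; it is not code from the thread or from WAS. It times the same `getCanonicalHostName()` call seen in the stack trace and compares it with a lookup capped by a timeout that falls back to the IP literal. The class name, the 250 ms cap and the default address are assumptions, and the code is kept at Java 6 level.

```java
import java.net.InetAddress;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

// Added example, not code from the thread or from WAS.
public class ReverseLookupProbe {

    // Reverse-resolve addr but give up after timeoutMs, falling back to the
    // IP literal so a slow or broken PTR zone cannot stall the caller.
    static String hostOrIp(final InetAddress addr, long timeoutMs) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Future<String> f = pool.submit(new Callable<String>() {
                public String call() {
                    return addr.getCanonicalHostName(); // blocking PTR lookup
                }
            });
            return f.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            return addr.getHostAddress(); // formats the address bytes, no DNS
        } finally {
            pool.shutdownNow(); // the native lookup itself cannot be interrupted
        }
    }

    static long millisSince(long startNanos) {
        return TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startNanos);
    }

    public static void main(String[] args) throws Exception {
        // Default is a constructed documentation address (RFC 5737), not a real client.
        String ip = args.length > 0 ? args[0] : "192.0.2.10";

        long t0 = System.nanoTime();
        String bounded = hostOrIp(InetAddress.getByName(ip), 250);
        System.out.println("bounded (250 ms cap): " + bounded + " after " + millisSince(t0) + " ms");

        t0 = System.nanoTime();
        String unbounded = InetAddress.getByName(ip).getCanonicalHostName();
        System.out.println("unbounded: " + unbounded + " after " + millisSince(t0) + " ms");
    }
}
```

Run it from the application server host with a client IP as the argument; an unbounded time in the seconds range reproduces the pause outside WAS and points at the resolver configuration rather than the audit code.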
          • emilyt

            Re: How to track which users are logged into WAS/WLE using auditing

            ‏2013-01-07T15:23:10Z  in response to SystemAdmin
            Is there any way to stop the audit framework from trying to do this? (it is totally unnecessary for us).

            Hi Dave,

            Are you asking if there is a way in the audit framework to not gather the remote host information, thus eliminating the 4.0+ sec delay? If yes, then no, there is no mechanism to say gather information bits for x (for example, user name), y (for example, resource name), but not z (for example, remote host id).

            What version of Java are you running with? While running stress testing with JDK 1.5 and 1.6, we are not seeing this delay, so am wondering if there is something specific to how your environment is set up (i.e, load balancers, etc??)

            Emily
            • SystemAdmin

              Re: How to track which users are logged into WAS/WLE using auditing

              ‏2013-01-18T12:39:24Z  in response to emilyt
              It seems specific to the client environment and is an intermittent DNS issue for host lookups of dynamic IPs e.g. my laptop via VPN. I have since made an alternative solution by adding hooks into the WLE product JSPs. Thanks for the help.