Continuing our journey to upgrade from CAS 5.0 to 6.3, I have some questions re logging differences I'm seeing.
Service not found in service registry ------------------------------------------------ With CAS 5.0, if a service was not registered, we see something like this logged for an unauthorized service such as "https://www.foo.com": WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: missing service. Service [https://www.foo.com] is not found in service registry.> This is often very helpful for troubleshooting to be able to see what URL an app is trying to use. But with CAS6.3 we see: ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <Service unauthorized> org.apereo.cas.services.UnauthorizedServiceException: Service unauthorized at org.apereo.cas.services.RegisteredServiceAccessStrategyAuditableEnforcer.execute(RegisteredServiceAccessStrategyAuditableEnforcer.java:112) ~[cas-server-core-services-api-6.3.4.jar:6.3.4] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.46] [...many many lines of stack trace...] at java.lang.Thread.run(Thread.java:829) [?:?] The unauthorized service is never identified, which removes a valuable troubleshooting tool. Is there a way to include this information? We definitely want to see things logged as ERRORs, but the stack trace seems more appropriate for something at the DEBUG level? Failed authentications ----------------------------- With CAS 5.0, when a user authentication failed, we'd see something like the following logged: INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating USERNAME> WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [USERNAME] of type [UsernamePasswordCredential], which suggests a configuration problem.> INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: USERNAME WHAT: Supplied credentials: [USERNAME] ACTION: AUTHENTICATION_FAILED APPLICATION: CAS WHEN: Fri Jul 02 17:06:00 HST 2021 CLIENT IP ADDRESS: 172.19.100.162 SERVER IP ADDRESS: 172.16.1.76 ============================================================= > Whereas with CAS 6.3, we get: INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [Invalid credentials].> INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: USERNAME WHAT: Supplied credentials: [UsernamePasswordCredential(username=USERNAME, source=null, customFields={})] ACTION: AUTHENTICATION_FAILED APPLICATION: CAS WHEN: Fri Jul 02 17:00:45 HST 2021 CLIENT IP ADDRESS: 10.17.133.2 SERVER IP ADDRESS: 10.17.133.14 ============================================================= > WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <1 errors, 0 successes> DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <1 errors, 0 successes> org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:340) ~[cas-server-core-authentication-api-6.3.4.jar:6.3.4] [... ~200 more lines of stack trace ...] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.46] at java.lang.Thread.run(Thread.java:829) [?:?] This 200+ line stack trace seems like overkill and not really helpful. Is the solution to this just not logging org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver at the debug level? -- Baron Fujimoto <[email protected]> :: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum desendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL2uh%3DN49pLnAmEuPxjem_yMmbXkQpfcj9fE3%2Brkk-v8yA%40mail.gmail.com.
