I get the following WARN log entry from org.apereo.cas.services.RegisteredServiceAccessStrategyUtils:

WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [defnotaservice] is not found in service registry.>


I believe this is configured in log4j.xml with the following in <Loggers>:

    <AsyncLogger name="org.apereo.cas.services.AbstractServicesManager" level="info" includeLocation="true"/>

Hope that at least sets you on the correct path.



From: [email protected] <[email protected]> On Behalf Of Baron Fujimoto
Sent: Saturday, July 3, 2021 1:09 AM
To: CAS Community <[email protected]>
Subject: [EXTERNAL SENDER] [cas-user] CAS 5.0, 6.3 logging differences

Continuing our journey to upgrade from CAS 5.0 to 6.3, I have some questions re 
logging differences I'm seeing.

Service not found in service registry
------------------------------------------------
With CAS 5.0, if a service was not registered, we see something like this 
logged for an unauthorized service such as "https://www.foo.com":

WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: missing service. Service [https://www.foo.com] is not found in service registry.>

This is often very helpful for troubleshooting to be able to see what URL an 
app is trying to use.

But with CAS 6.3 we see:

ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <Service unauthorized>
org.apereo.cas.services.UnauthorizedServiceException: Service unauthorized
        at org.apereo.cas.services.RegisteredServiceAccessStrategyAuditableEnforcer.execute(RegisteredServiceAccessStrategyAuditableEnforcer.java:112) ~[cas-server-core-services-api-6.3.4.jar:6.3.4]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.46]
        [...many many lines of stack trace...]
        at java.lang.Thread.run(Thread.java:829) [?:?]

The unauthorized service is never identified, which removes a valuable 
troubleshooting tool. Is there a way to include this information?

We definitely want to see things logged as ERRORs, but the stack trace seems 
more appropriate for something at the DEBUG level?

Failed authentications
-----------------------------
With CAS 5.0, when a user authentication failed, we'd see something like the 
following logged:

INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating USERNAME>
WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [USERNAME] of type [UsernamePasswordCredential], which suggests a configuration problem.>
INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: USERNAME
WHAT: Supplied credentials: [USERNAME]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jul 02 17:06:00 HST 2021
CLIENT IP ADDRESS: 172.19.100.162
SERVER IP ADDRESS: 172.16.1.76
=============================================================
>

Whereas with CAS 6.3, we get:

INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [Invalid credentials].>
INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: USERNAME
WHAT: Supplied credentials: [UsernamePasswordCredential(username=USERNAME, source=null, customFields={})]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jul 02 17:00:45 HST 2021
CLIENT IP ADDRESS: 10.17.133.2
SERVER IP ADDRESS: 10.17.133.14
=============================================================
>
WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <1 errors, 0 successes>
DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <1 errors, 0 successes>
org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
        at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:340) ~[cas-server-core-authentication-api-6.3.4.jar:6.3.4]
        [... ~200 more lines of stack trace ...]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.46]
        at java.lang.Thread.run(Thread.java:829) [?:?]

This 200+ line stack trace seems like overkill and not really helpful. Is the 
solution to this just not logging 
org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver 
at the debug level?

--
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL2uh%3DN49pLnAmEuPxjem_yMmbXkQpfcj9fE3%2Brkk-v8yA%40mail.gmail.com.
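
An added example, not part of either message and not CAS code: a small Python parser for the log formats quoted in this thread. It extracts the unregistered service from the "not found in service registry" WARN under either logger name, and reads AUTHENTICATION_FAILED audit records whether WHAT carries the bare id or the 6.3 UsernamePasswordCredential(...) form. The function names, sample users and IP addresses are assumptions made for the illustration.

```python
import re

FIELD_RE = re.compile(r"^(WHO|WHAT|ACTION|APPLICATION|WHEN|(?:CLIENT|SERVER) IP ADDRESS): (.*)$")
# Same message text under both logger names quoted in the thread; \s+ tolerates wrapping.
SERVICE_RE = re.compile(r"Service\s+\[([^\]]+)\] is not found in service\s+registry")
WRAPPED_RE = re.compile(r"\w+\(username=([^,)]+)")  # 6.3-style credential rendering

def parse_audit_records(text):
    """Return one dict per audit trail block, re-joining wrapped field values."""
    records, current, key = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if "record BEGIN" in line:
            current, key = {}, None
        elif current is None:
            continue                              # outside any audit block
        elif current and set(line) == {"="}:      # rule after the fields closes the block
            records.append(current)
            current = None
        elif (m := FIELD_RE.match(line)):
            key = m.group(1)
            current[key] = m.group(2)
        elif key and line:
            current[key] += " " + line            # continuation of a wrapped value
    return records

def credential_id(what):
    """Bare id from '[USER]' (5.0 sample) or '[UsernamePasswordCredential(username=USER, ...)]' (6.3)."""
    bracketed = re.search(r"\[(.*)\]", what)
    inner = bracketed.group(1) if bracketed else what
    wrapped = WRAPPED_RE.match(inner)
    return wrapped.group(1) if wrapped else inner

def failed_logins(text):
    """(user, client IP) for every AUTHENTICATION_FAILED record."""
    return [(credential_id(r.get("WHAT", "")), r.get("CLIENT IP ADDRESS"))
            for r in parse_audit_records(text)
            if r.get("ACTION") == "AUTHENTICATION_FAILED"]

def unregistered_services(text):
    return SERVICE_RE.findall(text)

# Constructed sample modelled on the thread's log lines; users and IPs are made up.
RULE, BEGIN = "=" * 61, "INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN"
SAMPLE = "\n".join([
    "WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: missing service. Service [https://www.foo.com] is not found in service registry.>",
    "WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [defnotaservice] is not found in service", "registry.>",
    BEGIN, RULE, "WHO: alice", "WHAT: Supplied credentials: [alice]", "ACTION: AUTHENTICATION_FAILED", "CLIENT IP ADDRESS: 192.0.2.10", RULE, ">",
    BEGIN, RULE, "WHO: bob", "WHAT: Supplied credentials: [UsernamePasswordCredential(username=bob,",
    "source=null, customFields={})]", "ACTION: AUTHENTICATION_FAILED", "CLIENT IP ADDRESS: 192.0.2.11", RULE, ">"])
```
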
