
Key: QB-3566
Type: Improvement
Status: Open
Priority: Major
Assignee: Robin Shen
Reporter: Jedrzej Buraczewski
Votes: 0
Watchers: 0


Add more descriptive access logs

Created: 06/May/20 08:59 AM   Updated: 13/May/20 12:30 AM
Component/s: None
Affects Version/s: 10.0.11
Fix Version/s: None

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown

Description
After adding the anonymous group to QB, it starts to log the following error for every REST call which requires authorization:
ERROR com.pmease.quickbuild.rest.providers.AccessDeniedExceptionMapper - Access denied when accessing restful service.

It wouldn't be that bad, but this event is registered before the user has the possibility to log in.
It makes the log file bigger than necessary, and it's not descriptive, as we still don't know who tried to log in and what call it was.

My proposition:
a) move access logs to dedicated file other than quickbuild.log and console.log
b) add the IP address and the URL that was being reached
c) decrease ERROR log level to INFO
d) optional: consider whether it is possible not to write info about accessing the REST API when the user logs in successfully immediately

Comments
Robin Shen [08/May/20 01:04 PM]
>> It wouldn't be that bad, but this event is registered before the user has the possibility to log in.

Can you explain more about this? I tested with curl, and the error is only logged when the user does not have permission to access a resource. If accessed with an appropriate user name/password, the resource will be returned and no error is logged.

Jedrzej Buraczewski [12/May/20 01:32 PM]
We tried to enter some restricted resources via the API using a web browser in private mode (Opera/Chrome), and the "Access denied" entry was added to the log immediately, at the same moment the user login prompt window showed.

It is highly possible that the browser at first tries to log in as anonymous and, after that fails, asks the user for credentials. That explains why reproducing this issue using curl is not possible, but we can't ask people not to use a browser while accessing the API.

Robin Shen [13/May/20 12:30 AM]
Thanks for the info. Yes, the browser will try to log in anonymously first. It is reasonable to log access denied as a DEBUG message instead of ERROR. Will make it into the next patch release.
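
Added example (not part of the issue thread and not QuickBuild code): a log filter that separates the browser's anonymous-first attempt described in the comments from denials worth reviewing, which becomes possible once entries carry the IP address and URL requested in item b). The line format, field names and the 30-second window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in an assumed format; QuickBuild does not emit these lines.
SAMPLE = """\
2020-05-12 13:32:01 ip=10.0.0.5 user=anonymous url=/rest/configurations result=denied
2020-05-12 13:32:04 ip=10.0.0.5 user=jdoe url=/rest/configurations result=ok
2020-05-12 13:33:10 ip=10.0.0.9 user=anonymous url=/rest/users result=denied
2020-05-12 13:33:40 ip=10.0.0.9 user=anonymous url=/rest/users result=denied
2020-05-12 13:34:00 ip=10.0.0.7 user=bob url=/rest/users result=denied
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) url=(?P<url>\S+) result=(?P<result>ok|denied)$"
)

def parse(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def real_denials(events, window=timedelta(seconds=30)):
    """Drop anonymous denials that the same IP follows with a successful
    authenticated request to the same URL inside `window` (the browser's
    anonymous-first attempt); keep every other denial."""
    kept = []
    for i, ev in enumerate(events):
        if ev["result"] != "denied":
            continue
        followed = ev["user"] == "anonymous" and any(
            later["ip"] == ev["ip"] and later["url"] == ev["url"]
            and later["result"] == "ok" and later["user"] != "anonymous"
            and timedelta(0) <= later["ts"] - ev["ts"] <= window
            for later in events[i + 1:]
        )
        if not followed:
            kept.append(ev)
    return kept

if __name__ == "__main__":
    for ev in real_denials(parse(SAMPLE)):
        print(ev["ts"], ev["ip"], ev["user"], ev["url"])
```

Repeated anonymous denials with no successful login afterwards, and denials for an already authenticated user, stay in the output; only the challenge-then-login pair is treated as noise.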