
[QB-3566] Change access denied log level to trace to avoid cluttering log
Created: 06/May/20  Updated: 05/Jun/20

Status: Resolved
Project: QuickBuild
Component/s: None
Affects Version/s: 10.0.11
Fix Version/s: 10.0.16

Type: Improvement
Priority: Major
Reporter: Jedrzej Buraczewski
Assigned To: Unassigned
Resolution: Fixed
Votes: 0
Remaining Estimate: Unknown
Time Spent: Unknown
Original Estimate: Unknown


 Description   
After adding an anonymous group to QB, it starts to log the following error for every REST call which requires authorization:
ERROR com.pmease.quickbuild.rest.providers.AccessDeniedExceptionMapper - Access denied when accessing restful service.

It wouldn't be that bad, but this event is registered before the user has the possibility to log in.
It makes the log file bigger than necessary, and it's not descriptive, as we still don't know who tried to log in and what call it was.

My proposition:
a) move access logs to a dedicated file other than quickbuild.log and console.log
b) add the IP address and the URL that the request tried to reach
c) decrease ERROR log level to INFO
d) optional: think about whether it is possible not to write info about accessing the REST API when the user logged in successfully immediately

 Comments   
Comment by Robin Shen [ 08/May/20 01:04 PM ]
>> It wouldn't be that bad, but this event is registered before the user has the possibility to log in.

Can you explain more about this? I tested with curl, and the error is only logged when the user does not have permission to access a resource. If accessed with an appropriate user name/password, the resource will be returned and no error is logged.
Comment by Jedrzej Buraczewski [ 12/May/20 01:32 PM ]
We tried to access some restricted resources via the API using a web browser in private mode (Opera/Chrome), and the "Access denied" entry was added to the log immediately, at the same moment the user login prompt window showed.

It is highly possible that the browser at first tries to log in as anonymous and, after failing, asks the user for credentials. That explains why reproducing this issue using curl is not possible, but we can't ask people not to use a browser while accessing the API.
Comment by Robin Shen [ 13/May/20 12:30 AM ]
Thanks for the info. Yes, the browser will try to log in anonymously first. It is reasonable to log access denied as a DEBUG message instead of ERROR. Will make it into the next patch release.
Generated at Tue Apr 23 18:49:12 UTC 2024 using JIRA 189.