author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2017-11-29 15:22:35 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-11-29 15:22:35 +0100 |
commit | aca317fce93ddb796e7cbc38468d92719c85f28c (patch) | |
tree | 39d857e3cbe2a83e3ee99291b774c6eccdd096e5 | |
parent | fc8f7f3dcfc8b69a84ccd5657de8c0bdde5f9f3f (diff) | |
parent | 450e951718633ec57fcae7a2449f6db23a527545 (diff) |
Merge pull request #4307 from vespa-engine/bjorncs/ssl-details-access-log
Bjorncs/ssl details access log
5 files changed, 29 insertions, 5 deletions
diff --git a/container-accesslogging/src/main/java/com/yahoo/container/logging/AccessLogEntry.java b/container-accesslogging/src/main/java/com/yahoo/container/logging/AccessLogEntry.java
index 9120c747293..24078151d64 100644
--- a/container-accesslogging/src/main/java/com/yahoo/container/logging/AccessLogEntry.java
+++ b/container-accesslogging/src/main/java/com/yahoo/container/logging/AccessLogEntry.java
@@ -4,6 +4,7 @@ package com.yahoo.container.logging;
 import com.yahoo.collections.ListMap;
 import org.apache.commons.lang.builder.ReflectionToStringBuilder;
+import javax.security.auth.x500.X500Principal;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.URI;
@@ -94,6 +95,7 @@ public class AccessLogEntry {
     private String scheme;
     private int localPort;
     private Principal principal;
+    private X500Principal sslPrincipal;
     private ListMap<String,String> keyValues=null;
@@ -724,6 +726,19 @@ public class AccessLogEntry {
         }
     }
+    public Principal getSslPrincipal() {
+        synchronized (monitor) {
+            return sslPrincipal;
+        }
+    }
+
+    public void setSslPrincipal(X500Principal sslPrincipal) {
+        synchronized (monitor) {
+            requireNull(this.sslPrincipal);
+            this.sslPrincipal = sslPrincipal;
+        }
+    }
+
     @Override
     public String toString() {
         synchronized (monitor) {
diff --git a/container-accesslogging/src/main/java/com/yahoo/container/logging/JSONFormatter.java b/container-accesslogging/src/main/java/com/yahoo/container/logging/JSONFormatter.java
index cca8da2e936..a8be7c5ed13 100644
--- a/container-accesslogging/src/main/java/com/yahoo/container/logging/JSONFormatter.java
+++ b/container-accesslogging/src/main/java/com/yahoo/container/logging/JSONFormatter.java
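Review bot: getSslPrincipal() in the -724,6 hunk is declared to return Principal although the field it returns and the setSslPrincipal parameter are both X500Principal, so a caller that wants the X.500 name has to cast; `public X500Principal getSslPrincipal() {` keeps getter and setter consistent. The getter also carries no Javadoc; since the AccessLogRequestLog hunk in this same commit fills it from the first element of the X509Certificate array stored under JDISC_REQUEST_X509CERT, a one-liner such as `/** Subject of the client certificate recorded for this request, or null if none was set. */` would tell readers what the value represents.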
@@ -65,10 +65,12 @@ public class JSONFormatter {
         Principal principal = accessLogEntry.getUserPrincipal();
         if (principal != null) {
-            generator.writeObjectFieldStart("user-principal");
-            generator.writeStringField("name", principal.getName());
-            generator.writeStringField("type", principal.getClass().getName());
-            generator.writeEndObject();
+            generator.writeStringField("user-principal", principal.getName());
+        }
+
+        Principal sslPrincipal = accessLogEntry.getSslPrincipal();
+        if (sslPrincipal != null) {
+            generator.writeStringField("ssl-principal", principal.getName());
         }
         // Only add remote address/port fields if relevant
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java
index c3c83474e56..771e57b0437 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java
@@ -19,6 +19,7 @@ import java.net.URISyntaxException;
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.security.Principal;
+import java.security.cert.X509Certificate;
 import java.util.Optional;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -115,6 +116,10 @@ public class AccessLogRequestLog extends AbstractLifeCycle implements RequestLog
         if (principal != null) {
             accessLogEntry.setUserPrincipal(principal);
         }
+        X509Certificate[] clientCert = (X509Certificate[]) request.getAttribute(ServletRequest.JDISC_REQUEST_X509CERT);
+        if (clientCert != null && clientCert.length > 0) {
+            accessLogEntry.setSslPrincipal(clientCert[0].getSubjectX500Principal());
+        }
     }
     private static String getRemoteAddress(final HttpServletRequest request) {
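Review bot: The new ssl-principal branch in the -65,10 hunk writes `principal.getName()` instead of `sslPrincipal.getName()`, so the ssl-principal field is filled with the user principal's name, and when only the SSL principal is present (principal == null, sslPrincipal != null) the formatter throws a NullPointerException while writing the record. The line should read `generator.writeStringField("ssl-principal", sslPrincipal.getName());`. Note also that user-principal changes from a JSON object with name/type members to a plain string; that is presumably intended, but any log consumer that reads `user-principal.name` will stop matching.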
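Review bot: The unchecked cast `(X509Certificate[])` on request.getAttribute(...) in the -115,6 hunk turns an attribute of any other type into a ClassCastException thrown from the request-log path, which would drop the access-log line for that request; an instanceof check keeps logging robust against an unexpected attribute type. The enclosing method begins before the hunk. It is also worth confirming that the attribute is reachable here at all: the HttpRequestFactory hunk stores the chain in `httpRequest.context()` under the same key, and whether that value surfaces as a servlet request attribute depends on code outside this diff.
```java
        Object certAttribute = request.getAttribute(ServletRequest.JDISC_REQUEST_X509CERT);
        if (certAttribute instanceof X509Certificate[]) {
            X509Certificate[] clientCert = (X509Certificate[]) certAttribute;
            if (clientCert.length > 0) {
                accessLogEntry.setSslPrincipal(clientCert[0].getSubjectX500Principal());
            }
        }
```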
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java
index 714d75f9d1e..a005ea7d96e 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java
@@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.server.jetty;
 import com.yahoo.jdisc.Response;
 import com.yahoo.jdisc.http.HttpRequest;
+import com.yahoo.jdisc.http.servlet.ServletRequest;
 import com.yahoo.jdisc.service.CurrentContainer;
 import javax.servlet.http.HttpServletRequest;
@@ -27,7 +28,7 @@ class HttpRequestFactory {
                 HttpRequest.Version.fromString(servletRequest.getProtocol()),
                 new InetSocketAddress(servletRequest.getRemoteAddr(), servletRequest.getRemotePort()),
                 getConnection(servletRequest).getCreatedTimeStamp());
-        httpRequest.context().put("jdisc.request.X509Certificate", getCertChain(servletRequest));
+        httpRequest.context().put(ServletRequest.JDISC_REQUEST_X509CERT, getCertChain(servletRequest));
         return httpRequest;
     }
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletRequest.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletRequest.java
index db8780b087c..ea36237bc45 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletRequest.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletRequest.java
@@ -38,6 +38,7 @@ import static com.yahoo.jdisc.http.core.HttpServletRequestUtils.getConnection;
  */
 public class ServletRequest extends HttpServletRequestWrapper implements ServletOrJdiscHttpRequest {
     public static final String JDISC_REQUEST_PRINCIPAL = "jdisc.request.principal";
+    public static final String JDISC_REQUEST_X509CERT = "jdisc.request.X509Certificate";
     private final HttpServletRequest request;
     private final HeaderFields headerFields; |