Logging

Configuring the log API essentially amounts to producing a suitable log4j configuration. See log4j's documentation and the distributed examples for more information.

The only special case to consider is the access log. The logger's identifier will always be the fully qualified path of the AccessLogger class itself. To isolate the access log, it is therefore important to define the logger that catches the AccessLogger output before any other loggers catching output from the no.feide.moria hierarchy. Also, all logging from the AccessLogger is done at log4j level WARN, so to disable access logging, set the log level for that logger higher than WARN.

The format of the log-lines for the AccessLogger is the following:

[Timestamp] "STATUS" "service principal" "userid" "incoming ticket" "outgoing ticket"

Example:

[2004-04-30 17:10:19,046] "BAD USER CREDENTIALS" "no.feide.test" "demo@feide.no" "235892791" "350215527"

The "STATUS" field can contain any of these messages:

  • BAD USER CREDENTIALS
  • BAD SERVICE CREDENTIALS
  • OPERATIONS NOT PERMITTED
  • ACCESS DENIED USERORG
  • ACCESS DENIED INITIATE AUTH
  • ACCESS DENIED DIRECT AUTH
  • ACCESS DENIED VERIFY USER EXISTENCE
  • ACCESS DENIED PROXY AUTH
  • SSO TICKET INVALIDATED
  • SUCCESSFUL VERIFY USER
  • SUCCESSFUL GET PROXY TICKET
  • SUCCESSFUL GET ATTRIBUTES
  • SUCCESSFUL AUTH INIT
  • SUCCESSFUL PROXY AUTHENTICATION
  • SUCCESSFUL DIRECT AUTHENTICATION
  • SUCCESSFUL INTERACTIVE AUTHENTICATION
  • SUCCESSFUL SSO AUTHENTICATION
  • PROXY TICKET GENERATION DENIED INVALID PRINCIPAL
  • PROXY TICKET GENERATION DENIED UNAUTHORIZED
  • PROXY AUTH DENIED UNCACHED ATTRIBUTES
  • INITIATE DENIED INVALID URL
  • NONEXISTENT TGT
  • INVALID TGT
  • NONEXISTENT PROXY TICKET
  • INVALID PROXY TICKET
  • NONEXISTENT SERVICE TICKET
  • INVALID SERVICE TICKET
  • NONEXISTENT LOGIN TICKET
  • INVALID LOGIN TICKET
  • NONEXISTENT SSO TICKET
  • INVALID SSO TICKET
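
The line format above is regular enough to parse for monitoring. The following Python sketch is an added example, not part of Moria or its distribution: it parses access log lines and reports user IDs with repeated BAD USER CREDENTIALS entries inside a time window. The function names, the threshold and the window are hypothetical; the timestamp layout is assumed to match the example line, and input is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# [Timestamp] "STATUS" "service principal" "userid" "incoming ticket" "outgoing ticket"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<status>[^"]*)" "(?P<principal>[^"]*)" '
    r'"(?P<userid>[^"]*)" "(?P<ticket_in>[^"]*)" "(?P<ticket_out>[^"]*)"$'
)

def parse_line(line):
    """Return the six fields as a dict, or None for anything that does not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # also rejects lines where a field carries a stray quote
    rec = m.groupdict()
    try:
        # Assumption: timestamp layout as in the documented example line.
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    except ValueError:
        return None
    return rec

def repeated_bad_credentials(lines, threshold=3, window=timedelta(minutes=5)):
    """Map userid -> peak count of BAD USER CREDENTIALS seen inside `window`."""
    recent = defaultdict(deque)
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] != "BAD USER CREDENTIALS":
            continue
        q = recent[rec["userid"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["userid"]] = max(flagged.get(rec["userid"], 0), len(q))
    return flagged

# First line is the example from the text; the rest are constructed samples.
SAMPLE = [
    '[2004-04-30 17:10:19,046] "BAD USER CREDENTIALS" "no.feide.test" "demo@feide.no" "235892791" "350215527"',
    '[2004-04-30 17:10:40,112] "BAD USER CREDENTIALS" "no.feide.test" "demo@feide.no" "350215527" "411902233"',
    '[2004-04-30 17:11:02,530] "BAD USER CREDENTIALS" "no.feide.test" "demo@feide.no" "411902233" "502113344"',
    '[2004-04-30 17:11:30,007] "SUCCESSFUL INTERACTIVE AUTHENTICATION" "no.feide.test" "other@feide.no" "611223344" "722334455"',
    '[2004-04-30 17:30:00,000] "BAD USER CREDENTIALS" "no.feide.test" "other@feide.no" "722334455" "833445566"',
    'not an access log line',
]

if __name__ == "__main__":
    print(repeated_bad_credentials(SAMPLE))
```

Lines that do not match the six-field format are skipped rather than guessed at, so output from other loggers mixed into the same file does not skew the counts.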