I'm trying to log some security information about an EJB-based JEE application. Therefore I specifically want to log which method is called at what time and which user is trying to call it.
Currently I have simply written an Interceptor, injected the SessionContext and thus log via SessionContext.getCallerPrincipal() and InvocationContext.getMethod().
The problem is that I also want to log users trying to call methods they are not allowed to use. So if a method is only allowed via @RolesAllowed for the user group "Manager", but a user of the group "Employee" tries to call it, the interceptor logging method is never called, because the application server already restricts the business method call in the first place, so the logging method in my interceptor never gets triggered.
Is there any way to log such information, including failed calls due to security restrictions? These method calls outside someone's permissions are actually the most interesting thing for me to log.
Thanks a lot for your time.
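The setup described in the question, written out as an added example (not the poster's own code): an audit interceptor that records caller, method, time and outcome, bound to a bean with a role-restricted method. The names `AuditInterceptor`, `PayrollBean`, `approveRaise` and the logger name are hypothetical, the `javax.*` Java EE packages are assumed, and the two top-level classes belong in separate source files.

```java
// ---- AuditInterceptor.java (hypothetical name) ----
import java.time.Instant;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

public class AuditInterceptor {
    private static final Logger AUDIT = Logger.getLogger("security.audit");

    @Resource
    private SessionContext sessionContext;

    // Runs only for calls the container has already authorized: as the post
    // describes, a caller rejected by @RolesAllowed never reaches this method.
    @AroundInvoke
    public Object audit(InvocationContext ic) throws Exception {
        // Strip CR/LF so a crafted principal name cannot forge extra log lines.
        String caller = sessionContext.getCallerPrincipal().getName()
                .replaceAll("[\\r\\n]", "_");
        String method = ic.getMethod().getDeclaringClass().getName()
                + "#" + ic.getMethod().getName();
        Instant when = Instant.now();
        try {
            Object result = ic.proceed();
            AUDIT.info(when + " caller=" + caller + " method=" + method + " outcome=ok");
            return result;
        } catch (Exception e) {
            // Failures raised inside the business method are still recorded here.
            AUDIT.warning(when + " caller=" + caller + " method=" + method
                    + " outcome=error type=" + e.getClass().getName());
            throw e;
        }
    }
}

// ---- PayrollBean.java (hypothetical name) ----
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.interceptor.Interceptors;

@Stateless
@Interceptors(AuditInterceptor.class)
public class PayrollBean {
    // A caller in "Employee" is rejected before AuditInterceptor.audit() runs,
    // so no audit line is written for that attempt.
    @RolesAllowed("Manager")
    public void approveRaise(String employeeId) {
        // business logic omitted
    }
}
```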