Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
Description
In case of a failed plain-text connection, we get:
2011-08-29 09:21:26,936 connected: local:/192.168.183.22:6123, remote:/192.168.208.50:44390
2011-08-29 09:21:26,947 STOMP connection '/192.168.208.50:44390' error: Connect not authorized. Username=monitor
2011-08-29 09:21:26,951 disconnected: local:/192.168.183.22:6123, remote:/192.168.208.50:44390
But in case of failed X.509 connection, we only get:
2011-08-29 09:21:42,961 connected: local:/192.168.183.22:6133, remote:/192.168.208.50:33530
2011-08-29 09:21:43,009 STOMP connection '/192.168.208.50:33530' error: Connect not authorized.
2011-08-29 09:21:43,011 disconnected: local:/192.168.183.22:6133, remote:/192.168.208.50:33530
Would it be possible to also log the DN that failed to authenticate?
More generally, in case of authorization failure, we get minimal information:
2011-08-29 09:36:42,061 connected: local:/192.168.183.22:6133, remote:/192.168.208.50:49343
2011-08-29 09:36:42,214 STOMP connection '/192.168.208.50:49343' error: Not authorized to receive from the destination.
2011-08-29 09:36:42,217 disconnected: local:/192.168.183.22:6133, remote:/192.168.208.50:49343
Would it be possible to log more and include the identity (ideally, a list of pairs of principal kind + value) and the destination (probably as a pair of kind + name)?
This extra information would greatly help creating and testing authorization rules as per APLO-56...
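The gap the reporter describes can be seen by correlating the three broker log lines per connection: the plain-text failure carries a `Username=` token, the X.509 and destination failures carry no identity at all. The following parser, added here as an illustration and not code from the issue or from the Apollo project, runs over the exact lines quoted above (embedded as `SAMPLE_LOG`), ties each `error:` line back to its `connected:`/`disconnected:` lines by remote address, and reports which authorization failures lack an identity. The regular expressions and the `stage` classification are assumptions based only on the log format visible in this issue.

```python
import re

# Log lines copied verbatim from the issue description (Apollo broker output).
SAMPLE_LOG = """\
2011-08-29 09:21:26,936 connected: local:/192.168.183.22:6123, remote:/192.168.208.50:44390
2011-08-29 09:21:26,947 STOMP connection '/192.168.208.50:44390' error: Connect not authorized. Username=monitor
2011-08-29 09:21:26,951 disconnected: local:/192.168.183.22:6123, remote:/192.168.208.50:44390
2011-08-29 09:21:42,961 connected: local:/192.168.183.22:6133, remote:/192.168.208.50:33530
2011-08-29 09:21:43,009 STOMP connection '/192.168.208.50:33530' error: Connect not authorized.
2011-08-29 09:21:43,011 disconnected: local:/192.168.183.22:6133, remote:/192.168.208.50:33530
2011-08-29 09:36:42,061 connected: local:/192.168.183.22:6133, remote:/192.168.208.50:49343
2011-08-29 09:36:42,214 STOMP connection '/192.168.208.50:49343' error: Not authorized to receive from the destination.
2011-08-29 09:36:42,217 disconnected: local:/192.168.183.22:6133, remote:/192.168.208.50:49343
"""

# Patterns assumed from the three line shapes shown in the issue.
CONNECTED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) connected: local:/(?P<local>\S+), remote:/(?P<remote>\S+)$")
ERROR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) STOMP connection '/(?P<remote>[^']+)' error: (?P<msg>.*)$")
DISCONNECTED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) disconnected: local:/(?P<local>\S+), remote:/(?P<remote>\S+)$")
USERNAME_RE = re.compile(r"Username=(\S+)")


def parse_auth_failures(text):
    """Return one record per connection whose 'error:' line is an authorization failure.

    Each record holds the remote/local endpoints, timestamps, the error message,
    the identity if the broker printed one (None otherwise) and a coarse stage:
    'connect' for CONNECT-time failures, 'destination' for per-destination ones.
    """
    sessions = {}   # remote endpoint -> record of the currently open connection
    failures = []
    for line in text.splitlines():
        m = CONNECTED_RE.match(line)
        if m:
            sessions[m["remote"]] = {"remote": m["remote"], "local": m["local"],
                                     "connected": m["ts"]}
            continue
        m = ERROR_RE.match(line)
        if m:
            msg = m["msg"]
            if "not authorized" not in msg.lower():
                continue                      # not an authz failure; ignore
            rec = sessions.setdefault(m["remote"], {"remote": m["remote"]})
            rec["error_at"] = m["ts"]
            rec["message"] = msg
            um = USERNAME_RE.search(msg)      # only present for plain-text logins
            rec["identity"] = um.group(1) if um else None
            rec["stage"] = "connect" if msg.startswith("Connect not authorized") else "destination"
            failures.append(rec)
            continue
        m = DISCONNECTED_RE.match(line)
        if m and m["remote"] in sessions:
            # Same dict object as the one appended above, so the record is completed in place.
            sessions.pop(m["remote"])["disconnected"] = m["ts"]
    return failures


def failures_without_identity(records):
    """The failures an operator cannot attribute to a principal from the log alone."""
    return [r for r in records if r["identity"] is None]


if __name__ == "__main__":
    recs = parse_auth_failures(SAMPLE_LOG)
    for r in recs:
        print(f"{r['error_at']} {r['remote']:<22} stage={r['stage']:<11} "
              f"identity={r['identity']!r}")
    print(f"{len(failures_without_identity(recs))} of {len(recs)} failures carry no identity")
```

Run against the quoted lines, two of the three authorization failures come back with `identity=None`, which is exactly why the reporter asks for the DN (and, for destination checks, the principal list and destination name) to be logged.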