  1. EJBCA
  2. ECA-7191

Add request/response logging for REST calls


    • Type: Improvement
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.14.0
    • Component/s: None
    • Labels:


      Most external protocols do info logging of request/response, both for audit purposes, so customers can see when and from where requests come in, and for debugging purposes, so we can see from customer logs if requests were actually received.

      Currently when making a simple REST call, nothing is logged, except that the Service control filter lets the request through.

      curl -X GET "https://localhost:8443/ejbca/ejbca-rest-api/v1/ca/CN=Management%20CA,O=EJBCA%20Sample,C=SE/certificate/download" --insecure --cert cert-superadmin.pem --key key-superadmin.pem

      only logs:

      2018-08-06 13:41:34,219 DEBUG [org.ejbca.util.ServiceControlFilter] (default task-57) Access to service REST Certificate Management is allowed. HTTP request https://localhost:8443/ejbca/ejbca-rest-api/v1/ca/CN=Management%20CA,O=PK-DM,C=AE/certificate/download is let through.

      We should add 2 things:

      1. Basic request logging similar to the CMP interface (see CMPServlet.java) for all REST calls (generic in a single place, is there such a place?).


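      // Log the incoming request before processing starts
      log.info(intres.getLocalizedMessage("cmp.receivedmsg", remoteAddr, alias));
      final long startTime = System.currentTimeMillis();
      // ... the request is processed here ...
      final long endTime = System.currentTimeMillis();
      // Log the response together with the processing time in milliseconds
      log.info(intres.getLocalizedMessage("cmp.sentresponsemsg", remoteAddr, Long.valueOf(endTime - startTime)));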


      Example CMP request/response logs:

      2018-08-06 13:56:00,976 INFO [org.ejbca.ui.web.protocol.CmpServlet] (default task-67) CMP message received from:, for CMP alias: cmp 
      2018-08-06 13:56:01,432 INFO [org.ejbca.ui.web.protocol.CmpServlet] (default task-67) Sent a CMP response to:, process time 456. 

      The logging should handle the "X-Forwarded-For" header when logging the IP the request was received from. It should log both the remoteAddress as returned from Java (which may be the proxy) and the X-Forwarded-For value, if present.
      See OCSPServlet.processOcspRequest:

      final String remoteAddress = request.getRemoteAddr();
      final String xForwardedFor = StringTools.getCleanXForwardedFor(request.getHeader("X-Forwarded-For"));  

      and OcspResponseGeneratorSessionBean.getOcspResponse:

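      if (xForwardedFor == null) {
          // No proxy header: log only the address seen by the container
          log.info(intres.getLocalizedMessage("ocsp.inforeceivedrequest", certId.getSerialNumber().toString(16), hash, remoteAddress));
      } else {
          // Proxy header present: log both the remote address and the cleaned X-Forwarded-For value
          log.info(intres.getLocalizedMessage("ocsp.inforeceivedrequestwxff", certId.getSerialNumber().toString(16), hash, remoteAddress, xForwardedFor));
      }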


      2. Ability to enable full debug logging of JSON request and response contents. This can be done either by TRACE logging, or as in SOAP WS, where it can be added by configuration of JBoss (so JBoss logs it itself), which is an acceptable approach if it's not possible to add manually as TRACE logging.

      See WS Message Debugging in: https://download.primekey.se/docs/EJBCA-Enterprise/latest/Web_Service_Interface.html
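
      One way to get item 1 "generic in a single place" is a servlet filter in front of the REST API. The sketch below is an added example, not EJBCA's own code: the class name RestLoggingFilter, the message wording and cleanXForwardedFor (a stand-in for StringTools.getCleanXForwardedFor) are hypothetical, and it assumes the javax.servlet 3.x API and log4j 1.x. Because X-Forwarded-For is supplied by the client, the value is reduced to address characters and capped in length before it reaches the log.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;

/** Hypothetical filter; map it to the REST API URL pattern in web.xml. */
public class RestLoggingFilter implements Filter {
    private static final Logger log = Logger.getLogger(RestLoggingFilter.class);
    private static final int MAX_XFF_LENGTH = 256; // assumed cap, bounds the log line size

    /** Replaces everything except IPv4/IPv6 list characters, so CR/LF cannot forge log lines. */
    static String cleanXForwardedFor(final String header) {
        if (header == null) {
            return null;
        }
        final String cleaned = header.replaceAll("[^0-9a-fA-F.:, ]", "?");
        return cleaned.length() > MAX_XFF_LENGTH ? cleaned.substring(0, MAX_XFF_LENGTH) : cleaned;
    }

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest httpReq = (HttpServletRequest) req;
        final String remoteAddr = httpReq.getRemoteAddr(); // may be the proxy's address
        final String xff = cleanXForwardedFor(httpReq.getHeader("X-Forwarded-For"));
        final String from = xff == null ? remoteAddr : remoteAddr + " (X-Forwarded-For: " + xff + ")";
        // getRequestURI() is not decoded by the container, so percent-encoded bytes stay encoded
        log.info("REST " + httpReq.getMethod() + " " + httpReq.getRequestURI() + " received from " + from);
        final long startTime = System.currentTimeMillis();
        try {
            chain.doFilter(req, resp);
        } finally {
            // Runs for failed requests too, so every received line has a matching response line
            final long processTime = System.currentTimeMillis() - startTime;
            log.info("Sent REST response to " + from + ", status "
                    + ((HttpServletResponse) resp).getStatus() + ", process time " + processTime + ".");
        }
    }

    @Override
    public void init(final FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```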






            • Assignee:
              tarmo_helmes Tarmo Raudsep
              tomas Tomas Gustavsson
              Verified by:
              Mike Agrenius Kushner, Tomas Gustavsson


              • Created:

                Time Tracking

                Original Estimate - 1 day
                Time Spent - 4 hours Remaining Estimate - 4 hours