EJBCA / ECA-7191

Add request/response logging for REST calls

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.14.0
    • Component/s: None
    • Labels:

      Description

      Most external protocols do info logging of request/response. Both for audit purposes, so customers can see when and from where requests come in, and for debugging purposes so we can see from customer logs if requests were actually received.

      Currently when making a simple REST call, nothing is logged, except that the Service control filter lets the request through.

      curl -X GET "https://localhost:8443/ejbca/ejbca-rest-api/v1/ca/CN=Management%20CA,O=EJBCA%20Sample,C=SE/certificate/download" --insecure --cert cert-superadmin.pem --key key-superadmin.pem

      only logs:

      2018-08-06 13:41:34,219 DEBUG [org.ejbca.util.ServiceControlFilter] (default task-57) Access to service REST Certificate Management is allowed. HTTP request https://localhost:8443/ejbca/ejbca-rest-api/v1/ca/CN=Management%20CA,O=PK-DM,C=AE/certificate/download is let through.

      We should add 2 things:

      1. basic request logging similar to CMP interface (see CMPServlet.java) for all REST calls (generic in a single place, is there such a place?).

       

      log.info(intres.getLocalizedMessage("cmp.receivedmsg", remoteAddr, alias));
      
      final long startTime = System.currentTimeMillis();
      
      ...
      
      final long endTime = System.currentTimeMillis();
      
      log.info(intres.getLocalizedMessage("cmp.sentresponsemsg", remoteAddr, Long.valueOf(endTime - startTime)));
      

       

      Example CMP request/response logs:

      2018-08-06 13:56:00,976 INFO [org.ejbca.ui.web.protocol.CmpServlet] (default task-67) CMP message received from: 127.0.0.1, for CMP alias: cmp 
      ... 
      2018-08-06 13:56:01,432 INFO [org.ejbca.ui.web.protocol.CmpServlet] (default task-67) Sent a CMP response to: 127.0.0.1, process time 456. 

      The logging should handle the "X-Forwarded-For" header when logging the IP the request was received from. It should log both the remoteAddress as returned from Java (which may be the proxy) and the X-Forwarded-For value, if present.
      See OCSPServlet.processOcspRequest:
       

      final String remoteAddress = request.getRemoteAddr();
      final String xForwardedFor = StringTools.getCleanXForwardedFor(request.getHeader("X-Forwarded-For"));  

      and OcspResponseGeneratorSessionBean.getOcspResponse:


      if (xForwardedFor == null) {
          log.info(intres.getLocalizedMessage("ocsp.inforeceivedrequest", certId.getSerialNumber().toString(16), hash, remoteAddress));
      } else {
          log.info(intres.getLocalizedMessage("ocsp.inforeceivedrequestwxff", certId.getSerialNumber().toString(16), hash, remoteAddress, xForwardedFor));
      }

       

      2. Ability to enable full debug logging of JSON request and response contents. This can be done either by TRACE logging, or as in SOAP WS where this is possible to add by configuration of JBoss (so JBoss logs it itself), which is an acceptable approach if it's not possible to add manually as TRACE logging.

      See WS Message Debugging in: https://download.primekey.se/docs/EJBCA-Enterprise/latest/Web_Service_Interface.html

      -Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true
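
      One way to do the request/response logging of item 1 in a single place is a servlet filter mapped to the REST path. The sketch below is an added example, not EJBCA code: the class name, the log message wording and the header clean-up rules are assumptions, and cleanXForwardedFor is a stand-in for StringTools.getCleanXForwardedFor.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (not EJBCA code): logs every REST request and response in one place. */
public class RestLoggingFilter implements Filter {
    private static final Logger log = Logger.getLogger(RestLoggingFilter.class.getName());
    private static final int MAX_XFF_LENGTH = 128; // assumed cap that bounds the log line size

    /** Stand-in for StringTools.getCleanXForwardedFor. The header is client-controlled,
     *  so CR/LF and every other character not valid in an IP list is replaced with '?'. */
    static String cleanXForwardedFor(final String header) {
        if (header == null || header.trim().isEmpty()) {
            return null;
        }
        final String cleaned = header.replaceAll("[^0-9a-fA-F.:, ]", "?");
        return cleaned.length() > MAX_XFF_LENGTH ? cleaned.substring(0, MAX_XFF_LENGTH) : cleaned;
    }

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final String remoteAddr = request.getRemoteAddr(); // may be the proxy's address
        final String xff = cleanXForwardedFor(request.getHeader("X-Forwarded-For"));
        // Log both values: remoteAddr is what the container saw, xff is what the proxy claims.
        final String from = xff == null ? remoteAddr : remoteAddr + " (X-Forwarded-For: " + xff + ")";
        // getRequestURI() is not URL-decoded, so an encoded CR/LF stays encoded in the log.
        log.info("REST request received from: " + from + ", "
                + request.getMethod() + " " + request.getRequestURI());
        final long startTime = System.currentTimeMillis();
        try {
            chain.doFilter(req, res);
        } finally {
            // Runs on failure too, so a request line is always paired with a response line.
            final long processTime = System.currentTimeMillis() - startTime;
            log.info("Sent a REST response to: " + from + ", status "
                    + ((HttpServletResponse) res).getStatus() + ", process time " + processTime + ".");
        }
    }

    @Override public void init(final FilterConfig config) { }
    @Override public void destroy() { }
}
```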

       

            People

            • Assignee:
              tarmo_helmes Tarmo Raudsep
              Reporter:
              tomas Tomas Gustavsson
              Verified by:
              Mike Agrenius Kushner, Tomas Gustavsson
            Time Tracking

            • Original Estimate: 1 day
            • Time Spent: 4 hours
            • Remaining Estimate: 4 hours