Displaying username in WebSphere access log - part 2

Running WAS in Linux, authenticating using RACF to mainframe... but no user ID in WAS access.log, just a '-'.  Any ideas how to get a user ID in the log?

Asked by: j9murphy

Gary Patterson (VP Technology / Senior Consultant) commented:

j9murphy (Author) commented:
Saw that... but there is no real solution offered in this thread except for cookies, which the original poster pointed out won't work if the cookie is encrypted.  The author eventually closed the thread, saying the information was not available.  I am trying to find out if anyone has made this work.  BTW we are using form-based authentication....

Gary Patterson (VP Technology / Senior Consultant) commented:
The link above gives you the alternatives for this particular log, which is generated by the HTTP server.  The HTTP server has very limited logging capabilities in this regard.

If you're looking for ways to get user login or other security-related information OUTSIDE of the ACCESS LOG, you might want to consider rephrasing your question.

HTTP/HTTPS Access log

The user ID field in the access log is populated by the web server application.  It only recognizes a user ID when it is specified in HTTP (or HTTPS, perhaps) authentication.  The HTTP protocol has authentication capabilities built into the protocol, and the web server knows where to look for the user ID when HTTP authentication is in use.

http://www.httpwatch.com/httpgallery/authentication/

Cookies

Under certain circumstances, you may be able to enable cookie logging, and then obtain user ID information from the access log (but not in the User ID field - it will be in the cookie field) provided that the user ID is stored in a cookie, the cookie is not encrypted, or the cookie is encrypted and you have the ability to decrypt the cookie.

Form-based authentication

If you use form-based authentication (and cookies are not used in conjunction to store user IDs), then you are, in essence, providing "user-defined" authentication (at least from the web server application's perspective), and it then becomes your application's job to perform any logging that is needed, since the user name is contained in an application-defined form field that is not part of the HTTP authentication specification.

http://www.coderanch.com/t/74922/Websphere/Websphere-Security-Audit-log
http://www.ibm.com/developerworks/websphere/techjournal/0802_supauth/0802_supauth.html
http://www.redbooks.ibm.com/abstracts/tips0220.html?Open

WAS Security Auditing

Another alternative is to use Security Auditing.  Different versions of WAS also provide differing Security Auditing functionality that may be an alternate way for you to get the information you need.  Nice tutorials on WAS 7 Security and Security Auditing here at IBM Education Assistant:

http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?topic=/com.ibm.iea.was_v7/plugin_coverpage.html

And the main WAS 7 Information Center link for Security is here:

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/welc6topsecuring.html

- Gary Patterson
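
The form-based authentication point in the answer above, as an added example that is not part of the original thread and is not IBM's code: a servlet filter that writes the authenticated user to an application log, since the HTTP server's access log only shows '-'. It assumes the form login is handled by the Java EE container, so that `getRemoteUser()` returns the user; the class name `UserAccessLogFilter` and the logger name `app.useraccess` are hypothetical.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical filter: one log line per request, including the authenticated user. */
public class UserAccessLogFilter implements Filter {
    // Logger name is an assumption; route it to its own file in the logging config.
    private static final Logger LOG = Logger.getLogger("app.useraccess");

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest http = (HttpServletRequest) req;
        // Read the user before the chain runs so a logout request is still attributed.
        String user = http.getRemoteUser();   // null when the caller is not authenticated
        long start = System.currentTimeMillis();
        try {
            chain.doFilter(req, res);
        } finally {
            long ms = System.currentTimeMillis() - start;
            // The query string is deliberately not logged: it can carry credentials or tokens.
            LOG.info(clean(http.getRemoteAddr()) + " " + clean(user) + " "
                    + clean(http.getMethod()) + " " + clean(http.getRequestURI())
                    + " " + ms + "ms");
        }
    }

    // Replace control characters and whitespace so a crafted user name or URI
    // cannot forge extra log lines or shift fields; missing values become "-".
    static String clean(String s) {
        if (s == null || s.length() == 0) {
            return "-";
        }
        return s.replaceAll("[\\p{Cntrl}\\s]", "_");
    }
}
```

The filter has to be declared and mapped to the protected URL patterns in the application's `web.xml`; requests that reach it without an authenticated user are logged with '-' in the user field.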
j9murphy (Author) commented:
I guess the takeaway here is that with form-based authentication I'm on my own :) .. looks like the best thing to do is going to be to write my own log with the info rather than rely on the access log.

Gary Patterson (VP Technology / Senior Consultant) commented:
Look at WebSphere's excellent security auditing capabilities before you decide to implement auditing yourself.

- Gary
Gary Patterson (VP Technology / Senior Consultant) commented:
That's not very polite.  Especially, since that's exactly the answer I gave you in both 35477249 and 35478364.

- Gary
Gary Patterson (VP Technology / Senior Consultant) commented:
That's exactly the answer I gave in both 35477249 and 35478364.

- Gary
j9murphy (Author) commented:
Sheesh... just clicked the wrong 'accept' button.  Should be fixed now.. someone just needs to clean up the extraneous noise.  Don't get your underwear all in a wad...lol

Gary Patterson (VP Technology / Senior Consultant) commented:
No biggie.  People screw up closing questions all the time, so you aren't alone.