Auditing Providers

Auditing is the process whereby information about operating requests and the outcome of those requests are collected, stored, and distributed for the purposes of non-repudiation. In WebLogic Server, an Auditing provider provides this electronic trail of computer activity.

The following sections describe Auditing provider concepts and functionality, and provide step-by-step instructions for developing a custom Auditing provider:

• Auditing Concepts
• Do You Need to Develop a Custom Auditing Provider?
• How to Develop a Custom Auditing Provider

Note: If you are looking for information about how to write out audit events from a custom security provider, see Auditing Events From Custom Security Providers.

 

---

Auditing Concepts

Before you develop an Auditing provider, you need to understand the following concepts:

• How Auditing Providers Work With the WebLogic Security Framework and Other Types of Security Providers
• Audit Channels

How Auditing Providers Work With the WebLogic Security Framework and Other Types of Security Providers

Figure 9-1 shows how Auditing providers interact with the WebLogic Security Framework and other types of security providers (using Authentication providers as an example). An explanation follows.

Figure 9-1 Auditing Providers, the WebLogic Security Framework, and Other Security Providers

 

Auditing providers interact with the WebLogic Security Framework and other types of security providers in the following manner:

Note: In Figure 9-1 and the explanation below, the "other types of security providers" are a WebLogic Authentication provider and a custom Authentication provider. However, these can be any type of security provider that is developed as described in Auditing Events From Custom Security Providers.

1. A resource container passes a user's authentication information (for example, a username/password combination) to the WebLogic Security Framework as part of a login request.
2. The WebLogic Security Framework passes the information associated with the login request to the configured Authentication providers.
3. If, in addition to providing authentication services, the Authentication providers are designed to post audit events, the Authentication providers will each:
   1. Instantiate an AuditEvent object. At minimum, the AuditEvent object includes information about the event type to be audited and an audit severity level.

   Note: An AuditEvent class is created by implementing either the AuditEvent SSPI or an AuditEvent convenience interface in the Authentication provider's runtime class, in addition to the other security service provider interfaces (SSPIs) the custom Authentication provider must already implement. For more information about Audit Events and the AuditEvent SSPI/convenience interfaces, see Create an Audit Event.

   2. Make a trusted call to the Auditor Service, passing in the AuditEvent object.

   Note: This is a trusted call because the Auditor Service is already passed to the security provider's initialize method as part of its "Provider" SSPI implementation. For more information, see Understand the Purpose of the "Provider" SSPIs.

4. The Auditor Service passes the AuditEvent object to the configured Auditing providers' runtime classes (that is, the AuditChannel SSPI implementations), enabling audit event recording.

   Note: Depending on the Authentication providers' implementations of the AuditEvent convenience interface, audit requests may occur both pre and post event, as well as just once for an event.

5. The Auditing providers' runtime classes use the event type, audit severity and other information (such as the Audit Context) obtained from the AuditEvent object to control audit record content. Typically, only one of the configured Auditing providers will meet all the criteria for auditing.

   Note: For more information about audit severity levels and the Audit Context, see Audit Severity and Audit Context, respectively.

6. When the criteria for auditing specified by the Authentication providers in their AuditEvent objects is met, the appropriate Auditing provider's runtime class (that is, the AuditChannel SSPI implementation) writes out audit records in the manner their implementation specifies.

   Note: Depending on the AuditChannel SSPI implementation, audit records may be written to a file, a database, or some other persistent storage medium when the criteria for auditing is met.

Audit Channels

An Audit Channel is the component of an Auditing provider that determines whether a security event should be audited, and performs the actual recording of audit information based on Quality of Service (QoS) policies.

Note: For more information about Audit Channels, see Implement the AuditChannel SSPI.

 

---

Do You Need to Develop a Custom Auditing Provider?

The default (that is, active) security realm for WebLogic Server includes a WebLogic Auditing provider. The WebLogic Auditing provider records information from a number of security requests, which are determined internally by the WebLogic Security Framework. The WebLogic Auditing provider also records the event data associated with these security requests, and the outcome of the requests.

The WebLogic Auditing provider makes an audit decision in its writeEvent method, based on the audit severity level it has been configured with and the audit severity contained within the AuditEvent object that is passed into the method. (For more information about AuditEvent objects, see Create an Audit Event.

Note: You can change the audit severity level that the WebLogic Auditing provider is configured with using the WebLogic Server Administration Console. For more information, see "Configuring a WebLogic Auditing Provider" in Managing WebLogic Security.

If there is a match, the WebLogic Auditing provider writes audit information to the DefaultAuditRecorder.log file, which is located in the bea_home\user_projects\domain directory (where bea_home represents the central support directory for all BEA products installed on one machine, and domain represents the name of a domain you create). Listing 9-1 is an excerpt from the DefaultAuditRecorder.log file.

Listing 9-1 DefaultAuditRecorder.log File: Sample Output

#### Audit Record Begin <Jun 12, 2002 4:55:21 PM> <Severity=INFORMATION>
<<<Event Type=RoleManager Audit Event><Subject:2 Principal=class
weblogic.security.principal.WLSUserImpl("installadministrator") Principal=class
weblogic.security.principal.WLSGroupImpl("Administrators")><<web>><type=<web>,
application=_appsdir_certificate_war, uri=certificate.war,
webResource=CertificateServlet, httpMethod=GET><>>> Audit Record End ####

Specifically, Listing 9-1 shows the Role Manager (a component in the WebLogic Security Framework that deals specifically with roles) recording an audit event to indicate that an authorized administrator has accessed a protected method in a certificate servlet.

Each time the WebLogic Server instance is booted, a new DefaultAuditRecorder.log file is created (the old DefaultAuditRecorder.log file is renamed to DefaultAuditRecorder.log.old).

If you want to write audit information in addition to that which is specified by the WebLogic Security Framework, or to an output repository that is not the DefaultAuditRecorder.log (that is, to a simple file with a different name/location or to an existing database), then you need to develop a custom Auditing provider.

 

---

How to Develop a Custom Auditing Provider

If the WebLogic Auditing provider does not meet your needs, you can develop a custom Auditing provider by following these steps:

1. Create Runtime Classes Using the Appropriate SSPIs
2. Generate an MBean Type Using the WebLogic MBeanMaker
3. Configure the Custom Auditing Provider Using the Administration Console

Create Runtime Classes Using the Appropriate SSPIs

Before you start creating runtime classes, you should first:

• Understand the Purpose of the "Provider" SSPIs
• Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes

When you understand this information and have made your design decisions, create the runtime classes for your custom Auditing provider by following these steps:

• Implement the AuditProvider SSPI
• Implement the AuditChannel SSPI

For an example of how to create a runtime class for a custom Auditing provider, see Example: Creating the Runtime Class for the Sample Auditing Provider.

Implement the AuditProvider SSPI

To implement the AuditProvider SSPI, provide implementations for the methods described in Understand the Purpose of the "Provider" SSPIs and the following method:

getAuditChannel

public AuditChannel getAuditChannel();

The getAuditChannel method obtains the implementation of the AuditChannel SSPI. For a single runtime class called MyAuditProviderImpl.java, the implementation of the getAuditChannel method would be:

return this;

If there are two runtime classes, then the implementation of the getAuditChannel method could be:

return new MyAuditChannelImpl;

This is because the runtime class that implements the AuditProvider SSPI is used as a factory to obtain classes that implement the AuditChannel SSPI.

For more information about the AuditProvider SSPI and the getAuditChannel method, see the WebLogic Server 7.0 API Reference Javadoc.

Implement the AuditChannel SSPI

To implement the AuditChannel SSPI, provide an implementation for the following method:

writeEvent

public void writeEvent(AuditEvent event)

The writeEvent method writes an audit record based on the information specified in the AuditEvent object that is passed in. For more information about AuditEvent objects, see Create an Audit Event.

For more information about the AuditChannel SSPI and the writeEvent method, see the WebLogic Server 7.0 API Reference Javadoc.

Example: Creating the Runtime Class for the Sample Auditing Provider

Listing 9-2 shows the SampleAuditProviderImpl.java class, which is the runtime class for the sample Auditing provider. This runtime class includes implementations for:

• The three methods inherited from the SecurityProvider interface: initialize, getDescription and shutdown (as described in Understand the Purpose of the "Provider" SSPIs.)
• The method inherited from the AuditProvider SSPI: the getAuditChannel method (as described in Implement the AuditProvider SSPI).
• The method in the AuditChannel SSPI: the writeEvent method (as described in Implement the AuditChannel SSPI).

Note: The bold face code in Listing 9-2 highlights the class declaration and the method signatures.

Listing 9-2 SampleAuditProviderImpl.java

package examples.security.providers.audit;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import weblogic.management.security.ProviderMBean;
import weblogic.security.spi.AuditChannel;
import weblogic.security.spi.AuditEvent;
import weblogic.security.spi.AuditProvider;
import weblogic.security.spi.SecurityServices;

public final class SampleAuditProviderImpl implements AuditChannel, AuditProvider
{
   private String description;
   private PrintStream log;

   public void initialize(ProviderMBean mbean, SecurityServices services)
   {
      System.out.println("SampleAuditProviderImpl.initialize");

      description = mbean.getDescription() + "\n" + mbean.getVersion();

      SampleAuditorMBean myMBean = (SampleAuditorMBean)mbean;
      File file = new File(myMBean.getLogFileName());
      System.out.println("\tlogging to " + file.getAbsolutePath());

      try {
         log = new PrintStream(new FileOutputStream(file), true);
      } catch (IOException e) {
         throw new RuntimeException(e.toString());
      }
   }

   public String getDescription()
   {
      return description;
   }

   public void shutdown()
   {
      System.out.println("SampleAuditProviderImpl.shutdown");
      log.close();
   }

   public AuditChannel getAuditChannel()
   {
      return this;
   }

   public void writeEvent(AuditEvent event)
   {
      // Write the event out to the sample Auditing provider's log file using
      // the event's "toString" method.
      log.println(event);
   }
}

Generate an MBean Type Using the WebLogic MBeanMaker

Before you start generating an MBean type for your custom security provider, you should first:

• Understand Why You Need an MBean Type
• Determine Which SSPI MBeans to Extend and Implement
• Understand the Basic Elements of an MBean Definition File (MDF)
• Understand the SSPI MBean Hierarchy and How It Affects the Administration Console
• Understand What the WebLogic MBeanMaker Provides

When you understand this information and have made your design decisions, create the MBean type for your custom Auditing provider by following these steps:

1. Create an MBean Definition File (MDF)
2. Use the WebLogic MBeanMaker to Generate the MBean Type
3. Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
4. Install the MBean Type Into the WebLogic Server Environment

Notes: Several sample security providers (available under "Code Direct" on the dev2dev Web site) illustrate how to perform these steps.

All instructions provided in this section assume that you are working in a Windows environment.

Create an MBean Definition File (MDF)

To create an MBean Definition File (MDF), follow these steps:

1. Copy the MDF for the sample Auditing provider to a text file.

   Note: The MDF for the sample Auditing provider is called SampleAuditor.xml.

2. Modify the content of the <MBeanType> and <MBeanAttribute> elements in your MDF so that they are appropriate for your custom Auditing provider.
3. Add any custom attributes and operations (that is, additional <MBeanAttribute> and <MBeanOperation> elements) to your MDF.
4. Save the file.

Note: A complete reference of MDF element syntax is available in MBean Definition File (MDF) Element Syntax.

Use the WebLogic MBeanMaker to Generate the MBean Type

Once you create your MDF, you are ready to run it through the WebLogic MBeanMaker. The WebLogic MBeanMaker is currently a command-line utility that takes as its input an MDF, and outputs some intermediate Java files, including an MBean interface, an MBean implementation, and an associated MBean information file. Together, these intermediate files form the MBean type for your custom security provider.

The instructions for generating an MBean type differ based on the design of your custom Auditing provider. Follow the instructions that are appropriate to your situation:

• No Custom Operations
• Custom Operations

No Custom Operations

If the MDF for your custom Auditing provider does not include any custom operations, follow these steps:

1. Create a new DOS shell.
2. Type the following command:

   java -DMDF=xmlfile -DFiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker

   where xmlFile is the MDF (the XML MBean Description File) and filesdir is the location where the WebLogic MBeanMaker will place the intermediate files for the MBean type.

   Whenever xmlfile is provided, a new set of output files is generated. If files already exist in the location specified by filesdir, you are informed that the existing files will be overwritten and are asked to confirm.

   Each time you use the -DcreateStubs=true flag, it overwrites any existing MBean implementation file.

   Note: The WebLogic MBeanMaker processes one MDF at a time. Therefore, you may have to repeat this process if you have multiple MDFs (in other words, multiple Auditing providers).

3. Proceed to Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF).

Custom Operations

If the MDF for your custom Auditing provider does include custom operations, consider the following:

• Are you creating an MBean type for the first time? If so, follow these steps:

1. Create a new DOS shell.
2. Type the following command:

   java -DMDF=xmlfile -DFiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker

   where xmlFile is the MDF (the XML MBean Description File) and filesdir is the location where the WebLogic MBeanMaker will place the intermediate files for the MBean type.

   Whenever xmlfile is provided, a new set of output files is generated. If files already exist in the location specified by <filesdir>, you are informed that the existing files will be overwritten and are asked to confirm.

   Each time you use the -DcreateStubs=true flag, it overwrites any existing MBean implementation file.

   Note: The WebLogic MBeanMaker processes one MDF at a time. Therefore, you may have to repeat this process if you have multiple MDFs (in other words, multiple Auditing providers).

3. For any custom operations in your MDF, implement the methods using the method stubs.
4. Save the file.
5. Proceed to Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF).

• Are you updating an existing MBean type? If so, follow these steps:

1. Copy your existing MBean implementation file to a temporary directory so that your current method implementations are not overwritten by the WebLogic MBeanMaker.
2. Create a new DOS shell.
3. Type the following command:

   java -DMDF=xmlfile -DFiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker

   where xmlFile is the MDF (the XML MBean Description File) and filesdir is the location where the WebLogic MBeanMaker will place the intermediate files for the MBean type.

   Whenever xmlfile is provided, a new set of output files is generated. If files already exist in the location specified by filesdir, you are informed that the existing files will be overwritten and are asked to confirm.

   Each time you use the -DcreateStubs=true flag, it overwrites any existing MBean implementation file.

   Note: The WebLogic MBeanMaker processes one MDF at a time. Therefore, you may have to repeat this process if you have multiple MDFs (in other words, multiple Auditing providers).

4. If you modified the MDF to include any custom operations that were not in the original MDF, implement the methods using the method stubs.
5. Save the version of the MBean implementation file that is complete (that is, has all methods implemented).
6. Copy this MBean implementation file into the directory where the WebLogic MBeanMaker placed the intermediate files for the MBean type. You specified this as filesdir in step 3. (You will be overriding the MBean implementation file generated by the WebLogic MBeanMaker as a result of step 3.)
7. Proceed to Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF).

About the Generated MBean Interface File

The MBean interface file is the client-side API to the MBean that your runtime class or your MBean implementation will use to obtain configuration data. It is typically used in the initialize method as described in Understand the Purpose of the "Provider" SSPIs.

Because the WebLogic MBeanMaker generates MBean types from the MDF you created, the generated MBean interface file will have the name of the MDF, plus the text "MBean" appended to it. For example, the result of running the SampleAuditor MDF through the WebLogic MBeanMaker will yield an MBean interface file called SampleAuditorMBean.java.

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Once your have run your MDF through the WebLogic MBeanMaker to generate your intermediate files, and you have edited the MBean implementation file to supply implementations for the appropriate methods within it, you need to package the MBean files and the runtime classes for the custom Auditing provider into an MBean JAR File (MJF). The WebLogic MBeanMaker also automates this process.

To create an MJF for your custom Auditing provider, follow these steps:

1. Create a new DOS shell.
2. Type the following command:

   java -DMJF=jarfile -DFiles=filesdir weblogic.management.commo.WebLogicMBeanMaker

   where jarfile is the name for the MJF and <filesdir> is the location where the WebLogic MBeanMaker looks for the files to JAR into the MJF.

   Compilation occurs at this point, so errors are possible. If jarfile is provided, and no errors occur, an MJF is created with the specified name.

Notes: If you want to update an existing MJF, simply delete the MJF and regenerate it. The WebLogic MBeanMaker also has a -DIncludeSource option, which controls whether source files are included into the resulting MJF. Source files include both the generated source and the MDF itself. The default is false. This option is ignored when -DMJF is not used.

The resulting MJF can be installed into your WebLogic Server environment, or distributed to your customers for installation into their WebLogic Server environments.

Install the MBean Type Into the WebLogic Server Environment

To install an MBean type into the WebLogic Server environment, copy the MJF into the WL_HOME\server\lib\mbeantypes directory, where WL_HOME is the top-level installation directory for WebLogic Server. This "deploys" your custom Auditing provider—that is, it makes the custom Auditing provider manageable from the WebLogic Server Administration Console.

You can create instances of the MBean type by configuring your custom Auditing provider (see Configure the Custom Auditing Provider Using the Administration Console), and then use those MBean instances from a GUI, from other Java code, or from APIs. For example, you can use the WebLogic Server Administration Console to get and set attributes and invoke operations, or you can develop other Java objects that instantiate MBeans and automatically respond to information that the MBeans supply. We recommend that you back up these MBean instances. For more information, see "Backing Up Security Configuration Data" under "Recovering Failed Servers" in Creating and Configuring WebLogic Server Domains.

Configure the Custom Auditing Provider Using the Administration Console

Configuring a custom Auditing provider means that you are adding the custom Auditing provider to your security realm, where it can be accessed by security providers requiring audit services.

Configuring custom security providers is an administrative task, but it is a task that may also be performed by developers of custom security providers. This section contains information that is important for the person configuring your custom Auditing providers:

• Configuring Audit Severity

Note: The steps for configuring a custom Auditing provider using the WebLogic Server Administration Console are described under "Configuring a Custom Security Provider" in Managing WebLogic Security.

Configuring Audit Severity

During the configuration process, an Auditing provider's audit severity must be set to one of the following severity levels:

• INFORMATION
• WARNING
• ERROR
• SUCCESS
• FAILURE

This severity represents the level at which the custom Auditing provider will initiate auditing.