Sun Java System Access Manager 7.1 Developer's Guide

Using the Logging SPIs

The Logging SPIs are Java packages that can be used to develop plug-ins for customized features. The SPIs are organized in the com.sun.identity.log.spi package. For more information, see the Sun Java System Access Manager 7.1 Java API Reference.

Log Verifier Plug-In

If secure logging is enabled, the log files are verified periodically to detect any attempt at tampering. If tampering is detected, the action taken can be customized by following these steps.

Procedure: To Customize Actions to be Taken in Secure Logging

  1. Implement the com.sun.identity.log.spi.IVerifierOutput interface with the desired functionality.

  2. Add the implementing class in the classpath of Access Manager.

  3. Modify the property iplanet-am-logging-verifier-action-class in the /etc/opt/SUNWam/config/xml/amLogging.xml file with the name of the new class.

Log Authorization Plug-In

The Logging Service enables you to plug in a class that will determine whether a LogRecord is logged or discarded. The determination is based on the authorization of the owner of the session token performing the event.


Note –

The IAuthorizer interface accepts an SSOToken and the log record being written.


There are several ways to accomplish this. The following procedure is one example.

Procedure: To Implement a Log Authorization Plug-In

  1. Get the applicable role or DN of the user from the SSOToken and check it against a pre-configured (or hardcoded) list of roles or users that are allowed access.

    The administrator must configure a role and assign to this role all policy agents and entities, such as applications, that can possibly log into Access Manager.

  2. Instantiate a PolicyEvaluator and call PolicyEvaluator.isAllowed(ssotoken, logname).

Procedure: To Instantiate a PolicyEvaluator

This entails defining a policy XML to model log access and registering it with Access Manager.

  1. Implement the com.sun.identity.log.spi.IAuthorizer interface with the desired functionality.

  2. Add the implementing class in the classpath of Access Manager.

  3. Modify the property iplanet-am-logging-authz-class in the /etc/opt/SUNWam/config/xml/amLogging.xml file with the name of the new class.
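
The DN allow-list check from step 1 of the log authorization procedure, shown as an added example that is not part of the original guide or of Access Manager's own code. It covers only the decision logic: the class name LogWriterAllowList and the sample DNs are hypothetical, and an IAuthorizer implementation is assumed to pass in the DN obtained from SSOToken.getPrincipal().getName(), with the interface's method signatures taken from the Java API Reference.

```java
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/** Hypothetical helper: decides whether a caller's DN may write log records. */
public class LogWriterAllowList {
    private final Set<LdapName> allowed = new HashSet<>();

    /** Parses the configured DNs once; a malformed entry fails at startup. */
    public LogWriterAllowList(String... allowedDns) throws InvalidNameException {
        for (String dn : allowedDns) {
            allowed.add(new LdapName(dn));
        }
    }

    /** Returns true only when principalDn parses and equals an allowed DN. */
    public boolean isAllowed(String principalDn) {
        if (principalDn == null || principalDn.isEmpty()) {
            return false; // no identity on the session: discard the record
        }
        try {
            // LdapName equality ignores attribute case and spacing after
            // commas, so a plain String.equals() mismatch cannot cause a
            // false denial, and a DN with extra RDNs never matches.
            return allowed.contains(new LdapName(principalDn));
        } catch (InvalidNameException e) {
            return false; // malformed DN: fail closed
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs, not taken from any real deployment.
        LogWriterAllowList list = new LogWriterAllowList(
            "uid=agent1,ou=agents,dc=example,dc=com",
            "uid=amadmin,ou=people,dc=example,dc=com");
        String[] callers = {
            "UID=Agent1, OU=Agents, DC=example, DC=com",       // same DN, different form
            "uid=mallory,ou=people,dc=example,dc=com",         // not listed
            "cn=x,uid=agent1,ou=agents,dc=example,dc=com",     // child entry of a listed DN
            "not a dn"                                         // unparseable
        };
        for (String dn : callers) {
            System.out.println((list.isAllowed(dn) ? "LOG      " : "DISCARD  ") + dn);
        }
    }
}
```

Only the first caller is logged; the other three are discarded, including the unparseable value, because the check fails closed.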