技术分享 CAS单点登录 服务端配置 查看内容

cas入门之二十:cas审计日志Inspektr(下)

老高 | 发布于 2017-05-05 14:07| 浏览()| 评论() | 收藏() | 打印

摘要: 上篇主要介绍了Inspektr概况,那么cas应用是如何配置Inspektr审计的呢?

上篇主要介绍了Inspektr概况,那么cas应用是如何配置Inspektr审计的呢?cas的配置如下(在cas/WEB-INF/spring-configuration/auditTrailContext.xml这个文件中,参看cas入门之二spring配置文件):

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd">

<description>
Configuration file for the Inspektr package which handles auditing for Java
applications.
If enabled this should be modified to log audit and statistics
information the same way
your local applications do. The default is currently to log to the console
which is good
for debugging/testing purposes.
</description>

<aop:aspectj-autoproxy />

<bean id="auditTrailManagementAspect" class="com.github.inspektr.audit.AuditTrailManagementAspect">
	<!-- String applicationCode -->
	<constructor-arg index="0" value="CAS" />
	
	<!-- PrincipalResolver auditablePrincipalResolver -->
	<constructor-arg index="1" ref="auditablePrincipalResolver" />
	
	<!-- List<AuditTrailManager> auditTrailManagers -->
	<constructor-arg index="2">
		<list>
			<ref bean="auditTrailManager" />
		</list>
	</constructor-arg>
	
	<!-- Map<String,AuditActionResolver> auditActionResolverMap -->
	<constructor-arg index="3">
		<map>
			<entry key="AUTHENTICATION_RESOLVER">
			   <ref local="authenticationActionResolver" />
			</entry>
			<entry key="CREATE_TICKET_GRANTING_TICKET_RESOLVER">
			   <ref local="ticketCreationActionResolver" />
			</entry>
			<entry key="DESTROY_TICKET_GRANTING_TICKET_RESOLVER">
			   <bean
				   class="com.github.inspektr.audit.spi.support.DefaultAuditActionResolver" />
			</entry>
			<entry key="GRANT_SERVICE_TICKET_RESOLVER">
			   <ref local="ticketCreationActionResolver" />
			</entry>
			<entry key="GRANT_PROXY_GRANTING_TICKET_RESOLVER">
			   <ref local="ticketCreationActionResolver" />
			</entry>
			<entry key="VALIDATE_SERVICE_TICKET_RESOLVER">
			   <ref local="ticketValidationActionResolver" />
			</entry>
			<entry key="DELETE_SERVICE_ACTION_RESOLVER">
			   <ref local="deleteServiceActionResolver" />
			</entry>
			<entry key="SAVE_SERVICE_ACTION_RESOLVER">
			   <ref local="saveServiceActionResolver" />
			</entry>
		</map>
	</constructor-arg>
	
	<!-- Map<String,AuditResourceResolver> auditResourceResolverMap -->
	<constructor-arg index="4">
		<map>
			<entry key="AUTHENTICATION_RESOURCE_RESOLVER">
			<bean
			class="org.jasig.cas.audit.spi.CredentialsAsFirstParameterResourceResolver" />
			</entry>
			<entry key="CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER">
			<ref local="returnValueResourceResolver" />
			</entry>
			<entry key="DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER">
			<ref local="ticketResourceResolver" />
			</entry>
			<entry key="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER">
			<bean class="org.jasig.cas.audit.spi.ServiceResourceResolver" />
			</entry>
			<entry key="GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER">
			<ref local="returnValueResourceResolver" />
			</entry>
			<entry key="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER">
			   <ref local="ticketResourceResolver" />
			</entry>
			<entry key="DELETE_SERVICE_RESOURCE_RESOLVER">
			   <ref local="deleteServiceResourceResolver" />
			</entry>
			<entry key="SAVE_SERVICE_RESOURCE_RESOLVER">
			   <ref local="saveServiceResourceResolver" />
			</entry>
		</map>
	</constructor-arg>
</bean>

<bean id="saveServiceResourceResolver"
class="com.github.inspektr.audit.spi.support.ParametersAsStringResourceResolver" />

<bean id="deleteServiceResourceResolver"
class="org.jasig.cas.audit.spi.ServiceManagementResourceResolver" />

<bean id="saveServiceActionResolver"
class="com.github.inspektr.audit.spi.support.DefaultAuditActionResolver">
<constructor-arg index="0" value="_SUCCEEDED" />
<constructor-arg index="1" value="_FAILED" />
</bean>

<bean id="deleteServiceActionResolver"
class="com.github.inspektr.audit.spi.support.ObjectCreationAuditActionResolver">
<constructor-arg index="0" value="_SUCCEEDED" />
<constructor-arg index="1" value="_FAILED" />
</bean>

<bean id="auditablePrincipalResolver"
class="org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver">
<constructor-arg index="0" ref="ticketRegistry" />
</bean>

<bean id="authenticationActionResolver"
class="com.github.inspektr.audit.spi.support.DefaultAuditActionResolver">
<!-- String successSuffix -->
<constructor-arg index="0" value="_SUCCESS" />
<!-- String failureSuffix -->
<constructor-arg index="1" value="_FAILED" />
</bean>

<bean id="ticketCreationActionResolver"
class="com.github.inspektr.audit.spi.support.DefaultAuditActionResolver">
<!-- String successSuffix -->
<constructor-arg index="0" value="_CREATED" />
<!-- String failureSuffix -->
<constructor-arg index="1" value="_NOT_CREATED" />
</bean>

<bean id="ticketValidationActionResolver"
class="com.github.inspektr.audit.spi.support.DefaultAuditActionResolver">
<!-- String successSuffix -->
<constructor-arg index="0" value="D" />
<!-- String failureSuffix -->
<constructor-arg index="1" value="_FAILED" />
</bean>

<bean id="returnValueResourceResolver"
class="com.github.inspektr.audit.spi.support.ReturnValueAsStringResourceResolver" />


<bean id="ticketResourceResolver"
class="org.jasig.cas.audit.spi.TicketAsFirstParameterResourceResolver" />
</beans>

而auditTrailManager 定义在cas/WEB-INF/deployerConfigContext.xml中

<bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />;

在web.xml中配置了filter:

<filter>
    <filter-name>CAS Client Info Logging Filter</filter-name>
    <filter-class>com.github.inspektr.common.web.ClientInfoThreadLocalFilter</filter-class>
    <!-- 当 cas负载均衡时,配置如下参数,获取用户真实ip -->
    <init-param>
    <param-name>alternativeIpAddressHeader</param-name>
    <param-value>X-Forwarded-For</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CAS Client Info Logging Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

在源代码中定义审计点,如下所示

@Audit(action="SERVICE_TICKET",
       actionResolverName="GRANT_SERVICE_TICKET_RESOLVER",
       resourceResolverName="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
public String grantServiceTicket(..)

这个从CentralAuthenticationServiceImpl类中截取的代码片段,也就是Inspektr通过audit注解来定义审计点;

默认情况下cas应用是将审计信息输出到应用的日志记录中,在cas/WEB-INF/classes/log4j.xml中可以看到

<logger name="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager">
    <level value="INFO" />
    <appender-ref ref="cas" />
</logger>

对于INFO级别的信息均有所输出,,至此Inspektr配置完毕。

如果需要将审计信息输出到数据库中进行如下配置,即替换auditTrailManager的相应bean:

<bean id="inspektrTransactionManager"
class="org.springframework.jdbc.datasource.DataSourceTransactionManager"
p:dataSource-ref="dataSource"/>

<bean id="inspektrTransactionTemplate"
class="org.springframework.transaction.support.TransactionTemplate"
p:transactionManager-ref="inspektrTransactionManager"
p:isolationLevelName="ISOLATION_READ_COMMITTED"
p:propagationBehaviorName="PROPAGATION_REQUIRED"/>

<bean id="auditTrailManager"
class="com.github.inspektr.audit.support.JdbcAuditTrailManager">
<constructor-arg index="0" ref="inspektrTransactionTemplate" />
<property name="dataSource" ref="dataSource" />
<property name="tableName" value="COM_AUDIT_TRAIL" /><!--这个表名是默认值,可以更改为其他的表名 -->
</bean>

其中dataSource自行定义,并且删除掉log4j.xml中的Slf4jLoggingAuditTrailManager日志输出logger。

需要的数据库表结构:

CREATE TABLE COM_AUDIT_TRAIL(
   AUD_USER      VARCHAR2(100) NOT NULL,
   AUD_CLIENT_IP VARCHAR(15)   NOT NULL,
   AUD_SERVER_IP VARCHAR(15)   NOT NULL,
   AUD_RESOURCE  VARCHAR2(100) NOT NULL,
   AUD_ACTION    VARCHAR2(100) NOT NULL,
   APPLIC_CD     VARCHAR2(5)   NOT NULL,
   AUD_DATE      TIMESTAMP     NOT NULL
);
ALTER TABLE COM_AUDIT_TRAIL
ADD CONSTRAINT COM_AUDIT_TRAIL_PK
PRIMARY KEY (
AUD_USER,
AUD_CLIENT_IP,
AUD_SERVER_IP,
AUD_RESOURCE,
AUD_ACTION,
APPLIC_CD,
AUD_DATE
) ENABLE;
 
CREATE INDEX COM_AUDIT_TRAIL_DATE_I
ON COM_AUDIT_TRAIL (AUD_DATE);
CREATE INDEX COM_AUDIT_TRAIL_CLIENT_DATE_I
ON COM_AUDIT_TRAIL (AUD_CLIENT_IP, AUD_DATE);
CREATE INDEX COM_AUDIT_TRAIL_USER_DATE_I
ON COM_AUDIT_TRAIL (AUD_USER, AUD_DATE);
CREATE INDEX COM_AUDIT_TRAIL_ACTION_DATE_I
ON COM_AUDIT_TRAIL (AUD_ACTION, AUD_DATE);

表名可以更改,但是里面的字段名不能更改,这个表是建在oracle数据库的。可以根据需要更改相应的字段属性,建在其他数据库中。


发表评论(对文章涉及的知识点还有疑问,可以在这里留言,老高看到后会及时回复的。)

表情
返回顶部