
cas入门之二十:cas审计日志Inspektr(下)

老高 | 发布于 2017-05-05 14:07| 浏览()| 评论() | 收藏() | 点赞() | 打印

摘要: 上篇主要介绍了Inspektr概况,那么cas应用是如何配置Inspektr审计的呢?

上篇主要介绍了Inspektr概况,那么cas应用是如何配置Inspektr审计的呢?cas的配置如下(在cas/WEB-INF/spring-configuration/auditTrailContext.xml这个文件中,参看cas入门之二spring配置文件):

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd">

<description>
Configuration file for the Inspektr package which handles auditing for Java
applications.
If enabled this should be modified to log audit and statistics
information the same way
your local applications do. The default is currently to log to the console
which is good
for debugging/testing purposes.
</description>

<!-- Turns on AspectJ-style auto-proxying; the audit aspect declared below is
     presumably applied to the @Audit-annotated CAS methods through this. -->
<aop:aspectj-autoproxy />

<!-- Central audit aspect: for every audited call it resolves the principal, the
     action name and the resource, then hands the record to each manager in the
     auditTrailManagers list.
     NOTE(review): the keys of the two resolver maps below must match the
     actionResolverName / resourceResolverName values given in the @Audit
     annotations of the CAS source; an audit point whose name is absent here
     has no resolver. -->
<bean id="auditTrailManagementAspect" class="com.github.inspektr.audit.AuditTrailManagementAspect">
	<!-- String applicationCode: tag attached to every audit record
	     (presumably what ends up in the APPLIC_CD column of the JDBC schema,
	     which is only 5 characters wide, so keep it short) -->
	<constructor-arg index="0" value="CAS" />
	
	<!-- PrincipalResolver auditablePrincipalResolver: yields the user (or ticket
	     owner) recorded with the event -->
	<constructor-arg index="1" ref="auditablePrincipalResolver" />
	
	<!-- List<AuditTrailManager> auditTrailManagers: the sinks audit records are
	     written to; the auditTrailManager bean is defined in
	     deployerConfigContext.xml, not in this file -->
	<constructor-arg index="2">
		<list>
			<ref bean="auditTrailManager" />
		</list>
	</constructor-arg>
	
	<!-- Map<String,AuditActionResolver> auditActionResolverMap: one resolver per
	     audit point; each presumably builds the recorded action name from the
	     @Audit action plus its success or failure suffix.
	     NOTE(review): the suffixes are not uniform across resolvers (_SUCCESS,
	     _SUCCEEDED, _CREATED, D); detection rules or reports that match on
	     action names must use the exact strings configured here. -->
	<constructor-arg index="3">
		<map>
			<entry key="AUTHENTICATION_RESOLVER">
			   <ref local="authenticationActionResolver" />
			</entry>
			<entry key="CREATE_TICKET_GRANTING_TICKET_RESOLVER">
			   <ref local="ticketCreationActionResolver" />
			</entry>
			<entry key="DESTROY_TICKET_GRANTING_TICKET_RESOLVER">
			   <!-- inline instance without suffix arguments: the class's own
			        defaults apply (not visible in this file) -->
			   <bean
				   class="com.github.inspektr.audit.spi.support.DefaultAuditActionResolver" />
			</entry>
			<entry key="GRANT_SERVICE_TICKET_RESOLVER">
			   <ref local="ticketCreationActionResolver" />
			</entry>
			<entry key="GRANT_PROXY_GRANTING_TICKET_RESOLVER">
			   <ref local="ticketCreationActionResolver" />
			</entry>
			<entry key="VALIDATE_SERVICE_TICKET_RESOLVER">
			   <ref local="ticketValidationActionResolver" />
			</entry>
			<entry key="DELETE_SERVICE_ACTION_RESOLVER">
			   <ref local="deleteServiceActionResolver" />
			</entry>
			<entry key="SAVE_SERVICE_ACTION_RESOLVER">
			   <ref local="saveServiceActionResolver" />
			</entry>
		</map>
	</constructor-arg>
	
	<!-- Map<String,AuditResourceResolver> auditResourceResolverMap: one resolver
	     per audit point, producing the resource string recorded with the action
	     (ticket ids, services, return values, parameters). -->
	<constructor-arg index="4">
		<map>
			<entry key="AUTHENTICATION_RESOURCE_RESOLVER">
			<!-- NOTE(review): the credential object is the audited resource here.
			     Confirm this resolver renders only an identifier (e.g. the username)
			     and never the secret: the audit log, or the COM_AUDIT_TRAIL table,
			     is a long-lived store read by more people than the login path. -->
			<bean
			class="org.jasig.cas.audit.spi.CredentialsAsFirstParameterResourceResolver" />
			</entry>
			<entry key="CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER">
			<!-- the method's return value (presumably the new TGT id) becomes the
			     resource, so the audit store holds ticket identifiers and needs
			     access control accordingly -->
			<ref local="returnValueResourceResolver" />
			</entry>
			<entry key="DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER">
			<ref local="ticketResourceResolver" />
			</entry>
			<entry key="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER">
			<bean class="org.jasig.cas.audit.spi.ServiceResourceResolver" />
			</entry>
			<entry key="GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER">
			<ref local="returnValueResourceResolver" />
			</entry>
			<entry key="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER">
			   <ref local="ticketResourceResolver" />
			</entry>
			<entry key="DELETE_SERVICE_RESOURCE_RESOLVER">
			   <ref local="deleteServiceResourceResolver" />
			</entry>
			<entry key="SAVE_SERVICE_RESOURCE_RESOLVER">
			   <ref local="saveServiceResourceResolver" />
			</entry>
		</map>
	</constructor-arg>
</bean>

<!-- Service-management resources: saving records the call parameters as a string -->
<bean id="saveServiceResourceResolver"
class="com.github.inspektr.audit.spi.support.ParametersAsStringResourceResolver" />

<bean id="deleteServiceResourceResolver"
class="org.jasig.cas.audit.spi.ServiceManagementResourceResolver" />

<!-- successSuffix / failureSuffix for the service-management audit points -->
<bean id="saveServiceActionResolver"
class="com.github.inspektr.audit.spi.support.DefaultAuditActionResolver">
<constructor-arg index="0" value="_SUCCEEDED" />
<constructor-arg index="1" value="_FAILED" />
</bean>

<bean id="deleteServiceActionResolver"
class="com.github.inspektr.audit.spi.support.ObjectCreationAuditActionResolver">
<constructor-arg index="0" value="_SUCCEEDED" />
<constructor-arg index="1" value="_FAILED" />
</bean>

<!-- Resolves the principal from either a ticket or the submitted credential;
     ticketRegistry is not defined in this file (presumably deployerConfigContext.xml) -->
<bean id="auditablePrincipalResolver"
class="org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver">
<constructor-arg index="0" ref="ticketRegistry" />
</bean>

<!-- Authentication outcomes: note _SUCCESS here versus _SUCCEEDED above -->
<bean id="authenticationActionResolver"
class="com.github.inspektr.audit.spi.support.DefaultAuditActionResolver">
<!-- String successSuffix -->
<constructor-arg index="0" value="_SUCCESS" />
<!-- String failureSuffix -->
<constructor-arg index="1" value="_FAILED" />
</bean>

<!-- Shared by TGT, service-ticket and proxy-granting-ticket creation points -->
<bean id="ticketCreationActionResolver"
class="com.github.inspektr.audit.spi.support.DefaultAuditActionResolver">
<!-- String successSuffix -->
<constructor-arg index="0" value="_CREATED" />
<!-- String failureSuffix -->
<constructor-arg index="1" value="_NOT_CREATED" />
</bean>

<!-- NOTE(review): the single-letter success suffix "D" presumably completes an
     @Audit action name ending in VALIDATE (giving ...VALIDATED); confirm against
     the annotation's action value before matching on it in reports. -->
<bean id="ticketValidationActionResolver"
class="com.github.inspektr.audit.spi.support.DefaultAuditActionResolver">
<!-- String successSuffix -->
<constructor-arg index="0" value="D" />
<!-- String failureSuffix -->
<constructor-arg index="1" value="_FAILED" />
</bean>

<!-- Records the audited method's return value, rendered as a string -->
<bean id="returnValueResourceResolver"
class="com.github.inspektr.audit.spi.support.ReturnValueAsStringResourceResolver" />


<!-- Records the ticket passed as the audited method's first parameter -->
<bean id="ticketResourceResolver"
class="org.jasig.cas.audit.spi.TicketAsFirstParameterResourceResolver" />
</beans>

而auditTrailManager 定义在cas/WEB-INF/deployerConfigContext.xml中

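<!-- Default audit sink: emits each audit record through SLF4J; the log4j.xml logger
     for this class is set to INFO and routed to the "cas" appender, so the audit
     trail shares that log's retention and access controls. (The stray ';' that
     followed the element is not valid content inside <beans> and was dropped.) -->
<bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />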

在web.xml中配置了filter:

<filter>
    <filter-name>CAS Client Info Logging Filter</filter-name>
    <!-- Presumably captures per-request client information (at least the client
         address) in a thread-local so the audit aspect can record it; mapped
         below to every URL of the application -->
    <filter-class>com.github.inspektr.common.web.ClientInfoThreadLocalFilter</filter-class>
    <!-- When CAS runs behind a load balancer, set this parameter so the originating
         client IP is taken from the named header instead of the TCP peer address.
         NOTE(review): X-Forwarded-For is supplied by whoever connects. Enable this
         only when every path to CAS passes through a trusted proxy that sets the
         header from the connection it sees and discards any value the client sent;
         otherwise the recorded client IP, and any alerting keyed on it, can be
         forged. The header may also carry a comma-separated list of addresses,
         which is longer than the 15-character AUD_CLIENT_IP column of the JDBC
         schema if it is stored verbatim. -->
    <init-param>
    <param-name>alternativeIpAddressHeader</param-name>
    <param-value>X-Forwarded-For</param-value>
    </init-param>
</filter>

<!-- Apply the filter to every request so each audit record has client info -->
<filter-mapping>
    <filter-name>CAS Client Info Logging Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

在源代码中定义审计点,如下所示

// Audit point. The two resolver names select entries of the aspect's
// auditActionResolverMap / auditResourceResolverMap (auditTrailContext.xml);
// the recorded action is presumably the action value extended with that
// resolver's success or failure suffix (_CREATED / _NOT_CREATED for this key).
@Audit(action="SERVICE_TICKET",
       actionResolverName="GRANT_SERVICE_TICKET_RESOLVER",
       resourceResolverName="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
public String grantServiceTicket(..)

这个从CentralAuthenticationServiceImpl类中截取的代码片段,也就是Inspektr通过audit注解来定义审计点;

默认情况下cas应用是将审计信息输出到应用的日志记录中,在cas/WEB-INF/classes/log4j.xml中可以看到

<!-- Routes the records written by Slf4jLoggingAuditTrailManager to the "cas"
     appender at INFO, i.e. the audit trail lives in the application log and
     inherits its retention and access controls.
     NOTE(review): if the audit trail must outlive or be protected differently
     from the application log, give it a dedicated appender; remove this logger
     when switching to the JDBC manager. -->
<logger name="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager">
    <level value="INFO" />
    <appender-ref ref="cas" />
</logger>

对于INFO级别的信息均有所输出,至此Inspektr配置完毕。

如果需要将审计信息输出到数据库中进行如下配置,即替换auditTrailManager的相应bean:

<!-- NOTE(review): the p: attributes below require
     xmlns:p="http://www.springframework.org/schema/p" to be declared on the root
     <beans> element of the file these beans are placed in. -->

<!-- Transaction manager bound to the audit DataSource; dataSource itself is not
     defined in this snippet and must be provided by the deployer -->
<bean id="inspektrTransactionManager"
class="org.springframework.jdbc.datasource.DataSourceTransactionManager"
p:dataSource-ref="dataSource"/>

<!-- Template the JDBC manager uses for its writes: read-committed isolation,
     joining an existing transaction when one is active -->
<bean id="inspektrTransactionTemplate"
class="org.springframework.transaction.support.TransactionTemplate"
p:transactionManager-ref="inspektrTransactionManager"
p:isolationLevelName="ISOLATION_READ_COMMITTED"
p:propagationBehaviorName="PROPAGATION_REQUIRED"/>

<!-- Replaces the Slf4jLoggingAuditTrailManager bean of the same id: only one
     auditTrailManager definition may remain.
     NOTE(review): grant the DataSource account only what the manager needs on
     the audit table (INSERT; verify whether this version also needs DELETE for
     record clean-up) and give reporting users read access separately, so the
     application credential cannot rewrite history. -->
<bean id="auditTrailManager"
class="com.github.inspektr.audit.support.JdbcAuditTrailManager">
<constructor-arg index="0" ref="inspektrTransactionTemplate" />
<property name="dataSource" ref="dataSource" />
<!-- COM_AUDIT_TRAIL is the default table name; it can be changed, but the
     column names the manager writes cannot -->
<property name="tableName" value="COM_AUDIT_TRAIL" /><!-- this table name is the default and may be changed to another name -->
</bean>

其中dataSource自行定义,并且删除掉log4j.xml中的Slf4jLoggingAuditTrailManager日志输出logger。

需要的数据库表结构:

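-- Audit table written by com.github.inspektr.audit.support.JdbcAuditTrailManager
-- (tableName COM_AUDIT_TRAIL by default). The column names are fixed by the
-- manager; the table name and column attributes may be adapted to the target
-- database. Oracle syntax.
CREATE TABLE COM_AUDIT_TRAIL(
   AUD_USER      VARCHAR2(100) NOT NULL,
   -- Widened from VARCHAR(15), which holds dotted IPv4 only. IPv6 text is up to
   -- 39 characters (45 for IPv4-mapped forms), and with alternativeIpAddressHeader
   -- set the value comes from X-Forwarded-For; an over-long value makes the INSERT
   -- fail and the event is not recorded (whether that surfaces as an error or is
   -- only logged depends on the manager; verify). VARCHAR2 also matches the other
   -- columns instead of mixing the two spellings.
   AUD_CLIENT_IP VARCHAR2(45)  NOT NULL,
   AUD_SERVER_IP VARCHAR2(45)  NOT NULL,
   -- NOTE(review): service URLs recorded by the GRANT_SERVICE_TICKET resource
   -- resolver may exceed 100 characters; widen if those inserts fail.
   AUD_RESOURCE  VARCHAR2(100) NOT NULL,
   AUD_ACTION    VARCHAR2(100) NOT NULL,
   -- presumably the aspect's applicationCode ("CAS"); it must fit in 5 characters
   APPLIC_CD     VARCHAR2(5)   NOT NULL,
   AUD_DATE      TIMESTAMP     NOT NULL
);
-- The key spans every column, so a row is identified by its content and two
-- events that agree in all fields within the same timestamp are rejected as
-- duplicates.
ALTER TABLE COM_AUDIT_TRAIL
ADD CONSTRAINT COM_AUDIT_TRAIL_PK
PRIMARY KEY (
AUD_USER,
AUD_CLIENT_IP,
AUD_SERVER_IP,
AUD_RESOURCE,
AUD_ACTION,
APPLIC_CD,
AUD_DATE
) ENABLE;
 
-- Lookup indexes: by time alone, and by client address / user / action over a
-- time window, which are the usual incident-response queries against the trail.
CREATE INDEX COM_AUDIT_TRAIL_DATE_I
ON COM_AUDIT_TRAIL (AUD_DATE);
CREATE INDEX COM_AUDIT_TRAIL_CLIENT_DATE_I
ON COM_AUDIT_TRAIL (AUD_CLIENT_IP, AUD_DATE);
CREATE INDEX COM_AUDIT_TRAIL_USER_DATE_I
ON COM_AUDIT_TRAIL (AUD_USER, AUD_DATE);
CREATE INDEX COM_AUDIT_TRAIL_ACTION_DATE_I
ON COM_AUDIT_TRAIL (AUD_ACTION, AUD_DATE);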

表名可以更改,但是里面的字段名不能更改,这个表是建在oracle数据库的。可以根据需要更改相应的字段属性,建在其他数据库中。


