Inspektr audit says AUTHENTICATION_SUCCESS on authentication failures


Oscar del Pozo

Jan 23, 2018, 5:38:15 AM
to CAS Community
There is a bug in the module inspektr-audit-1.7.1.GA: when an Exception is thrown during an authentication process, the authentication ends up being logged as successful:

Logs:

2018-01-23 11:18:18,583 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=<null>]] of type [ClientCredential].>
2018-01-23 11:18:57,038 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: null
WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=<null>]]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Jan 23 11:18:57 CET 2018
CLIENT IP ADDRESS: 192.168.56.1
SERVER IP ADDRESS: 192.168.56.1
=============================================================

The bug is located at org.apereo.inspektr.audit.AuditTrailManagementAspect@handleAuditTrail(final ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable:

    @Around(value = "@annotation(audit)", argNames = "audit")
    public Object handleAuditTrail(final ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable {
        final AuditActionResolver auditActionResolver = this.auditActionResolvers.get(audit.actionResolverName());
        final AuditResourceResolver auditResourceResolver = this.auditResourceResolvers.get(audit.resourceResolverName());

        String currentPrincipal = null;
        String[] auditResource = new String[]{null};
        String action = null;
        Object retVal = null;
        try {
            retVal = joinPoint.proceed();

            currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, retVal);
            auditResource = auditResourceResolver.resolveFrom(joinPoint, retVal);
            action = auditActionResolver.resolveFrom(joinPoint, retVal, audit);

            return retVal;
        } catch (final Throwable e) {
            currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
            auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
            action = auditActionResolver.resolveFrom(joinPoint, e, audit);
            throw e;
        } finally {
            executeAuditCode(currentPrincipal, auditResource, joinPoint, retVal, action, audit);
        }
    }

The problem here is that the auditActionResolver has two methods:

String resolveFrom(JoinPoint auditableTarget, Object retval, Audit audit);

String resolveFrom(JoinPoint auditableTarget, Exception exception, Audit audit);

When we try to invoke the second one, we have to cast the exception e so as not to enter the first method, where the success suffix will be applied to the audit log.

To fix this, the catch block should be:

        } catch (final Throwable e) {
            currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
            auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
            action = auditActionResolver.resolveFrom(joinPoint, (Exception) e, audit);
            throw e;
        }

I would make a pull request, but I haven't found the source code on GitHub.
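
Added example (not part of the original post and not Inspektr's code): a minimal Java program showing why the uncast call in the post above binds to the Object overload, since Java selects overloads from the compile-time type of the argument. The class name, method names and suffix strings are hypothetical stand-ins; the `instanceof` guard is an assumed variation that avoids a ClassCastException when the caught Throwable is an Error rather than an Exception.

```java
// Added illustration; all names here are hypothetical, not Inspektr's code.
public class OverloadDemo {

    // Mirrors the two-overload shape of the resolver quoted in the post.
    // The suffix strings are constructed for this example.
    static class ActionResolver {
        String resolveFrom(String action, Object retval) {
            return action + "_SUCCESS";
        }

        String resolveFrom(String action, Exception exception) {
            return action + "_FAILED";
        }
    }

    static final ActionResolver RESOLVER = new ActionResolver();

    // Overloads are chosen at compile time from the static type of the argument.
    // Throwable is not a subtype of Exception, so only the Object overload applies,
    // even when the runtime object is an Exception.
    static String resolveUncast(Throwable e) {
        return RESOLVER.resolveFrom("AUTHENTICATION", e);
    }

    // Selects the Exception overload. An Error (e.g. StackOverflowError) is wrapped
    // instead of cast, so the audit path cannot throw ClassCastException and hide
    // the original failure.
    static String resolveGuarded(Throwable e) {
        Exception ex = (e instanceof Exception) ? (Exception) e : new RuntimeException(e);
        return RESOLVER.resolveFrom("AUTHENTICATION", ex);
    }

    public static void main(String[] args) {
        Throwable authFailure = new IllegalStateException("constructed failure");
        Throwable error = new StackOverflowError();
        System.out.println("uncast, Exception:  " + resolveUncast(authFailure));
        System.out.println("guarded, Exception: " + resolveGuarded(authFailure));
        System.out.println("guarded, Error:     " + resolveGuarded(error));
    }
}
```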

Dmitriy Kopylenko

Jan 23, 2018, 6:50:29 AM
to cas-...@apereo.org

Oscar del Pozo

Jan 23, 2018, 7:02:10 AM
to CAS Community, dkopy...@unicon.net
Thanks!

Olivier

Mar 5, 2018, 10:33:52 AM
to CAS Community
Has this already been fixed in the CAS release 5.2.3?

Satnam Sarai

Mar 7, 2018, 4:21:37 PM
to CAS Community
I am noticing the same thing in 5.2.3.