Access auditing


Jean-Marc Tanguay

Jul 18, 2020, 3:57:56 PM
to H2 Database
For security purposes, I need to configure the access.log of the H2 Database. The security team wants to see the remote IP and the username used to access the database :(...

We added to the project the logback-access module but the username is always null in the access.log file or in the Tomcat access log.

Is there a way to show the username in the access.log file?

The goal will be to forward the logs to stdout. That way, the auditing tool will receive the logs through journalctl.

Thanks.

Evgenij Ryazanov

Jul 19, 2020, 11:19:45 AM
to H2 Database
Hello.

Users of application server and users of database are not related in any way.

If you use H2 Console servlet in production server, you must add a security constraint for it, otherwise you can create a security hole in your system, especially if you use some old version of H2. It looks like you didn't add it.

Sample configuration is here, scroll it down to “Using the H2 Console Servlet” section:
https://h2database.com/html/tutorial.html#web_applications

In this configuration you can specify role name to restrict access to users with the specified role.
In Apache Tomcat with default settings you can add users to tomcat-users.xml, but you can have some other source of users on your server if you configured it.
With such a security constraint, browsers will ask users for a username and password.
These users can be logged to the journal of the web server.

After authorization to the application server, users will need to log in again to the database itself by providing the JDBC URL, username, and password. The web server knows nothing about this procedure and can't log its details.
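The constraint and logging described in this answer, worked out as an added example (not the poster's configuration and not copied from the H2 tutorial). It assumes the H2 WebServlet is mapped at /console/*, a role named h2admin, Tomcat's default UserDatabaseRealm, and a constructed sample user; all three fragments go into the files named in the comments.

```xml
<!-- WEB-INF/web.xml: restrict the H2 Console servlet to authenticated users holding one role.
     The /console/* mapping and the h2admin role name are assumptions for this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>H2 Console</web-resource-name>
    <url-pattern>/console/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>h2admin</role-name>
  </auth-constraint>
  <!-- BASIC auth only base64-encodes the credentials, so require TLS for this resource. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>H2 Console</realm-name>
</login-config>
<security-role>
  <role-name>h2admin</role-name>
</security-role>

<!-- conf/tomcat-users.xml: the user source for Tomcat's default UserDatabaseRealm.
     "auditor" is a constructed sample account; replace the placeholder password. -->
<tomcat-users>
  <role rolename="h2admin"/>
  <user username="auditor" password="CHANGE_ME" roles="h2admin"/>
</tomcat-users>

<!-- conf/server.xml, inside the <Host> element: write one line per request with the
     remote address (%h, an IP when enableLookups is off) and the authenticated container
     user (%u). %u is "-" before authentication and is always the Tomcat user, never the
     database username typed into the H2 Console login form, which Tomcat cannot see. -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs" prefix="h2_console_access" suffix=".log"
       pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
```

A resulting line looks like `10.0.0.5 - auditor [19/Jul/2020:11:19:45 +0000] "GET /console/ HTTP/1.1" 200 1324` (constructed), which is the remote IP plus container username the security team asked for; the JDBC credentials remain outside the web server's view.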

Jean-Marc Tanguay

Jul 19, 2020, 8:27:40 PM
to H2 Database
In my case, my application does not have any interface. It's only crunching some data and storing the intermediate values in a memory H2 database. I'm only using the h2-console default web page for debugging purposes...

So basically, one way would be to create a secure server page with AD authentication and based on the user privileges, automatically open the jdbc URL with the right credentials.
