Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-14292

AM-LOGIN-COMPLETED does not log name of chain used for login



      Bug description

      The audit event "AM-LOGIN-COMPLETED" is logged to the authentication topic when an authentication chain completes. Unfortunately, it does not log the name of the chain used for login. Assuming that a chain was explicitly specified via a query parameter, this information is available in the http.request.queryParameters field of the associated access event (linked by having the same transactionId value).

      Note. that the audit event "AM-TREE-LOGIN-COMPLETED" does not suffer from this issue. The name of the tree used for login is recorded as part of that event.

      How to reproduce the issue

      Details steps outlining how to recreate the issue (remove this text)

      1. Login to AM using an authentication chain
      2. Locate an "AM-LOGIN-COMPLETED" event
      Expected behaviour
      The event should report the chain which was used for login.
      Current behaviour
      The event does not report the chain which was used for login.

      Work around


      Code analysis

          private AuthenticationAuditEntry getAuditEntryDetail(String moduleName, LoginState loginState) {
              AuthenticationAuditEntry entryDetail = new AuthenticationAuditEntry();
              entryDetail.setModuleId(moduleName == null ? "" : moduleName);
              if (loginState != null) {
                  String ip = loginState.getClient();
                  if (isNotEmpty(ip)) {
                      entryDetail.addInfo(IP_ADDRESS, ip);
                  AuthContext.IndexType indexType = loginState.getIndexType();
                  if (indexType != null) {
                      entryDetail.addInfo(AUTH_INDEX, indexType.toString());
                  entryDetail.addInfo(AUTH_LEVEL, String.valueOf(loginState.getAuthLevel()));
              return entryDetail;

      The method getAuditEntryDetail logs the index type (e.g. "service") but does not log the index value (e.g. "ldapService"). Note that the code for logging index type actually only works when the index type was explicitly specified. When the index type is not specified (e.g. using default login service) then the index type is not reported.




            • Assignee:
              gabor.melkvi Gabor Melkvi
              craig.mcdonnell Craig McDonnell
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: