[OPENAM-14292] AM-LOGIN-COMPLETED does not log name of chain used for login Created: 22/Jan/19  Updated: 15/Jul/20  Resolved: 08/Jul/20

Status: Resolved
Project: OpenAM
Component/s: audit logging, authentication
Affects Version/s: None
Fix Version/s: 7.0.0, 6.5.3

Type: Bug Priority: Major
Reporter: Craig McDonnell Assignee: Gabor Melkvi
Resolution: Fixed Votes: 0
Labels: AME, Must-Fix, Selected
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:


Bug description

The audit event "AM-LOGIN-COMPLETED" is logged to the authentication topic when an authentication chain completes. Unfortunately, it does not log the name of the chain used for login. Assuming that a chain was explicitly specified via a query parameter, this information is available in the http.request.queryParameters field of the associated access event (linked by having the same transactionId value).

Note. that the audit event "AM-TREE-LOGIN-COMPLETED" does not suffer from this issue. The name of the tree used for login is recorded as part of that event.

How to reproduce the issue

Details steps outlining how to recreate the issue (remove this text)

  1. Login to AM using an authentication chain
  2. Locate an "AM-LOGIN-COMPLETED" event
Expected behaviour
The event should report the chain which was used for login.
Current behaviour
The event does not report the chain which was used for login.

Work around


Code analysis

    private AuthenticationAuditEntry getAuditEntryDetail(String moduleName, LoginState loginState) {
        AuthenticationAuditEntry entryDetail = new AuthenticationAuditEntry();
        entryDetail.setModuleId(moduleName == null ? "" : moduleName);

        if (loginState != null) {
            String ip = loginState.getClient();
            if (isNotEmpty(ip)) {
                entryDetail.addInfo(IP_ADDRESS, ip);
            AuthContext.IndexType indexType = loginState.getIndexType();
            if (indexType != null) {
                entryDetail.addInfo(AUTH_INDEX, indexType.toString());
            entryDetail.addInfo(AUTH_LEVEL, String.valueOf(loginState.getAuthLevel()));

        return entryDetail;

The method getAuditEntryDetail logs the index type (e.g. "service") but does not log the index value (e.g. "ldapService"). Note that the code for logging index type actually only works when the index type was explicitly specified. When the index type is not specified (e.g. using default login service) then the index type is not reported.

Generated at Tue Nov 24 06:57:15 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.