Hi List,
We are experimenting here with the LDAP authentication provider against
the Windows Active Directory. All works fine!!
It is easy to ask for authorisation for a layer, and giving access via
'groups' instead of individual users is a nice thing.
BUT we also want to see in either Tomcat or Geoserver log files WHO is
asking for certain layers. So we want to log the username.
It's only internal use, so it's not even over https, so I can see the
base64 username:password headers going over the line.
But whatever I try (custom Valves for Tomcat) different log formats for
the (Apache) reverse proxy, I keep getting "- -" in logs instead of
seeing the username.
So Question: is it possible to let Geoserver/Tomcat/Apache log the
username somewhere? I did a lot of googling, and found a lot of
'answers', but nothing works in my situation.
Any hint/clue?
Is anybody able to log usernames?
Regards,
Richard Duivenvoorde
PS I'm pretty sure I asked something like this some years ago, and think
that Andrea answered something along the lines "difficult", but I cannot
find that Q/A anymore.
PS2 I think for governmental organisations in EU it will be more and
more important to be able to hand over clear logs in case of privacy
breaches nowadays. Usernames are an important part in that case.
Hi Richard
I log the HTTP header Authorization in Tomcat/HAProxy/Apache and this will give you the base64 username:password that you see in WireShark, etc.:
Tomcat/Apache: "%{Authorization}i"
HAProxy:
capture request header Authorization len 50
log-format "... %{+Q}hrl ..."
I’m not sure how to base64 decode automatically, so I just leave it encoded, which is good enough for differentiating per username.
Regards
Peter
On Thu, 13 Sep 2018 at 09:55, Richard Duivenvoorde <rdmailings@anonymised.com> wrote:
Hi List,
We are experimenting here with the LDAP authentication provider against
the Windows Active Directory. All works fine!!
It is easy to ask for authorisation for a layer, and giving access via
‘groups’ instead of individual users is a nice thing.
BUT we also want to see in either Tomcat or Geoserver log files WHO is
asking for certain layers. So we want to log the username.
It’s only internal use, so it’s not even over https, so I can see the
base64 username:password headers going over the line.
But whatever I try (custom Valves for Tomcat) different log formats for
the (Apache) reverse proxy, I keep getting “- -” in logs instead of
seeing the username.
So Question: is it possible to let Geoserver/Tomcat/Apache log the
username somewhere? I did a lot of googling, and found a lot of
‘answers’, but nothing works in my situation.
Any hint/clue?
Is anybody able to log usernames?
Regards,
Richard Duivenvoorde
PS I’m pretty sure I asked something like this some years ago, and think
that Andrea answered something along the lines “difficult”, but I cannot
find that Q/A anymore.
PS2 I think for governmental organisations in EU it will be more and
more important to be able to hand over clear logs in case of privacy
breaches nowadays. Usernames are an important part in that case.
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
On 09/13/2018 11:48 AM, Peter Smythe wrote:
Hi Richard
I log the HTTP header Authorization in Tomcat/HAProxy/Apache and this
will give you the base64 username:password that you see in WireShark, etc.:
Tomcat/Apache: "%{Authorization}i"
HAProxy:
capture request header Authorization len 50
log-format "... %{+Q}hrl ..."
I'm not sure how to base64 decode automatically, so I just leave it
encoded, which is good enough for differentiating per username.
Hi Peter,
Thanks, yes that is what I came up with finally, just after I sent the email.
But security-wise I cannot do that, in our case the Windows passwords
will be in all logs (Base64 encoded, but that is one line of grep away
from harvesting all username/passwords).
So decoding/splitting on the fly would be ok. But even better would be
if Geoserver hands it over to the logs.
Regards,
Richard
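Richard's "decoding/splitting on the fly" is straightforward to do as a post-processing step over the access log before it is retained or shipped anywhere. The script below is an added example, not code from the thread or from the GeoServer/Tomcat/Apache projects. It assumes the log is Apache combined format with Peter's `"%{Authorization}i"` appended as the final quoted field; for `Basic` credentials it keeps only the user name and drops the password, and for anything else (empty field, a `Bearer` token, malformed base64) it writes `-`, so neither passwords nor opaque tokens survive into the sanitised log. The sample lines, hosts and credentials are constructed for the example.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample log lines (not from the thread): Apache "combined" format
# with "%{Authorization}i" appended as a final quoted field, as Peter suggested.
# Hosts, timestamps and the credential "alice:hunter2" are invented.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Sep/2018:09:55:01 +0200] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states HTTP/1.1" 200 5120 "Basic YWxpY2U6aHVudGVyMg=="',
    '10.0.0.6 - - [13/Sep/2018:09:55:02 +0200] "GET /geoserver/wfs?SERVICE=WFS&REQUEST=GetCapabilities HTTP/1.1" 200 2048 "-"',
    '10.0.0.7 - - [13/Sep/2018:09:55:03 +0200] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states HTTP/1.1" 401 0 "Basic not-valid-base64!!"',
    '10.0.0.8 - - [13/Sep/2018:09:55:04 +0200] "GET /geoserver/rest/layers HTTP/1.1" 200 300 "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"',
]

# Everything up to the final quoted field, which holds the raw Authorization header.
_AUTH_FIELD = re.compile(r'^(?P<prefix>.*) "(?P<auth>[^"]*)"$')


def username_from_authorization(value):
    """Return the user name from a 'Basic <base64>' header value, or None.

    Anything that is not a well-formed Basic credential (empty field, another
    scheme such as Bearer, invalid base64, no ':' separator) yields None so the
    caller logs '-' instead of leaking a token or a malformed value.
    """
    if not value or value == "-":
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")  # password is discarded here
    if not sep or not user:
        return None
    return user


def sanitize_line(line):
    """Replace the raw Authorization field with the user name only ('-' if none)."""
    m = _AUTH_FIELD.match(line)
    if not m:
        return line  # not in the expected shape; leave untouched
    user = username_from_authorization(m.group("auth"))
    return '%s "%s"' % (m.group("prefix"), user or "-")


def sanitize_log(lines):
    """Sanitise every line; the result is safe to keep as the audit trail."""
    return [sanitize_line(line) for line in lines]


def requests_per_user(lines):
    """Count requests per user name ('-' for unauthenticated or non-Basic)."""
    counts = Counter()
    for line in lines:
        m = _AUTH_FIELD.match(line)
        user = username_from_authorization(m.group("auth")) if m else None
        counts[user or "-"] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in sanitize_log(SAMPLE_LOG_LINES):
        print(line)
    print(requests_per_user(SAMPLE_LOG_LINES))
```

Run it over the raw access log as it is rotated (or pipe the log through it before it reaches a central log store); the raw file with the encoded passwords should then be deleted or never written to durable storage in the first place. Note that this only answers the "who" question for Basic authentication; a session cookie or bearer token carries no recoverable user name, which is where a server-side audit log such as GeoServer's own would be needed instead.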
Hi Richard,
did you try using the monitoring module, in "audit" mode? It will log all sorts of details about the requests
you're getting, regardless of whether they are POST or GET, including the username (but I don't know if it works
fine with LDAP auth).
See:
http://docs.geoserver.org/latest/en/user/extensions/monitoring/index.html
https://geoserver.geo-solutions.it/edu/en/adv_gsconfig/monitoring.html
Cheers
Andrea
Regards,
Andrea Aime
GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.
Ing. Andrea Aime @geowolf
Technical Lead, GeoSolutions S.A.S.
Via di Montramito 3/A, 55054 Massarosa (LU)
phone: +39 0584 962313, fax: +39 0584 1660272, mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
On 09/13/2018 04:15 PM, Andrea Aime wrote:
Hi Richard,
did you try using the monitoring module, in "audit" mode? It will log
all sorts of details about the requests
you're getting, regardless of whether they are POST or GET, including the
username (but I don't know if it works
fine with LDAP auth).
See:
http://docs.geoserver.org/latest/en/user/extensions/monitoring/index.html
https://geoserver.geo-solutions.it/edu/en/adv_gsconfig/monitoring.html
Hi Andrea,
Thanks!
Mmm, I thought I wasn't able to download the monitoring module earlier?
Or that it was discontinued? I had it working in 2.12, but not in 2.13
anymore. Now I see it is still there.
Will have a look next week and report back.
Regards,
Richard