[Bug 63493] New: enhancement - add JMX counters to monitor authentication and authorization

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63493

            Bug ID: 63493
           Summary: enhancement - add JMX counters to monitor
                    authentication and authorization
           Product: Tomcat 9
           Version: 9.0.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: -----

As security monitoring becomes more professional (use of SIEM platforms) I
would like to give Tomcat some useful output.

We can easily monitor the authentication (success vs failure), and the
authorization (403 codes for any reason - after several authentication
failures, restricted system permissions, wrong client certificate, ...)

This data could be exported as counters through JMX: number of succeeded
authentications, number of failed authentications, number of denied
authorizations. It's up to the monitoring tool to compare with the total
traffic if it wants to have percentage values or guess if an attack is ongoing,
and it can achieve this with the help of other counters already implemented
(number of requests).

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Bug 63493] enhancement - add JMX counters to monitor authentication and authorization

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63493

Eugène Adell <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 63493] enhancement - add JMX counters to monitor authentication and authorization

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63493

--- Comment #1 from Eugène Adell <[hidden email]> ---
Created attachment 36618
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36618&action=edit
adds authorizationDeniedCount at the GlobalRequestProcessor level

denied authorization counter, checks 403 return codes


[Bug 63493] enhancement - add JMX counters to monitor authentication and authorization

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63493

--- Comment #2 from Eugène Adell <[hidden email]> ---
Created attachment 36619
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36619&action=edit
adds authentications counters at the Realm level

this is for DataSourceRealm, other realms should probably be modified the same
way


[Bug 63493] enhancement - add JMX counters to monitor authentication and authorization

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63493

--- Comment #3 from Christopher Schultz <[hidden email]> ---
The patch isn't high-load-safe because the counters are vanilla ints and you
use ++ for increment.

I think you'd at least need to use AtomicInt. You might want to consider
AtomicLong... those counters might get pretty high.


[Bug 63493] enhancement - add JMX counters to monitor authentication and authorization

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63493

Eugène Adell <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #36619|0                           |1
        is obsolete|                            |

--- Comment #4 from Eugène Adell <[hidden email]> ---
Created attachment 37334
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37334&action=edit
adds authentications counters at the Realm level, version 2

Convert int to AtomicInteger for my 2 counters, update descriptors to use
9.0.36 instead of 9.0.20 which was different


[Bug 63493] enhancement - add JMX counters to monitor authentication and authorization

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63493

--- Comment #5 from Eugène Adell <[hidden email]> ---
Thanks for looking Chris,

GlobalRequestProcessor :
The counters are no different from those already existing, and authentication
denials could not logically go higher than errorCount which is an int (on
version 9.0 at least)
I can change this, but this would not be consistent.


Realm :
The counters are of the same magnitude as requestCount which is also a
vanilla int. As requested, I am switching to the Atomic version as I see in the
LockOutRealm some use of Atomics, this makes more sense here. I'm posting a new
patch for it, for version 9.0.36 as the descriptors file is a bit different
than 1 year ago.

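The counters discussed in this thread, sketched as an added example that is not taken from the attached patches or from Tomcat's code: a standard MBean exposing the three proposed values, backed by AtomicLong, with a plain int incremented alongside to show the lost-update problem raised in comment #3. The class names, attribute names and the `example:type=AuthCounters` ObjectName are hypothetical.

```java
import java.lang.management.ManagementFactory;
import java.util.concurrent.atomic.AtomicLong;
import javax.management.MBeanServer;
import javax.management.ObjectName;

// Added illustration; every class, attribute and ObjectName here is hypothetical.
public class AuthCounterDemo {
    // Standard MBean contract: each getter becomes a read-only JMX attribute.
    public interface AuthCountersMBean {
        long getAuthenticationSuccessCount();
        long getAuthenticationFailureCount();
        long getAuthorizationDeniedCount();
    }
    public static class AuthCounters implements AuthCountersMBean {
        private final AtomicLong success = new AtomicLong();
        private final AtomicLong failure = new AtomicLong();
        private final AtomicLong denied = new AtomicLong();
        int plainFailure; // non-atomic twin, kept only to show lost updates
        // Would be called where a realm's authenticate() returns.
        public void recordAuthentication(boolean ok) {
            if (ok) { success.incrementAndGet(); return; }
            failure.incrementAndGet();
            plainFailure++; // read-modify-write race between request threads
        }
        // Would be called when a response is sent with this status code.
        public void recordStatus(int status) { if (status == 403) denied.incrementAndGet(); }
        @Override public long getAuthenticationSuccessCount() { return success.get(); }
        @Override public long getAuthenticationFailureCount() { return failure.get(); }
        @Override public long getAuthorizationDeniedCount() { return denied.get(); }
    }
    public static void main(String[] args) throws Exception {
        AuthCounters counters = new AuthCounters();
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("example:type=AuthCounters");
        mbs.registerMBean(counters, name);
        // Eight simulated request threads, 100000 failed logins each.
        Runnable failedLogins = () -> {
            for (int n = 0; n < 100_000; n++) counters.recordAuthentication(false);
        };
        Thread[] workers = new Thread[8];
        for (int i = 0; i < 8; i++) (workers[i] = new Thread(failedLogins)).start();
        for (Thread t : workers) t.join();
        counters.recordStatus(403);
        // Read back through JMX, the way a monitoring agent would.
        System.out.println("failures (atomic): " + mbs.getAttribute(name, "AuthenticationFailureCount"));
        System.out.println("failures (plain int): " + counters.plainFailure);
        System.out.println("denied: " + mbs.getAttribute(name, "AuthorizationDeniedCount"));
    }
}
```

On a multi-core host the plain int can come up short of the atomic count, which matters when a SIEM alert threshold is derived from the failure counter.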