Spring Security - SEC-1919

AuthenticationServiceException logged on DEBUG level

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.2
    • Component/s: Core, LDAP
    • Labels: None

      Description

      When the LDAP server is not available, AuthenticationServiceException should be logged at the ERROR level, not at DEBUG.

        Activity

        Rob Winch added a comment -

        First, I agree that we need to handle this particular instance of AuthenticationServiceException differently. However, we should not log all AuthenticationServiceExceptions at an error level, as this can allow a type of Denial of Service (DoS) attack. For example, if an OpenID Provider (OP) fails to authenticate a user, an AuthenticationServiceException is thrown. This means that users who have set up their own OP, or are knowledgeable enough to construct URLs that look like an OP, can hit the server hard and fill up the error logs. The I/O of the logging can slow the service down significantly, not to mention that it can fill up the disk. In short, for scenarios where an external entity fails we should still log at debug level to prevent this sort of behavior.

        For this specific JIRA, the communication is with the LDAP server. The LDAP server should be a trusted entity (i.e. it won't fail just to fill up our logs), and so we should handle this situation with quite a bit more noise. The solution we are using is to create a new Exception that extends AuthenticationServiceException, named InternalAuthenticationServiceException. The new Exception will be thrown by the LDAP tier and logged as an error by the web tier.

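The split Rob Winch describes, as an added illustration rather than Spring Security's own code: stand-in exception classes model the hierarchy, the LDAP tier wraps a connectivity failure in the internal type, and the web tier picks the log level from the exception type so only trusted-backend failures become error entries. The class names mirror the ones discussed above; the java.util.logging calls and the sample failures are assumptions of this example.

```java
import java.net.ConnectException;
import java.util.logging.Level;
import java.util.logging.Logger;

// Simplified stand-ins for the exception hierarchy (not the framework's own classes).
class AuthenticationException extends RuntimeException {
    AuthenticationException(String msg, Throwable cause) { super(msg, cause); }
}

// Thrown when an authentication request cannot be processed, including failures of
// external parties such as an OpenID Provider; anyone can trigger these.
class AuthenticationServiceException extends AuthenticationException {
    AuthenticationServiceException(String msg, Throwable cause) { super(msg, cause); }
}

// Thrown only for failures of infrastructure the application trusts (the LDAP server here).
class InternalAuthenticationServiceException extends AuthenticationServiceException {
    InternalAuthenticationServiceException(String msg, Throwable cause) { super(msg, cause); }
}

public class AuthFailureLogging {
    private static final Logger LOG = Logger.getLogger(AuthFailureLogging.class.getName());

    // Web tier: attacker-triggerable failures stay at debug so the log cannot be used
    // to flood disk or I/O; trusted-backend failures are surfaced as errors.
    static Level levelFor(AuthenticationException ex) {
        if (ex instanceof InternalAuthenticationServiceException) {
            return Level.SEVERE; // java.util.logging's counterpart of ERROR
        }
        return Level.FINE;       // counterpart of DEBUG
    }

    static void logFailure(AuthenticationException ex) {
        LOG.log(levelFor(ex), "Authentication request failed: " + ex.getMessage(), ex);
    }

    // LDAP tier: a connectivity failure to the trusted directory is wrapped in the internal type.
    static AuthenticationException ldapUnavailable(Exception cause) {
        return new InternalAuthenticationServiceException("LDAP server unavailable", cause);
    }

    public static void main(String[] args) {
        // Constructed samples: one trusted-backend failure, one external-provider failure.
        logFailure(ldapUnavailable(new ConnectException("Connection refused")));
        logFailure(new AuthenticationServiceException("OpenID Provider did not respond", null));
    }
}
```

With java.util.logging's default console handler (INFO and above) only the LDAP failure is printed, which is the intended outcome; the OpenID failure is retained only when debug-level output is enabled.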
        Krzysztof Koziol added a comment -

        I agree, introducing the new InternalAuthenticationServiceException that will be logged as an error would work for me.

        Rob Winch added a comment -

        Thanks for your feedback.


          People

          • Assignee: Rob Winch
          • Reporter: Krzysztof Koziol
          • Votes: 0
          • Watchers: 2


              Time Tracking

              • Original Estimate: 1h
              • Remaining Estimate: 1h
              • Time Spent: Not Specified