auditing security changes

louise rochford
Ranch Hand

Joined: Apr 04, 2002
Posts: 119
Hi all,
I need some help with keeping track of changes to the security configuration in our apps....
We're using Websphere 5.1 with Active Directory.
If we add users to groups in AD this is done using the standard company procedures, but we may also need to change the mapping of groups to roles (rare I know, but our business users want this flexibility).
I know how to do the actual mapping change, but what I don't know is how this change gets logged in WebSphere.
I find it hard to believe that a product as big as WebSphere doesn't keep a log of such a change, but where is it?
Very grateful for any ideas.
Cheers,
Louise
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
Actually, Louise, we don't log this. In general we don't log any administrative changes because that's just the way the application server operates -- it's normal behavior and not an exceptional condition.

Configuration changes to anything in the console or WSAdmin (including the group/role mapping) are made by changing the master copy of the appropriate XML files in the configuration repository and then transferring those files out to the individual nodes. After the nodes have been updated there is no record of the change.

You might be able to create a log of the type you want by turning on application tracing for that subsystem on the Deployment Manager, though. You'd just have to filter out the entries from the DMgr trace log that you wanted. Sounds kind of expensive, though...

Kyle


Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at http://www.kyle-brown.com/ for other WebSphere information.
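
Since the reply above says configuration changes are written to XML files in the configuration repository and leave no record, one way to build a record is to snapshot those files on a schedule and diff each snapshot against the previous one. The following is an added example, not part of the thread and not WebSphere code; the repository root passed to `snapshot`, the file names and the XML schema in `demo` are constructed assumptions.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def snapshot(repo_root):
    """Read every XML file under repo_root into {relative_path: text}."""
    root = Path(repo_root)
    return {p.relative_to(root).as_posix(): p.read_text(encoding="utf-8")
            for p in sorted(root.rglob("*.xml"))}

def _sha256(text):
    return None if text is None else hashlib.sha256(text.encode("utf-8")).hexdigest()

def audit_changes(baseline, current):
    """Compare two snapshots; return one record per added/removed/modified file."""
    records = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        change = "added" if old is None else "removed" if new is None else "modified"
        diff = list(difflib.unified_diff(
            (old or "").splitlines(), (new or "").splitlines(),
            fromfile="baseline/" + path, tofile="current/" + path, lineterm=""))
        records.append({"file": path, "change": change,
                        "sha256_before": _sha256(old),
                        "sha256_after": _sha256(new), "diff": diff})
    return records

def demo():
    """Constructed repository: a group is added to a role, and a file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        app.mkdir()
        binding = app / "bindings.xml"   # constructed name and schema
        binding.write_text('<bindings>\n  <role name="Approver">\n'
                           '    <group name="Finance-Approvers"/>\n  </role>\n</bindings>\n')
        (app / "other.xml").write_text("<settings/>\n")
        before = snapshot(tmp)
        binding.write_text(binding.read_text().replace(
            '  </role>', '    <group name="All-Staff"/>\n  </role>'))
        (app / "new.xml").write_text("<extra/>\n")
        return audit_changes(before, snapshot(tmp))

if __name__ == "__main__":
    for rec in demo():
        print(rec["change"], rec["file"])
        print("\n".join(rec["diff"]))
```

The records show what changed and between which two snapshots, not who made the change, so they complement change-request documentation rather than replace it.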
louise rochford
Ranch Hand

Joined: Apr 04, 2002
Posts: 119
Thanks for the quick response Kyle.
I get the impression that logging this type of change isn't standard procedure - you only give administrator access to people you trust to do things properly.
I'll see if I can get our users / security folks to agree that this concept, plus Change request documentation detailing the required mapping changes will be sufficient control.
Failing that I'll be filtering trace logs...

Many thanks again,
Louise