SEC-1919: AuthenticationServiceException logged on DEBUG level #2133

Closed
spring-issuemaster opened this Issue Feb 20, 2012 · 3 comments

2 participants

@spring-issuemaster

Krzysztof Koziol (Migrated from SEC-1919) said:

When the LDAP server is not available, AuthenticationServiceException should be logged at the ERROR level, not at DEBUG.

@spring-issuemaster

Rob Winch said:

First, I agree that we need to handle this particular instance of AuthenticationServiceException differently. However, we should not log all AuthenticationServiceExceptions at an error level, as this can allow a type of Denial of Service (DoS) attack. For example, if an OpenID Provider (OP) fails to authenticate a user, an AuthenticationServiceException is thrown. This means that users who have set up their own OP, or are knowledgeable enough to construct URLs that look like an OP, can hit the server hard and fill up the error logs. The IO of the logging can slow the service down significantly, not to mention it can fill up the disk. In short, for scenarios where an external entity fails, we should still log at debug level to prevent this sort of behavior.

For this specific JIRA, the communication is with the LDAP server. The LDAP Server should be a trusted entity (i.e. it won't fail just to fill up our logs) and so we should handle this situation with quite a bit more noise. The solution we are using is that we will create a new Exception that extends the AuthenticationServiceException named InternalAuthenticationServiceException. The new Exception will be thrown by the LDAP tier and logged as an error by the web tier.
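The distinction Rob describes, externally triggerable failures kept at DEBUG and failures of a trusted internal dependency raised to ERROR, can be expressed as a small level-selection rule in the failure handler. The following is an added illustration, not code from the thread or from Spring Security itself: the three exception classes are local stand-ins for the Spring Security types named above (declared here so the file compiles without the framework on the classpath), and `AuthFailureLogging`, `levelFor` and `onAuthenticationFailure` are hypothetical names chosen for the example.

```java
import java.net.ConnectException;
import java.util.logging.Level;
import java.util.logging.Logger;

// Stand-ins for the Spring Security exception hierarchy discussed in the thread.
// In the real framework these live in org.springframework.security.authentication.
class AuthenticationException extends RuntimeException {
    AuthenticationException(String msg) { super(msg); }
    AuthenticationException(String msg, Throwable cause) { super(msg, cause); }
}

// Thrown when an authentication backend reports a problem; for external providers
// (e.g. an OpenID Provider) the trigger is under the remote party's control.
class AuthenticationServiceException extends AuthenticationException {
    AuthenticationServiceException(String msg) { super(msg); }
    AuthenticationServiceException(String msg, Throwable cause) { super(msg, cause); }
}

// Thrown only by trusted internal tiers (e.g. the LDAP tier), so a burst of these
// means our own infrastructure is broken rather than a remote party misbehaving.
class InternalAuthenticationServiceException extends AuthenticationServiceException {
    InternalAuthenticationServiceException(String msg, Throwable cause) { super(msg, cause); }
}

public class AuthFailureLogging {
    private static final Logger LOG = Logger.getLogger(AuthFailureLogging.class.getName());

    // Pick the log level from the exception type, most specific type first.
    static Level levelFor(AuthenticationException failed) {
        if (failed instanceof InternalAuthenticationServiceException) {
            // A trusted backend such as LDAP is unreachable: operators must see this,
            // and only a handful of such events can occur per outage.
            return Level.SEVERE;
        }
        // Anything a remote user can provoke at will (bad OP response, bogus OP URL,
        // wrong password) stays at debug so an attacker cannot fill the disk or tie up
        // I/O by repeatedly failing on purpose.
        return Level.FINE;
    }

    // Hypothetical equivalent of the web tier's unsuccessful-authentication hook.
    static void onAuthenticationFailure(AuthenticationException failed) {
        Level level = levelFor(failed);
        // The stack trace is attached only at SEVERE; a trace per request on a
        // noisy, attacker-controlled path is exactly the volume we want to avoid.
        if (level.intValue() >= Level.SEVERE.intValue()) {
            LOG.log(level, "Authentication request failed: " + failed.getMessage(), failed);
        } else {
            LOG.log(level, "Authentication request failed: " + failed.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed scenarios: a remote OP failing (user-triggerable) and the
        // LDAP server being down (internal).
        onAuthenticationFailure(
            new AuthenticationServiceException("OpenID Provider returned an invalid response"));
        onAuthenticationFailure(
            new InternalAuthenticationServiceException("LDAP server unreachable",
                new ConnectException("Connection refused")));
    }
}
```

With the default `java.util.logging` configuration only the second call produces output, which is the intended behaviour: an LDAP outage is visible at error level, while the OP failure is discoverable by enabling FINE logging for the class during troubleshooting. The ordering of the `instanceof` checks matters, since the internal exception is a subclass of the external one; testing the broader type first would silently demote every LDAP failure back to debug.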

@spring-issuemaster

Krzysztof Koziol said:

I agree, introducing the new InternalAuthenticationServiceException that will be logged as an error would work for me.

@spring-issuemaster

Rob Winch said:

Thanks for your feedback :)

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016