Urgently needed new feature: Log IP addresses when someone logs in

 
Ranch Hand
Posts: 17424
There should be another table which logs login activity. When someone logs in, it should capture:

1. User IP address
2. Browser user-agent
3. Was the login successful or not?

This is basic basic stuff that should be there. Without this information there is little or no control over who is doing what on the system. You can see IP addresses in the server logs but those don't tell you anything about who is on the system or doing what.

If I could get into the code and figure out where to put a hook like this, I would add this feature myself.

[originally posted on jforum.net by CaliforniaCCW]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
The best place to do this would be in the net.jforum.view.forum.UserActions class. In particular the validateLogin() and logout() methods.

But these may not get called if you are using an SSO method or authenticating via cookie.

A quick way to do this would be to just use the logger object that's already there. E.g.:

logger.info("Security: user: X IP:y ....");

Another way I've done this in the past is to have a simple SecurityLog class with static logging methods. The advantage to this is that the log4j / commons.logging mechanisms let you direct specific class logging to different files. So by using a SecurityLog class, you can generate a separate security log. (Or not and just grep the log for the class to get the same info...).
[originally posted on jforum.net by monroe]
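
Added example (not part of the original posts and not JForum's own code): a sketch of the SecurityLog idea from the reply above, recording the three fields asked for in the first post. It uses java.util.logging rather than log4j / commons.logging so it runs without dependencies; the method names, logger name and sample values are assumptions, and the calls would be placed in validateLogin() and logout().

```java
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example: a dedicated security logger with static methods (hypothetical, not JForum code). */
public final class SecurityLog {
    // A dedicated logger name lets the logging configuration route these events to their own file.
    private static final Logger LOG = Logger.getLogger("security.SecurityLog");
    private static final int MAX_FIELD = 256; // cap on client-controlled values such as User-Agent

    private SecurityLog() {}

    /** Replace control characters (CR/LF included) so client-supplied values cannot forge log lines. */
    static String clean(String value) {
        if (value == null || value.isEmpty()) return "-";
        String s = value.replaceAll("\\p{Cntrl}", "_").replace('"', '\'');
        return s.length() > MAX_FIELD ? s.substring(0, MAX_FIELD) : s;
    }

    /** Build one key=value line per event so the log stays easy to grep and parse. */
    static String format(String event, String user, String ip, String userAgent, boolean ok) {
        return String.format("event=%s user=\"%s\" ip=%s result=%s ua=\"%s\"",
                event, clean(user), clean(ip), ok ? "success" : "failure", clean(userAgent));
    }

    public static void login(String user, String ip, String userAgent, boolean ok) {
        // Failed logins are logged at WARNING so they can be filtered or alerted on separately.
        LOG.log(ok ? Level.INFO : Level.WARNING, format("login", user, ip, userAgent, ok));
    }

    public static void logout(String user, String ip) {
        LOG.info(format("logout", user, ip, null, true));
    }

    public static void main(String[] args) {
        // Constructed sample values. In a servlet they would come from
        // request.getRemoteAddr() and request.getHeader("User-Agent"); behind a
        // reverse proxy getRemoteAddr() returns the proxy's address.
        login("alice", "192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64)", true);
        // A username containing a newline stays on one line after clean().
        login("bob\nevent=login user=\"admin\" result=success", "198.51.100.7", "curl/8.0", false);
        logout("alice", "192.0.2.10");
    }
}
```

As the reply notes, these calls will not fire for SSO or cookie-based authentication unless those paths call the same methods.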