Open timja opened 10 years ago
timja
commented
10 years ago This only works when using container authentication. If you have set up a different authentication method, the log will not show user names.
This issue should be classified as feature.
timja
commented
10 years ago As an alternative, you could try the Audit Trail Plugin
https://wiki.jenkins-ci.org/display/JENKINS/Audit+Trail+Plugin
timja
commented
10 years ago Not a bug.
BTW, an additional input from the submitter would be useful
timja
commented
10 years ago dhs:
What kind of additional info do you need?
I don't think it's not a bug, btw. Jenkins still uses the Winstone options for logging. Winstone docs say there's a username in the output. Jenkins doesn't log the username -> bug.
timja
commented
8 years ago Really. You say access log and there is no user id mentioned. Isn't it obvious for one to see userid in access logs? Yes it's a bug.
timja
commented
8 years ago I managed to hack together a way to get the username, if it will help anyone else. I created a servlet filter that sets a response header with the username; it can catch basic authentication failures if it runs before the authentication filters (very handy for failing REST API calls). I then created a customized logger for Winstone/Jetty to grab that header and add it to the log output. The header never makes it to the browser, but fortunately I don't need it to. Obviously this requires hacking the web.xml file and the bundled winstone.jar file, but it works.
I agree this is a bug – finding the username should not be this difficult.
Here's the doFilter() method from my new filter:
/**
* Finds the username for this request, if any.
*
* NOTE: In the case of failed basic authentication requests, the _attempted_
* username is returned. Be sure to check the status code to determine
* success/failure before logging!
*/
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
String username = null;
chain.doFilter(request, response);
NonSerializableSecurityContext securityContext = (NonSerializableSecurityContext)((HttpServletRequest)request).getSession().getAttribute("ACEGI_SECURITY_CONTEXT");
if (securityContext != null) {
Authentication authentication = securityContext.getAuthentication();
if (authentication != null) {
Object principal = authentication.getPrincipal();
if (principal instanceof String) {
// Anonymous/unauthenticated
username = (String)principal;
if (username.equals("anonymous"))
username = null;
}
else if (principal instanceof HudsonPrivateSecurityRealm.Details) {
// Jenkins internal database
username = ((HudsonPrivateSecurityRealm.Details)principal).getUsername();
}
else if (principal instanceof LdapUserDetailsImpl) {
// LDAP
username = ((LdapUserDetailsImpl)principal).getUsername();
}
else {
// Unknown! Uncomment this to find out what class is being returned.
//username = "unknown(" + principal.getClass().getName() + ")";
}
}
}
else {
String authorization = ((HttpServletRequest)request).getHeader("Authorization");
if ((authorization != null) &&
authorization.startsWith("Basic ")) {
String credentials = new String(Base64.getDecoder().decode(authorization.substring(6)));
int colon = credentials.indexOf(':');
if (colon >= 0) {
username = credentials.substring(0, colon);
}
}
}
if (username != null)
((HttpServletResponse)response).addHeader("X-Username", username);
}
timja
commented
2 years ago dhs:
nagavijayan, could you please explain the priority change? How does a missing piece in log output block you?
Anyway, I think this ticket can be closed. It's 8 years old now and not important anymore, since we've meanwhile upgraded to 2.x, which we run on Linux behind an Apache reverse proxy...
After enabling access logging in a standalone install of 1.562 using
and restarting Jenkins, the access log is created, but only has a single "-" where I'd expect a user name, for example:
Originally reported by dhs, imported from: Access log doesn't contain user names