How to disable the Audit Manager in JBoss EAP 5.x?
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 5.x
Issue
- How can I disable the Audit Manager in JBoss EAP 5.x?
- We are porting an application to EAP 5.x from EAP 4.3 and the application is not performing very well on EAP 5.x. It looks like the threads are taking a long time getting through the EJB security interceptors.
Resolution
Modify the JNDIBasedSecurityManagement bean in the server/$PROFILE/conf/bootstrap/security.xml file so that it looks like the following:
<bean name="JNDIBasedSecurityManagement"
      class="org.jboss.security.integration.JNDIBasedSecurityManagement">
    <property name="enableAudit">false</property>
</bean>
Setting the enableAudit property to false will disable some additional audit logging that appears to be happening even when audit logging is disabled in the jboss-log4j.xml file (according to the official JBoss documentation).
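To confirm which profiles have this authorization audit switched off, the following added example (not Red Hat's code) parses a security.xml and reports the enableAudit value on the JNDIBasedSecurityManagement bean. The sample document, its urn:jboss:bean-deployer:2.0 namespace and the OtherBean entry are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

BEAN = "JNDIBasedSecurityManagement"

# Constructed sample of a bootstrap/security.xml (namespace and OtherBean are assumptions).
SAMPLE = """<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="OtherBean" class="example.Other">
    <property name="enableAudit">true</property>
  </bean>
  <bean name="JNDIBasedSecurityManagement"
        class="org.jboss.security.integration.JNDIBasedSecurityManagement">
    <property name="enableAudit"> false </property>
  </bean>
</deployment>
"""


def local(tag):
    """Strip any '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_setting(xml_text):
    """Return 'disabled', 'enabled', 'invalid', 'unset' or 'bean-missing'."""
    root = ET.fromstring(xml_text)
    for bean in root.iter():
        if local(bean.tag) != "bean" or bean.get("name") != BEAN:
            continue
        # Only direct <property> children of this bean count, not other beans' properties.
        for prop in bean:
            if local(prop.tag) == "property" and prop.get("name") == "enableAudit":
                value = (prop.text or "").strip().lower()
                return {"false": "disabled", "true": "enabled"}.get(value, "invalid")
        return "unset"  # bean present, property absent: the server default applies
    return "bean-missing"


if __name__ == "__main__":
    # Usage: pass one or more security.xml paths; with no arguments the sample is checked.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                print(path, audit_setting(fh.read()))
    else:
        print("sample", audit_setting(SAMPLE))
```

A result of "disabled" means the EJB authorization audit trail is off for that profile, which is worth recording alongside the performance change.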
Root Cause
When debugging a performance issue related to audit logging, the thread dumps made it look like most of the time was being spent in the EJB interceptor code:
"http-127.0.0.1-8080-6" daemon prio=6 tid=0x59578800 nid=0x1c70 runnable [0x652cd000]
   java.lang.Thread.State: RUNNABLE
    ...
    ....
    at org.jboss.security.authorization.resources.EJBResource.toString(EJBResource.java:188)
    at org.jboss.security.javaee.AbstractJavaEEHelper.authorizationAudit(AbstractJavaEEHelper.java:100)
    at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:118)
    at org.jboss.ejb.plugins.SecurityActions$14.run(SecurityActions.java:557)
    at org.jboss.ejb.plugins.SecurityActions$14.run(SecurityActions.java:554)
    at java.security.AccessController.doPrivileged(Native Method)
The AbstractJavaEEHelper.authorizationAudit and all the toString calls seem to indicate audit logging is enabled. However, the thread dumps were taken after we made sure the audit appender was disabled in jboss-log4j.xml according to the JBoss documentation.
After looking at the AbstractJavaEEHelper.authorizationAudit method, it seems like the securityContext.getAuditManager() method should be returning null when audit logging is not enabled. Here's the code:
protected void authorizationAudit(String level, Resource resource, Exception e)
{
    if(securityContext.getAuditManager() == null)
        return;
    //Authorization Exception stacktrace is huge. Scale it down
    //as the original stack trace can be seen in server.log (if needed)
    String exceptionMessage = e != null ? e.getLocalizedMessage() : "";
    Map<String,Object> cmap = new HashMap<String,Object>();
    cmap.putAll(resource.getMap());
    cmap.put("Resource:", resource.toString());
    cmap.put("Exception:", exceptionMessage);
    audit(level,cmap,null);
}
If that call returns null, then it should bypass all of the Object to String conversions.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.