Re: [Pki-devel] [PATCH] pki-cfu-0058-Ticket-1160-audit-logging-needed-REST-API-auth-authz.patch

On 5/12/2015 1:01 PM, Christina Fu wrote: > Attached please find the update. > Two things to note: > 1. for comment #2, as discussed over irc, I put the auth manager id in > the authToken instead. Turns out the session contaxt has the whole > authToken in it, so there is no need to put it in separately in the > session context. > 2. for comment #3, the difference between the password based and cert > based auth is that by the time it gets here, cert based auth already > passed the ssl auth, so we know exactly who the subject is, and what > remains is just a matter of mapping it to the right user in the > internaldb. Unlike cert based auth, the password based auth could be > anyone attempted to be the uid provided in the auth, so the "attempted" > is more useful in capturing the attempt. > I changed it so that for cert based auth now has "attemptedUID" to be > the same as that of the subjectid, and I added comment to explain that. > The two auth methods are going to be different, and for a good reason. > > I addressed the rest of the comments as requested. > > thanks, > Christina There is one more mSignedAuditLogger in PKIRealm. Other than that it's ACKed.