Here are my review comments per discussion:

* The exception message with less detail looks fine.
* First thing I noticed is that the "signed audit" messages don't conform to the format. Looking closely, I see that you have picked up an outdated interface. The real signed auditor is supposed to be called by doing:
      IAuditor auditor = CMS.getAuditor();
  The authz fail event is supposed to be LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4
  and the call is done as:
      auditMessage = CMS.getLogMessage(
              LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
              auditSubjectID,
              ILogger.FAILURE,
              auditACLResource,
              auditOperation);
      audit(auditMessage);
  where audit is resolved to auditor.log(auditMessage);
  See AdminServlet.java for example.

Anyway, all the CS servlets do auditing that way, and so the REST interface should do it the same way. So, instead of adding audit messages in the authorization modules, I suggest you:
1. Put the message in the debug log instead.
2. If it does not exist, file a ticket for the REST interface to do signed auditing.

Christina

On 07/25/2014 07:02 PM, Matthew Harmsen wrote:
Please review the following attached patch (using the attached test procedure) which addresses:




_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel