Here are my review comments per discussion: * The exception message with less detail looks fine * First thing I noticed is that the "signed audit" messages don't conform to the format. Looking closely, I see that you have picked up an outdated interface. The real signed auditor is supposed to be called by doing: IAuditor auditor = CMS.getAuditor(); The authz fail event is supposed to be LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4 and the call is done as: auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, auditSubjectID, ILogger.FAILURE, auditACLResource, auditOperation); audit(auditMessage); where audit is resolved to auditor.log(auditMessage); See AdminServlet.java for example. Anyway, all the CS servlets do auditing that way, and so the REST interface should do it the same way. So, instead of adding audit messages in the authorization modules, I suggest you 1. put the message in debug log instead 2. If it does not exist, file a ticket for REST interface to do signed auditing Christina On 07/25/2014 07:02 PM, Matthew Harmsen wrote: