<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Here are my review comments per discussion:<br>
<br>
* The exception message with less detail looks fine<br>
* First thing I noticed is that the "signed audit" messages don't
conform to the format. Looking closely, I see that you have picked
up an outdated interface. The real signed auditor is supposed to be
called by doing:<br>
<pre>IAuditor auditor = CMS.getAuditor();</pre>
The authz fail event is supposed to be
LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4<br>
and the call is done as:<br>
<pre>auditMessage = CMS.getLogMessage(
        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
        auditSubjectID,
        ILogger.FAILURE,
        auditACLResource,
        auditOperation);
audit(auditMessage);</pre>
where audit is resolved to auditor.log(auditMessage);<br>
See AdminServlet.java for example.<br>
<br>
Anyway, all the CS servlets do auditing that way, and so the REST
interface should do it the same way. So, instead of adding audit
messages in the authorization modules, I suggest you:<br>
1. Put the message in the debug log instead<br>
2. If it does not exist, file a ticket for the REST interface to do
signed auditing<br>
<br>
Christina<br>
<br>
<div class="moz-cite-prefix">On 07/25/2014 07:02 PM, Matthew Harmsen
wrote:<br>
</div>
<blockquote cite="mid:53D30C28.6090608@redhat.com" type="cite">
Please review the following attached patch (using the attached
test procedure) which addresses:<br>
<ul>
<li><a moz-do-not-send="true"
href="https://fedorahosted.org/pki/ticket/965">PKI TRAC
Ticket #965 - Improve error message - remove ACL mapping to
the user</a></li>
</ul>
<pre wrap="">_______________________________________________
Pki-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a></pre>
</blockquote>
<br>
</body>
</html>