generator-jhipster: Custom metrics and logging for invalid JWT tokens
There’s already a TRACE level log row (with error details) for the very same event, and I think this is the proper level for this kind of event. I think INFO is appropriate for general information about the application status (e.g. app bootstrapping, during normal operation, recurring tasks progress).
So, I propose to get rid of the INFO log row, and to change the TRACE log row message to "Invalid JWT token." too.
About this issue
- State: closed
- Created 3 years ago
- Comments: 28 (28 by maintainers)
+1 for these security metrics, @jhipster/developers do you agree?
I didn’t know about the tags, your proposal looks good to me: it looks similar to the status tag for the http.server.requests metric from Spring Boot Actuator that you can then query this way: http://localhost:8080/actuator/metrics/http.server.requests?tag=status:200
I like your approach with minor comments:
- ExpiredJwtException: I would still add a metric security.authentication.expired-tokens because it could be an indication that the token life duration is configured too short.
- UnsupportedJwtException, MalformedJwtException and SignatureException: you cannot be 100% sure that the attempts are malicious, imagine the case where the JWT secret was changed and suddenly all tokens issued previously have an invalid signature, this is not malicious, only security maintenance. Maybe name it as something more neutral like security.authentication.invalid-tokens

Good point. But having two logs seems strange. Should we keep trace and set the log level for the TokenProvider to trace such that a log based metric can be used to detect potential hacking attempts?