Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java =================================================================== diff -u -r7f420dcfde4984d32bb8acedde964ca613c1cb6c -r12265b9159c1ce543260d9c0421414b88fb7f814 --- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 7f420dcfde4984d32bb8acedde964ca613c1cb6c) +++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 12265b9159c1ce543260d9c0421414b88fb7f814) @@ -23,6 +23,7 @@ import java.io.IOException; import java.security.AccessController; import java.util.Date; +import java.util.StringTokenizer; import javax.servlet.ServletContext; import javax.servlet.ServletException; @@ -113,7 +114,7 @@ SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?failed=true"); return; } - user = getUserManagementService(session.getServletContext()).getUserByLogin(login); + user = SsoHandler.getUserManagementService(session.getServletContext()).getUserByLogin(login); if (user == null) { SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?failed=true"); return; @@ -186,14 +187,10 @@ && !password.startsWith("#LAMS")) { user.setFailedAttempts(null); user.setLockOutTime(null); - getUserManagementService(session.getServletContext()).save(user); + SsoHandler.getUserManagementService(session.getServletContext()).save(user); } - String message = new StringBuilder("User ").append(user.getLogin()).append(" (") - .append(user.getUserId()).append(") logged in").toString(); - getLogEventService(session.getServletContext()).logEvent(LogEvent.TYPE_LOGIN, user.getUserId(), - user.getUserId(), null, null, message); - + SsoHandler.logLogin(userDTO, request); } else { Integer failedAttempts = user.getFailedAttempts(); if (failedAttempts == null) { 
@@ -214,10 +211,10 @@ .append(user.getUserId()).append(") is locked out for ") .append(Configuration.getAsInt(ConfigurationKeys.LOCK_OUT_TIME)).append(" mins after ") .append(failedAttempts).append(" failed attempts.").toString(); - getLogEventService(session.getServletContext()).logEvent(LogEvent.TYPE_ACCOUNT_LOCKED, - user.getUserId(), user.getUserId(), null, null, message); + SsoHandler.getLogEventService(session.getServletContext()).logEvent( + LogEvent.TYPE_ACCOUNT_LOCKED, user.getUserId(), user.getUserId(), null, null, message); } - getUserManagementService(session.getServletContext()).save(user); + SsoHandler.getUserManagementService(session.getServletContext()).save(user); } SessionManager.endSession(); 
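Review bot: The `LogEvent.TYPE_ACCOUNT_LOCKED` message assembled just above the re-wrapped `logEvent` call still records only the login, user id, lock-out time and attempt count, while this commit starts recording the source address for successful logins. When reviewing password-guessing activity, the lockout event is where the source address matters most. I would add it here too, for example `.append(" Last attempt from IP ").append(request.getRemoteAddr())` before `.toString()`. The StringBuilder chain and the enclosing method start outside the hunk, so confirm that `request` is in scope at this point.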
@@ -293,15 +290,33 @@ } } - private IUserManagementService getUserManagementService(ServletContext context) { + private static void logLogin(UserDTO user, HttpServletRequest request) { + String clientIP = null; + String xForwardedForHeader = request.getHeader("X-Forwarded-For"); + if (xForwardedForHeader == null) { + clientIP = request.getRemoteAddr(); + } else { + // As of https://en.wikipedia.org/wiki/X-Forwarded-For + // The general format of the field is: X-Forwarded-For: client, proxy1, proxy2 ... + // we only want the client + clientIP = new StringTokenizer(xForwardedForHeader, ",").nextToken().trim(); + } + + String message = new StringBuilder("User ").append(user.getLogin()).append(" (").append(user.getUserID()) + .append(") logged in from IP ").append(clientIP).toString(); + SsoHandler.getLogEventService(SessionManager.getServletContext()).logEvent(LogEvent.TYPE_LOGIN, + user.getUserID(), user.getUserID(), null, null, message); + } + + private static IUserManagementService getUserManagementService(ServletContext context) { if (SsoHandler.userManagementService == null) { WebApplicationContext ctx = WebApplicationContextUtils.getWebApplicationContext(context); SsoHandler.userManagementService = (UserManagementService) ctx.getBean("userManagementService"); } return SsoHandler.userManagementService; } - protected ILogEventService getLogEventService(ServletContext context) { + private static ILogEventService getLogEventService(ServletContext context) { if (SsoHandler.logEventService == null) { WebApplicationContext ctx = WebApplicationContextUtils.getWebApplicationContext(context); SsoHandler.logEventService = (ILogEventService) ctx.getBean("logEventService");
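Review bot: In `logLogin`, the address written to the login event is the first `X-Forwarded-For` token whenever that header is present, and the client sets that header itself unless a proxy in front of the application overwrites it, so the audit record can hold a value the user chose. The same line throws `NoSuchElementException` when the header is empty or holds only commas, because `nextToken()` is called without `hasMoreTokens()`. That exception would surface in the successful-login branch, at the `SsoHandler.logLogin(userDTO, request)` call added in the earlier hunk. I would always record `request.getRemoteAddr()` and append the forwarded value only as a separate, labelled, format-checked claim, as sketched below. Whether this deployment sits behind a trusted proxy is not visible in the diff.

```java
private static void logLogin(UserDTO user, HttpServletRequest request) {
    // The socket peer is the only address the client cannot choose, so it is always recorded.
    String remoteAddr = request.getRemoteAddr();
    StringBuilder message = new StringBuilder("User ").append(user.getLogin()).append(" (")
	    .append(user.getUserID()).append(") logged in from IP ").append(remoteAddr);

    // X-Forwarded-For is client-supplied unless a trusted proxy overwrites it: keep it as a
    // labelled claim, and only when it looks like an IP literal (also bounds what reaches the log).
    String xForwardedForHeader = request.getHeader("X-Forwarded-For");
    if (xForwardedForHeader != null) {
	String claimed = xForwardedForHeader.split(",", 2)[0].trim();
	if (claimed.matches("[0-9A-Fa-f:.]{1,45}")) {
	    message.append(" (X-Forwarded-For: ").append(claimed).append(")");
	}
    }
    // … unchanged: logEvent(LogEvent.TYPE_LOGIN, …) call, now passing message.toString() …
}
```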