Erik Brakkee added a comment - 24/Mar/11 6:44 PM Comment from Andreas: In everyday use we identified the following logging features as extremely useful: If log level is set to FINE, we would receive exactly one log entry per request to FlexibleJDBCRealm. The log entry would contain whether the query could be satisfied from cache or whether it had to go to the DB (in which case timing info would be shown, e.g. 150ms.) => this would allow to get a good feel of exactly how often authentication is run and it could help to decide as to whether one should authenticate with each call or use a sessionID, etc. The password would NOT be shown for confidentiality reasons.

Erik Brakkee added a comment - 24/Mar/11 6:45 PM More general statistics:     * number of times specific operations where called: getPassword, getSeed, getGroups     * total time involved in database access per query.     * total time involved per query (including caching and database access)     * total number of cache hits per query     * total number of failed password authentications

Erik Brakkee added a comment - 25/Mar/11 10:08 PM Failed password authentications will not be logged by flexible JDBC realm. Instead glassfish audit logging should be used. See for instance the Oracle Glassfish 3.1 security guide ( http://download.oracle.com/docs/cd/E18930_01/html/821-2435/gksca.html )

Erik Brakkee added a comment - 25/Mar/11 10:10 PM The following statistics have been implemented for an authentication repository: 1. total duration 2. number of successful attempts 3. number of failed attempts The above three statistics are available for findPassword(), findSeed(), and findGroups(). findPassword() and findGroups() are considered to fail when the user is unknown. findSeed() is only considered to fial when an exception is thrown (which should never occur in the implementation). Duration is in milliseconds.