2

I need to implement audit logging for a web application I am building. I am using Spring Boot, MySQL and JPA (Hibernate) in development. I know there are solutions like Hibernate Envers for auditing at the Entity level. The problem is that the user (an admin user of the web app being built) who will inspect these logs has no notion of Entities; he speaks in terms of user actions. What my customer is asking for is to be able to detect each action each user performs. For instance, he wants to list all actions performed in the last 2 days. He expects to see a table such as:

USER   REQUESTED_ACTION   REQUEST_TIME      DETAILS  
-----  ----------------   ------------      ---------
John   Log in             2020-10-10 10:10  -----
John   Create Assessment  2020-10-10 10:12  AssessmentDay:..., Result:Success

The DETAILS column will contain information related to the action, such as inputs and outputs of the action. This column will differ for each action; it may contain text in JSON, XML or any other format, it does not matter. I see a couple of problems arising here. The first one is that it requires a lot of work on the developer side, me. I can apply Spring AOP in the @Controller or @Service classes to build the DETAILS and other columns and save the information, but I am still not sure if that is a good solution. I am also thinking of using Envers and translating the Envers audit tables to the above table which the user would like to see. I am not sure if that is possible though. Another option would be to just use Envers as is and educate the user about Entities. I would appreciate some guidance.

sanemain
  • I have implemented Envers in two projects. Envers basically gives you an audit table for every entity and if you use modifyflag=true, it will also show you which field got changed in which build. But, if you want to translate it to a human understandable form (like Jira does), you have to write your own logic for each and every change. Example - if field "Status" is changed, show "Status" is changed. But if a new note is added, you have to say "New note is added" (there is no change for a new note). So, a better solution would be to use Envers and educate them on how to use it – Sridhar Patnaik Jul 28 '20 at 12:40
  • @SridharPatnaik Thanks for your valuable input. Did you provide a user interface for your users to view audit tables or are they using an SQL client like MySQL workbench? – sanemain Jul 28 '20 at 13:35
  • @SridharPatnaik Does Jira provide extensive detail information for each action? I think what they provide is things like IP address as details. See [this page](https://marketplace.atlassian.com/apps/1214138/auditor-for-confluence?hosting=server&tab=overview) for instance. I believe, in addition to Envers, I can also provide short summaries like Jira to please the admins. – sanemain Jul 28 '20 at 13:47
  • I provided a basic interface that they are using just to see history of important entities like customer details, activity details etc. – Sridhar Patnaik Jul 28 '20 at 13:56
  • For your 2nd comment, yes. You can provide short summaries like Jira to please admins. But that has to be manually written. I don't think Envers has any such capability. Flow would be -> fetch data from Envers using vertical or horizontal querying -> identify changed fields -> fetch old value from previous version -> write code to translate to short comments – Sridhar Patnaik Jul 28 '20 at 14:00

1 Answer

0

As you already more or less realised, Envers is NOT the right tool for the job. It deals with database changes while you deal with user actions, which might not even result in a database change; for example, the "LOG IN" action you use as an example does not trigger any database change.

Options I see are either AOP on controllers or services or alternatively a HandlerInterceptor.

Jens Schauder
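
The HandlerInterceptor option from the answer above, as an added example that is not part of the original answer. It assumes Spring Boot 2.x (`javax.servlet`; on Boot 3 the package is `jakarta.servlet`); the `AuditLogConfig` class, the `AuditedAction` annotation and the `audit_log` table with its columns are hypothetical names chosen to match the table in the question.

```java
import java.lang.annotation.*;
import java.sql.Timestamp;
import java.time.Instant;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class AuditLogConfig implements WebMvcConfigurer {

    /** Hypothetical marker: put it on controller methods that count as user actions. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface AuditedAction { String value(); }

    private final JdbcTemplate jdbc;

    public AuditLogConfig(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new HandlerInterceptor() {
            @Override
            public void afterCompletion(HttpServletRequest req, HttpServletResponse res,
                                        Object handler, Exception ex) {
                if (!(handler instanceof HandlerMethod)) return;   // static resources etc.
                AuditedAction action =
                        ((HandlerMethod) handler).getMethodAnnotation(AuditedAction.class);
                if (action == null) return;                        // not an audited action
                String user = req.getUserPrincipal() != null
                        ? req.getUserPrincipal().getName() : "anonymous";
                // An unhandled exception or a 4xx/5xx status counts as a failed action.
                boolean ok = ex == null && res.getStatus() < 400;
                // DETAILS holds outcome and status only; request bodies may contain secrets.
                String details = "Result:" + (ok ? "Success" : "Failure")
                        + ", Status:" + res.getStatus();
                // Parameterized insert into the hypothetical audit_log table.
                jdbc.update("INSERT INTO audit_log "
                        + "(user_name, requested_action, request_time, details) VALUES (?, ?, ?, ?)",
                        user, action.value(), Timestamp.from(Instant.now()), details);
            }
        });
    }
}
```

A controller method is then marked with `@AuditLogConfig.AuditedAction("Create Assessment")`. If login is handled by Spring Security's form login, that request is processed in the security filter chain and never reaches a HandlerInterceptor, so "Log in" rows need a separate hook such as a listener for `AuthenticationSuccessEvent`.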