I want to log the userId in the HTTP access log. What I have in mind is:
- In the onRequestStart() authenticate the user and push the userId:
getPageContext().getHttpServletRequest().getSession().setAttribute("username", session.userId) - update the access log pattern to something like
%h %l "%{username}s" %{yyyy-MM-dd HH:mm:ss.sss}t "%r" %s %b %I %D %F "%{X-Amzn-Trace-Id}i"
This is the pattern I use in Java applications, but I am not entirely sure about the request life cycle in Lucee so I don’t know if there is anything I should keep in mind. Would it be better to store the attribute on the HttpServletRequest itself instead of on the HttpSession?
We have no functionality that actually uses the username from the Java session, so even if the wrong name is present I do not think it would be a security risk.