Enable Debug Logging for Spring Security

Learn to enable DEBUG and TRACE level logging for spring security configuration, request processing and filter chain proxy using simple switches. Use TRACE for more extensive logging to look into a much deeper level.

1. Setting Log Levels

Spring security logs the statement under the logger name org.springframework.security. We can the log level for this logger to enable any level of logging.

For a Spring boot application, we can directly configure the log level in the properties file:

logging.level.org.springframework.security=DEBUG  # Or TRACE

The YAML syntax is :

logging:
  level:
    org:
      springframework:
        security: DEBUG

For a non-Spring boot application, we can edit the logging configuration file (such as logback.xml or log4j2.xml) and set the logging level. For example, in logback.xml the following one-line configuration is enough to enable the debug logging in spring security module.

<logger name="org.springframework.security" level="DEBUG" />

2. Using @EnableWebSecurity(debug = true)

The debug parameter controls debugging support for Spring Security. By default, debug is false.

This debug switch helps in logging the complete Authentication request in the logs.

@EnableWebSecurity(debug = true)
public class SecurityConfiguration 
	extends WebSecurityConfigurerAdapter {
	
}

Applying the debug switch may be enabled temporarily during the development time but debug logging should never be used in the production environment. If we want to enable the switch for specific deployment profiles then we can set the following property to true in that environment.

org.springframework.security.config.annotation.web.builders.WebSecurity.debugEnabled=true

3. Using Property spring.websecurity.debug

Another good option to control debugging of Spring security is using WebSecurity.debug() method. We can inject a property value of true/false to this method in runtime to control the debug logging.

In the following example, we are injecting the value of property spring.websecurity.debug in runtime. The default value is false.

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Value("${spring.websecurity.debug:false}")
    boolean webSecurityDebug;

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.debug(webSecurityDebug);
    }
}

4. Demo

Let’s look at the logs when we enable the debug logging at spring security level using a simple test case.

@Test
void expectOKResponse_WhenPasswordIsCorrect() throws Exception {
    mvc.perform(MockMvcRequestBuilders.get("/")
                    .with(httpBasic("user", "password")))
            .andExpect(content().string("Hello World !!"));
}

It will generate the following logs. A real application generates many other useful log statements, this example is just for giving you a high level of understanding.

00:46:49.345 [main] WARN  o.s.s.c.a.web.builders.WebSecurity - 

********************************************************************
**********        Security debugging is enabled.       *************
**********    This may include sensitive information.  *************
**********      Do not use in a production system!     *************
********************************************************************

Request received for GET '/':

org.springframework.mock.web.MockHttpServletRequest@351f2244

servletPath:
pathInfo:/
headers: 
Authorization: Basic dXNlcjpwYXNzd29yZA==


Security filter chain: [
  DisableEncodeUrlFilter
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  BasicAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

5. Conclusion

In this tutorial, we learned to enable the debug and trace level logging in spring security authentication and authorization. The recommended approach is to use profile-specific properties and use specified switches to ON/OFF the debug logs.

Happy Learning !!