Learn to enable DEBUG and TRACE level logging for spring security configuration, request processing and filter chain proxy using simple switches. Use TRACE for more extensive logging to look into a much deeper level.
1. Setting Log Levels
Spring security logs the statement under the logger name org.springframework.security. We can the log level for this logger to enable any level of logging.
For a Spring boot application, we can directly configure the log level in the properties file:
logging.level.org.springframework.security=DEBUG # Or TRACEThe YAML syntax is :
logging:
level:
org:
springframework:
security: DEBUGFor a non-Spring boot application, we can edit the logging configuration file (such as logback.xml or log4j2.xml) and set the logging level. For example, in logback.xml the following one-line configuration is enough to enable the debug logging in spring security module.
<logger name="org.springframework.security" level="DEBUG" />2. Using @EnableWebSecurity(debug = true)
The debug parameter controls debugging support for Spring Security. By default, debug is false.
This debug switch helps in logging the complete Authentication request in the logs.
@EnableWebSecurity(debug = true)
public class SecurityConfiguration
extends WebSecurityConfigurerAdapter {
}Applying the debug switch may be enabled temporarily during the development time but debug logging should never be used in the production environment. If we want to enable the switch for specific deployment profiles then we can set the following property to true in that environment.
org.springframework.security.config.annotation.web.builders.WebSecurity.debugEnabled=true3. Using Property spring.websecurity.debug
Another good option to control debugging of Spring security is using WebSecurity.debug() method. We can inject a property value of true/false to this method in runtime to control the debug logging.
In the following example, we are injecting the value of property spring.websecurity.debug in runtime. The default value is false.
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Value("${spring.websecurity.debug:false}")
boolean webSecurityDebug;
@Override
public void configure(WebSecurity web) throws Exception {
web.debug(webSecurityDebug);
}
}4. Demo
Let’s look at the logs when we enable the debug logging at spring security level using a simple test case.
@Test
void expectOKResponse_WhenPasswordIsCorrect() throws Exception {
mvc.perform(MockMvcRequestBuilders.get("/")
.with(httpBasic("user", "password")))
.andExpect(content().string("Hello World !!"));
}It will generate the following logs. A real application generates many other useful log statements, this example is just for giving you a high level of understanding.
00:46:49.345 [main] WARN o.s.s.c.a.web.builders.WebSecurity -
********************************************************************
********** Security debugging is enabled. *************
********** This may include sensitive information. *************
********** Do not use in a production system! *************
********************************************************************
Request received for GET '/':
org.springframework.mock.web.MockHttpServletRequest@351f2244
servletPath:
pathInfo:/
headers:
Authorization: Basic dXNlcjpwYXNzd29yZA==
Security filter chain: [
DisableEncodeUrlFilter
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]5. Conclusion
In this tutorial, we learned to enable the debug and trace level logging in spring security authentication and authorization. The recommended approach is to use profile-specific properties and use specified switches to ON/OFF the debug logs.
Happy Learning !!