1. Overview
When using Spring Security, we may need to log to a higher level than the default one. We may need to check, for example, users’ roles or how endpoints are secured. Or maybe we also need more info about authentication or authorization, for example, to see why a user fails to access an endpoint.
In this short tutorial, we’ll see how to modify the Spring Security logging level.
Like any Spring or Java application, we can use a logger library and define a logging level for the Spring Security modules.
Typically, we can write in our configuration file something like:
<logger name="org.springframework.security" level="DEBUG" />
However, if we’re running a Spring Boot application, we can configure this in our application.properties file:
logging.level.org.springframework.security=DEBUG
Likewise, we can use the yaml syntax:
logging:
level:
org:
springframework:
security: DEBUG
This way, we can check out logs about the Authentication or the Filter Chain. Moreover, we can even use the trace level for deeper debugging.
Additionally, Spring Security offers the possibility to log specific info about requests and applied filters:
@EnableWebSecurity
public class SecurityConfig {
@Value("${spring.websecurity.debug:false}")
boolean webSecurityDebug;
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.debug(webSecurityDebug);
}
// ...
}
3. Log Samples
Finally, to test our application, let’s define a simple controller:
@Controller
public class LoggingController {
@GetMapping("/logging")
public ResponseEntity<String> logging() {
return new ResponseEntity<>("logging/baeldung", HttpStatus.OK);
}
}
If we hit the /logging endpoint, we can check our logs:
2022-02-10 21:30:32.104 DEBUG 5489 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorized filter invocation [GET /logging] with attributes [permitAll]
2022-02-10 21:30:32.105 DEBUG 5489 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Secured GET /logging
2022-02-10 21:30:32.141 DEBUG 5489 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
2022-02-10 21:30:32.146 DEBUG 5489 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
Request received for GET '/logging':
org.apache.catalina.connector.RequestFacade@78fe74c6
servletPath:/logging
pathInfo:null
headers:
host: localhost:8080
connection: keep-alive
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en,it;q=0.9,en-US;q=0.8
cookie: PGADMIN_LANGUAGE=en; NX-ANTI-CSRF-TOKEN=0.7130543323088452; _ga=GA1.1.1440105797.1623675414; NXSESSIONID=bec8cae2-30e2-4ad4-9333-cba1af5dc95c; JSESSIONID=1C7CD365F521609AD887B3D6C2BE26CC
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
4. Conclusion
In this article, we looked at a few options to enable a different logging level for Spring Security.
We’ve seen how to use a debug level for the Spring Security modules. Also, we’ve seen how to log specific info about single requests.
As always, the code for these examples is available over on GitHub.
