如何为Spring Security启用日志记录?

时间:2015-06-15 21:28:19

标签: debugging spring-security

我正在设置Spring Security来处理日志记录用户。我已经以用户身份登录,并在成功登录后被带到Access Denied错误页面。我不知道我的用户实际分配了什么角色,或者导致访问被拒绝的规则,因为我无法弄清楚如何为Spring Security库启用调试。

我的安全xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans ... >
    <!-- security -->

    <security:debug/><!-- doesn't seem to be working -->

    <security:http auto-config="true">

        <security:intercept-url pattern="/Admin**" access="hasRole('PROGRAMMER') or hasRole('ADMIN')"/>
        <security:form-login login-page="/Load.do"
            default-target-url="/Admin.do?m=loadAdminMain"
            authentication-failure-url="/Load.do?error=true"
            username-parameter="j_username"
            password-parameter="j_password"
            login-processing-url="/j_spring_security_check"/>
        <security:csrf/><!-- enable Cross Site Request Forgery protection -->
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="loginDataSource"
                users-by-username-query="SELECT username, password, active FROM userinformation WHERE username = ?"
                authorities-by-username-query="
                    SELECT ui.username, r.rolename 
                    FROM role r, userrole ur, userinformation ui 
                    WHERE ui.username=? 
                    AND ui.userinformationid = ur.userinformationid 
                    AND ur.roleid = r.roleid "
            />
            <security:password-encoder hash="md5"/>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

我还尝试将log4j.logger.org.springframework.security=DEBUG添加到我的log4j.properties

如何获得Spring Security的调试输出?

7 个答案:

答案 0 :(得分:78)

另一种选择是将以下内容放入application.properties

logging.level.org.springframework.security=DEBUG

对于大多数其他Spring模块也是如此。

答案 1 :(得分:43)

您可以使用@EnableWebSecurity注释的选项轻松启用调试支持:

@EnableWebSecurity(debug = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    …
}

答案 2 :(得分:21)

使用Spring的DebugFilter进行基本调试可以这样配置:

@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.debug(true);
    }
}

答案 3 :(得分:4)

您可以使用@EnableWebSecurity批注的选项轻松启用调试支持:

@EnableWebSecurity(debug = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    …
}

如果需要特定于配置文件的控制,请在 application- {profile} .properties 文件

org.springframework.security.config.annotation.web.builders.WebSecurity.debugEnabled=false

获取详细信息:http://www.bytefold.com/enable-disable-profile-specific-spring-security-debug-flag/

答案 4 :(得分:1)

我们可以随时通过以下配置检查 Spring Security 中注册的过滤器

  1. @EnableWebSecurity(debug=true) - 我们需要启用安全细节的调试
  2. 通过在 application.properties 中添加以下属性来启用详细信息日志记录 logging.level.org.springframework.security.web.FilterChainProxy=DEBUG

下面提到在身份验证流程中执行的 Spring Security 的一些内部过滤器:

Security filter chain: [
  CharacterEncodingFilter
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  X509AuthenticationFilter
  UsernamePasswordAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  RememberMeAuthenticationFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

答案 5 :(得分:0)

从5.4.0-M2版本开始(如@bzhu在评论How do I enable logging for Spring Security?中提到的那样),现在可以使用webflux反​​应式应用程序的春季安全日志记录

直到将其发布到GA版本中,这就是如何在Gradle中获得此里程碑版本的方法

repositories {
    mavenCentral()
    if (!version.endsWith('RELEASE')) {
        maven { url "https://repo.spring.io/milestone" }
    }
}

// Force earlier milestone release to get securing logging preview
// https://docs.spring.io/spring-security/site/docs/current/reference/html5/#getting-gradle-boot
// https://github.com/spring-projects/spring-security/pull/8504
// https://github.com/spring-projects/spring-security/releases/tag/5.4.0-M2
ext['spring-security.version']='5.4.0-M2'
dependencyManagement {
    imports {
        mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
    }

}

答案 6 :(得分:-7)

默认情况下,Spring Security会在登录后将用户重定向到他最初请求的URL(在您的情况下为/Load.do)。

您可以将always-use-default-target设置为true以禁用此行为:

 <security:http auto-config="true">

    <security:intercept-url pattern="/Admin**" access="hasRole('PROGRAMMER') or hasRole('ADMIN')"/>
    <security:form-login login-page="/Load.do"
        default-target-url="/Admin.do?m=loadAdminMain"
        authentication-failure-url="/Load.do?error=true"
        always-use-default-target = "true"
        username-parameter="j_username"
        password-parameter="j_password"
        login-processing-url="/j_spring_security_check"/>
    <security:csrf/><!-- enable Cross Site Request Forgery protection -->
</security:http>
相关问题
最新问题