I am setting up Spring Security to handle logging users in. I have logged in as a user, and am taken to an Access Denied error page upon successful login. I don't know what roles my user has actually been assigned, or the rule that causes access to be denied, because I can't figure out how to enable debugging for the Spring Security library.
My security xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans ... >
    <!-- security -->
    <security:debug/><!-- doesn't seem to be working -->
    <security:http auto-config="true">
        <security:intercept-url pattern="/Admin**" access="hasRole('PROGRAMMER') or hasRole('ADMIN')"/>
        <security:form-login login-page="/Load.do"
            default-target-url="/Admin.do?m=loadAdminMain"
            authentication-failure-url="/Load.do?error=true"
            username-parameter="j_username"
            password-parameter="j_password"
            login-processing-url="/j_spring_security_check"/>
        <security:csrf/><!-- enable Cross Site Request Forgery protection -->
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="loginDataSource"
                users-by-username-query="SELECT username, password, active FROM userinformation WHERE username = ?"
                authorities-by-username-query="
                    SELECT ui.username, r.rolename
                    FROM role r, userrole ur, userinformation ui
                    WHERE ui.username=?
                    AND ui.userinformationid = ur.userinformationid
                    AND ur.roleid = r.roleid
                "
            />
            <security:password-encoder hash="md5"/>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
I've also tried adding log4j.logger.org.springframework.security=DEBUG to my log4j.properties.
How can I get debug output for Spring Security?
In the case of logging, the only mandatory dependency is Apache Commons Logging. We need to import it only when using Spring 4.x (Spring Boot 1.x) since it's provided by Spring Framework's spring-jcl module in Spring 5 (Spring Boot 2.
Method-level security is implemented by placing the @PreAuthorize annotation on controller methods (actually one of a set of annotations available, but the most commonly used). This annotation contains a Spring Expression Language (SpEL) snippet that is assessed to determine if the request should be authenticated.
Spring Boot uses Commons Logging for all internal logging but leaves the underlying log implementation open. Default configurations are provided for Java Util Logging, Log4J2, and Logback. In each case, loggers are pre-configured to use console output with optional file output also available.
Assuming you're using Spring Boot, another option is to put the following in your application.properties:
logging.level.org.springframework.security=DEBUG
This is the same for most other Spring modules as well.
If you're not using Spring Boot, try setting the property in your logging configuration, e.g. logback.
Here is the application.yml version as well:
logging:
  level:
    org:
      springframework:
        security: DEBUG
You can easily enable debugging support using an option for the @EnableWebSecurity annotation:
@EnableWebSecurity(debug = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    …
}
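For the non-Spring-Boot case mentioned above, a logback.xml along these lines makes both kinds of output visible (an added example, not from the original question or answers). The appender name, the pattern and the WARN root level are assumptions, and it assumes Commons Logging is routed to Logback, for example through jcl-over-slf4j.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: logback.xml for an application that does not use Spring Boot.
     Appender name, pattern and root level are assumptions. -->
<configuration>
  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <pattern>%d{HH:mm:ss.SSS} %-5level [%thread] %logger{40} - %msg%n</pattern>
    </encoder>
  </appender>

  <!-- Filter chain, authentication and access-decision messages,
       including which authorities were loaded for the user -->
  <logger name="org.springframework.security" level="DEBUG"/>

  <!-- The request dumps produced by <security:debug/> and
       @EnableWebSecurity(debug = true) are written at INFO to a logger with
       this literal name, so a stricter root level would otherwise hide them -->
  <logger name="Spring Security Debugger" level="INFO"/>

  <root level="WARN">
    <appender-ref ref="CONSOLE"/>
  </root>
</configuration>
```

The debug filter's request dumps include headers and session identifiers, so keep this configuration to development environments.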