Monday, June 4, 2018

How to debug errors while using Spring Security module?

If you have ever used the Spring Security module for authentication or authorization, you already know how painful it is to debug the errors encountered while customizing Spring Web Security, i.e. when using an annotation like @EnableWebSecurity and extending the WebSecurityConfigurerAdapter base class to override individual methods. Today we will discuss three ways to debug Spring Security related errors. Each one logs more detailed information in debug mode, which in turn helps in resolving the issues.

Disclaimer: I have tried these methods in Spring Boot and they worked like a charm.

1. Turn on debug-level logging for the Spring Framework Web & Security modules

Set the properties below in your application.properties file (or the equivalent keys in application.yml).
logging.level.org.springframework.security=DEBUG
logging.level.org.springframework.web=DEBUG

2. More concerned about Filter Chain

If you are mainly interested in filter chain related log information, you can log at a more granular level by enabling debug logging for the FilterChainProxy class only.
#application.yml
logging:
  level:
    org:
      springframework:
        security:
          web:
            FilterChainProxy: DEBUG

or #application.properties
logging.level.org.springframework.security.web.FilterChainProxy=DEBUG

3. Additional Filter logs specific to a particular request 

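If you would like to see which filters are applied to a particular request, you can also set the debug flag to true in the @EnableWebSecurity annotation.
@EnableWebSecurity(debug = true)
For reference, here is the resulting log output. It prints the request's headers (the session cookie among them) followed by the security filter chain applied to the request: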
************************************************************

Request received for GET '/oauth/token':

org.apache.catalina.connector.RequestFacade@2a27c195

servletPath:/oauth/token
pathInfo:null
headers: 
host: localhost:8060
connection: keep-alive
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: _ga=GA1.1.46570692.1519211292; JSESSIONID=2BDB6DDBCD404F240AF3DB3331C25BF4


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  BasicAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************
Keep in mind that the order and number of filters in the filter chain depend on what we declare in our security configuration class. For example, calling http.anonymous().disable() in the class extending WebSecurityConfigurerAdapter excludes AnonymousAuthenticationFilter from the filter chain.
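
The configuration described above, as an added example that is not code from the original post: a WebSecurityConfigurerAdapter subclass that disables anonymous authentication and switches the request-level debug output through a property instead of hard-coding debug = true. The class name DebuggableSecurityConfig and the property name app.security.debug are assumptions made for this illustration.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name, used only for this example.
@EnableWebSecurity
public class DebuggableSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical property name. Defaults to false, so the request dump
    // (headers, cookies, filter list) is only written when a developer
    // explicitly sets app.security.debug=true for a local run.
    @Value("${app.security.debug:false}")
    private boolean securityDebug;

    @Override
    public void configure(WebSecurity web) {
        // Same switch that @EnableWebSecurity(debug = true) turns on,
        // but controlled per environment instead of at compile time.
        web.debug(securityDebug);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Removes AnonymousAuthenticationFilter from the chain; with
            // debug enabled, it no longer appears in "Security filter chain".
            .anonymous().disable()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // Adds BasicAuthenticationFilter to the chain.
            .httpBasic();
    }
}
```

Starting the application once with app.security.debug=true and comparing the printed "Security filter chain" list against the one shown above makes the effect of each configuration call visible.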

Happy Learning!! Hoping that now you will play with these debug-level logs and resolve your Spring Security related errors in less time.