How do I enable logging for Spring Security?

Debugging Problem Overview

I am setting up Spring Security to handle logging users in. I have logged in as a user, and am taken to an Access Denied error page upon successful login. I don't know what roles my user has actually been assigned, or the rule that causes access to be denied, because I can't figure out how to enable debugging for the Spring Security library.

My security xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans ... >
    <!-- security -->
	
	<security:debug/><!-- doesn't seem to be working -->
	
	<security:http auto-config="true">
		
		<security:intercept-url pattern="/Admin**" access="hasRole('PROGRAMMER') or hasRole('ADMIN')"/>
		<security:form-login login-page="/Load.do"
			default-target-url="/Admin.do?m=loadAdminMain"
			authentication-failure-url="/Load.do?error=true"
			username-parameter="j_username"
			password-parameter="j_password"
			login-processing-url="/j_spring_security_check"/>
		<security:csrf/><!-- enable Cross Site Request Forgery protection -->
	</security:http>
	
	<security:authentication-manager>
		<security:authentication-provider>
			<security:jdbc-user-service data-source-ref="loginDataSource"
				users-by-username-query="SELECT username, password, active FROM userinformation WHERE username = ?"
				authorities-by-username-query="
					SELECT ui.username, r.rolename 
					FROM role r, userrole ur, userinformation ui 
					WHERE ui.username=? 
					AND ui.userinformationid = ur.userinformationid 
					AND ur.roleid = r.roleid "
			/>
			<security:password-encoder hash="md5"/>
		</security:authentication-provider>
	</security:authentication-manager>
</beans>

I've also tried adding log4j.logger.org.springframework.security=DEBUG to my log4j.properties

How can I get debug output for Spring Security?

Debugging Solutions

Solution 1 - Debugging

Assuming you're using Spring Boot, another option is to put the following in your application.properties:

logging.level.org.springframework.security=DEBUG

This is the same for most other Spring modules as well.

If you're not using Spring Boot, try setting the property in your logging configuration, e.g. logback.

Here is the application.yml version as well:

logging:
  level:
    org:
      springframework:
        security: DEBUG

Solution 2 - Debugging

You can easily enable debugging support using an option for the @EnableWebSecurity annotation:

@EnableWebSecurity(debug = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    …
}

Solution 3 - Debugging

Basic debugging using Spring's DebugFilter can be configured like this:

@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {



@Override
public void configure(WebSecurity web) throws Exception {
	web.debug(true);
}




}
}

Solution 4 - Debugging

You can easily enable debugging support using an option for the @EnableWebSecurity annotation:

@EnableWebSecurity(debug = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    …
}

If you need profile-specific control the in your application-{profile}.properties file

org.springframework.security.config.annotation.web.builders.WebSecurity.debugEnabled=false

Get Detailed Post: http://www.bytefold.com/enable-disable-profile-specific-spring-security-debug-flag/

Solution 5 - Debugging

We can always check the registered filters inside Spring Security with the below configuration

@EnableWebSecurity(debug=true) - We need to enable the debugging of the security details
Enable logging of the details by adding the below property in the application.properties logging.level.org.springframework.security.web.FilterChainProxy=DEBUG

Below mentioning some of the internal filters of Spring Security that gets executed in the authentication flow:

Security filter chain: [
  CharacterEncodingFilter
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  X509AuthenticationFilter
  UsernamePasswordAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  RememberMeAuthenticationFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

Solution 6 - Debugging

Spring security logging for webflux reactive apps is now available starting with version 5.4.0-M2 (as mentionned by @bzhu in comment https://stackoverflow.com/questions/30855252/how-do-i-enable-logging-for-spring-security#comment103321961_47729991)

Until this gets into a GA release, here is how to get this milestone release in gradle

repositories {
    mavenCentral()
    if (!version.endsWith('RELEASE')) {
        maven { url "https://repo.spring.io/milestone" }
    }
}

// Force earlier milestone release to get securing logging preview
// https://docs.spring.io/spring-security/site/docs/current/reference/html5/#getting-gradle-boot
// https://github.com/spring-projects/spring-security/pull/8504
// https://github.com/spring-projects/spring-security/releases/tag/5.4.0-M2
ext['spring-security.version']='5.4.0-M2'
dependencyManagement {
    imports {
        mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
    }

}

Content Type	Original Author	Original Content on Stackoverflow
Question	Martin	View Question on Stackoverflow
Solution 1 - Debugging	delucasvb	View Answer on Stackoverflow
Solution 2 - Debugging	Michael Piefel	View Answer on Stackoverflow
Solution 3 - Debugging	Chris Suszyński	View Answer on Stackoverflow
Solution 4 - Debugging	Ankit Katiyar	View Answer on Stackoverflow
Solution 5 - Debugging	sarath	View Answer on Stackoverflow
Solution 6 - Debugging	Guillaume Berche	View Answer on Stackoverflow