User (%u) is missing from Tomcat Access Logs when using Spring Security [duplicate]

2

6

I run a sample Spring Security (hello world) web application in Apache Tomcat 8. What I'm trying to see is the user information in the Tomcat access logs, but it looks like this information is not there. Example access log entries:

0:0:0:0:0:0:0:1 - - [06/Nov/2019:09:41:57 +0200] "GET / HTTP/1.1" 200 422
0:0:0:0:0:0:0:1 - - [06/Nov/2019:09:41:59 +0200] "GET /hello HTTP/1.1" 200 83

The access log configuration in the Tomcat server.xml is:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="common" />

pattern="common" corresponds to the Common Log Format defined by '%h %l %u %t "%r" %s %b' as it is described here. Tomcat documentation also states:

%u - Remote user that was authenticated (if any), else '-'

Is there any additional configuration that I should apply to make the user visible in the access logs?

Urbannal answered 6/11, 2019 at 7:52 Comment(0)
6

As answered, it may not work as expected

Tomcat's access log valve, this won't work, since Tomcat is unaware of Spring Security, which operates entirely within your application.

You may use a filter:

The easiest option would be to just add your own filter (e.g. in web.xml) after Spring Security, and dump the information you want

Another solution is suggested in Config9; you may need to include the username as a session attribute

Possibly this is not sufficient as common pattern already contains %u parameter. In this case I would recommend two additional steps:

1) Put user’s name into request session parameter, something like:

request.getSession().setAttribute("username", user.getName());

2) Add following parameter in access log pattern: %{username}s

server.tomcat.accesslog.pattern=%h %l %t %u %{username}s "%r" %s %b
Wegner answered 6/11, 2019 at 8:4 Comment(5)
Do you have an example of how this filter should look in order to display the user? - Urbannal
@StiliyanVasilev see code-held.com/2019/05/09/… - Wegner
I have implemented a custom filter and tried to print it in the access logs via %{username}s, and it works correctly. I also tried to print logs with LogbackValve via %reqAttribute{username}, but it returns "-". Do you know how I could get the username in the LogbackValve scenario? - Urbannal
@StiliyanVasilev I currently don't know - Wegner
@StiliyanVasilev I think you can ask a new specific question about logging using LogbackValve with session attribute - Wegner
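
The filter approach from the answer above, as an added example that is not part of the original answers: it copies the Spring Security principal name into a request attribute, logged with %{username}r in the access log pattern (the thread's %{username}s variant reads a session attribute instead), and strips control characters so a crafted username cannot forge log lines. Assumptions: Spring Security on the jakarta.servlet API (use javax.servlet on Tomcat 8/9); the class name AccessLogUsernameFilter and the attribute key are hypothetical.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical filter (class name and attribute key are assumptions): copies
 * the Spring Security principal name into a request attribute so the access
 * log valve can print it with %{username}r. Register it so that it runs
 * after the Spring Security filter chain.
 */
public class AccessLogUsernameFilter extends OncePerRequestFilter {

    static final String ATTRIBUTE = "username";
    private static final int MAX_LENGTH = 64;

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Skip anonymous requests so the log field stays "-" for them.
        if (auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken)) {
            request.setAttribute(ATTRIBUTE, sanitize(auth.getName()));
        }
        chain.doFilter(request, response);
    }

    /** Keeps the value in one log field: no control characters, whitespace or quotes. */
    static String sanitize(String name) {
        if (name == null) {
            return "-";
        }
        String cleaned = name.replaceAll("[\\p{Cntrl}\\s\"]", "_");
        return cleaned.length() > MAX_LENGTH ? cleaned.substring(0, MAX_LENGTH) : cleaned;
    }
}
```

Requests rejected inside the Spring Security chain never reach this filter, so their access log lines still show "-" in that field.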
0

As @Ori Marko says, the native web-container access logs can't display the user info since they do not have access to the Spring Security data.

I discovered this after upgrading to Spring Boot 3 - the only access logs I could find were the web-container logs (which were being written to a different location than before and didn't contain user info).

Turns out the inherited app I'm working on is using a plugin to produce access logs:

implementation group: "dev.akkinoc.spring.boot", name: "logback-access-spring-boot-starter", version: "4.2.0"

The logs from this plugin DO include the user info. The plugin is configured using the same properties as the native access logs (e.g. server.tomcat.accesslog.pattern)

However, the upgrade to Spring Boot 3 also needed this plugin to be updated. It silently stopped working.

Note also that the plugin is for logback but I'm sure there are other equivalent plugins for other logging frameworks.

Roussel answered 28/8 at 7:45 Comment(0)
