How to debug Spring Security authorization annotations?

4

19

I have a Spring Security application in which I want to enable annotation security (pre- and post-authorization). I also have a small sample application in which I have already implemented it. Everything works. But moving the configs to the main application failed. There are no errors in the console, but the annotations do not work. It seems they are not read at all. All configuration and component versions are completely the same.

There are

<security:global-method-security secured-annotations="enabled" /> 

records in security-context and servlet-context. But neither @Controller methods nor @Service methods are secured with annotations in the main application.

How can I debug it?

Solved!

After switching from <global-method-security secured-annotations="enabled" /> to pre/post annotations, it works fine.

Copybook answered 18/2, 2015 at 7:31 Comment(2)
In the working sample I see the log record: INFO : org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser - Expressions were enabled. But in the main application I cannot find it. - Copybook
STS marks the <security:global-method-security secured-annotations="enabled" /> line with "5 Spring AOP marker at this line". - Copybook
8

Set the log level of org.springframework.security to debug. On invoking the method with annotations, you can find log messages that indicate the interceptor being applied; look especially for: DEBUG MethodSecurityInterceptor

Updated: That means there is some config difference between your sample app and main app. Some pointers to look for:

Utilitarian answered 18/2, 2015 at 7:53 Comment(3)
In the sample application I see MethodSecurityInterceptor and ExpressionBasedPostInvocationAdvice, but in the main application there is neither of them (only intercept.FilterSecurityInterceptor). - Copybook
The question was how I can debug the reasons annotations are not used. - Copybook
You are right! pre-post-annotations instead of secured works. - Copybook
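
The check discussed in this answer (is a MethodSecurityInterceptor applied at all?) can also be run at startup instead of read from the logs. The following is an added example, not code from the thread or from Spring Security: a hypothetical `MethodSecurityAudit` listener that lists beans whose methods carry `@PreAuthorize`, `@PostAuthorize` or `@Secured` but whose proxy has no `MethodSecurityInterceptor`. It assumes the default proxy-based method security that `<security:global-method-security>` sets up; the class name is an assumption.

```java
import java.lang.reflect.Method;
import org.springframework.aop.Advisor;
import org.springframework.aop.framework.Advised;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;

// Hypothetical diagnostic listener: reports beans whose public methods carry a security
// annotation but that are not proxied with a MethodSecurityInterceptor.
public class MethodSecurityAudit implements ApplicationListener<ContextRefreshedEvent> {
    @Override
    public void onApplicationEvent(ContextRefreshedEvent event) {
        ApplicationContext ctx = event.getApplicationContext();
        // Singleton beans defined in this context only (ancestor contexts are not included).
        for (String name : ctx.getBeanNamesForType(Object.class, false, false)) {
            Object bean = ctx.getBean(name);
            Class<?> target = AopUtils.getTargetClass(bean);
            if (hasSecurityAnnotation(target) && !isIntercepted(bean)) {
                System.err.printf("[%s] %s (%s): annotated but NOT intercepted%n",
                        ctx.getDisplayName(), name, target.getName());
            }
        }
    }

    private static boolean hasSecurityAnnotation(Class<?> type) {
        for (Method m : type.getMethods()) {
            if (AnnotationUtils.findAnnotation(m, PreAuthorize.class) != null
                    || AnnotationUtils.findAnnotation(m, PostAuthorize.class) != null
                    || AnnotationUtils.findAnnotation(m, Secured.class) != null) {
                return true;
            }
        }
        return false;
    }

    private static boolean isIntercepted(Object bean) {
        if (!(bean instanceof Advised)) return false; // not an AOP proxy at all
        for (Advisor advisor : ((Advised) bean).getAdvisors()) {
            if (advisor.getAdvice() instanceof MethodSecurityInterceptor) return true;
        }
        return false;
    }
}
```

Declare it as a bean in the root context; refresh events from the servlet context are also delivered to listeners in the parent, so the beans of both contexts are checked. A bean that mixes an enabled annotation type with a disabled one is still proxied and will not be flagged.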
18

You can add to your application.yaml:

logging.level.org.springframework.security: DEBUG

Or add to application.properties:

logging.level.org.springframework.security=DEBUG

Or add the @EnableWebSecurity annotation with debug = true to your WebSecurityConfig:

@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  // ...
}
Greave answered 28/11, 2019 at 10:38 Comment(0)
2

In case you just want to know which method failed, simply set the logging level for this exception filter:

logging.level.org.springframework.security.web.access.ExceptionTranslationFilter: TRACE

It will only show the stack trace with the failed method and not spam your logs more than necessary ;-)

Dickenson answered 5/5, 2021 at 15:30 Comment(1)
This is a good one actually; in well-maintained apps we don't want to see more than we need. I wonder why people just enable debug on the whole security package... but there are only trace logs, so it should be: TRACE - Iinde
1

Yes, logging.level.org.springframework.security: DEBUG in application is good, but it was not enough in my case. I wanted to see variable types and other details. Here is what I did.

I created the file

package com.mycompany.myproject.security;

public final class CheckAuthorization {

    public static boolean check(Object obj1, Object obj2) {
        // Put a breakpoint here (in the next line) and run the application in debug mode
        return true;
    }
}

Then, in my controller, I put

    @PreAuthorize("T(com.mycompany.myproject.security.CheckAuthorization).check(authentication.principal, #request)")
    @GetMapping
    PageResponse<FormUpdateDto> list(@Valid FormListRequestDto request);

Interacting with the endpoint, I was able to see the types and other details. You can then change the preauthorize back again.

Margarettemargarida answered 23/2 at 22:12 Comment(0)
