How to debug Spring Security authorization annotations?

Question

I have spring security application in which want to enable annotations security (pre and post authorization). I also have small sample application in which i have implemented it already. Everything works. But moving configs to main applications failed. There is no errors in console. But annotations do not work. It seems, they are not readed at all. All configuration and component versions are completely the same.

There are

<security:global-method-security secured-annotations="enabled" />

records in security-context and servlet-context. But neither @Controller methods no @Service methods are secured with annotation in main application.

How can i debug it?

Solved!

After switch from < global-method-security secured-annotations="enabled" /> to pre/post annotations works fine.

in working sample i see log record: INFO : org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser - Expressions were enabled. But in main application i cannot find it — Alexander, Feb 18 '15 at 10:11

score 17 · Answer 1 · answered Nov 28 '19 at 10:38

You can add to your application.yaml:

logging.level.org.springframework.security: DEBUG

Or add to application.properties:

logging.level.org.springframework.security=DEBUG

Or add to your WebSecurityConfig annotation EnableWebSecurity with debug = true:

@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  // ...
}

charybr · Accepted Answer · 2015-02-18T10:35:20.123

7

Set the log level of org.springframework.security to debug. On invoking the method with annotations, you can find log messages that indicate interceptor being applied, especially look for: DEBUG MethodSecurityInterceptor

Updated: That means there is some config difference between your sample app and main app Some pointers to look for:

the <global-method-security> tag needs to be in the same context as your Spring MVC configuration otherwise your controllers will not be post processed. Refer: http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/faq.html#faq-method-security-in-web-context
you might need pre-post-annotations="enabled", with expressionHandler set.
make sure tag <global-method-security> is in application context

edited Feb 18 '15 at 10:35

answered Feb 18 '15 at 07:53

charybr

1,888
24
29

in sample application i see MethodSecurityInterceptor and ExpressionBasedPostInvocationAdvice . but in main application there are no one of them (only intercept.FilterSecurityInterceptor). – Alexander Feb 18 '15 at 09:37
the question was, how can i debug the reasons annotations are not used. – Alexander Feb 18 '15 at 09:40
1

you are right! pre-post-annotations instead of secured works. – Alexander Feb 18 '15 at 11:25

lilalinux · Answer 3 · 2021-12-10T16:05:38.637

2

In case you just want to know, which method failed, simply set the logging level for this exception filter:

logging.level.org.springframework.security.web.access.ExceptionTranslationFilter: TRACE

It will only show the stack trace with the failed method and not spam your logs more than necessary ;-)

edited Dec 10 '21 at 16:05

answered May 05 '21 at 15:30

lilalinux

2,903
3
43
53

1

this is a good one actually, in well-maintained apps we don't want to see more than we need, I wonder why people just enable debug on the whole security package... but there are only `trace` logs, so it should be `: TRACE` – Artem Ptushkin Dec 10 '21 at 12:46

How to debug Spring Security authorization annotations?

3 Answers3