I run a sample Spring Security (hello world) web application in Apache Tomcat 8. What I'm trying to see is the user information in the Tomcat access logs, but it looks like this information is not there. Example access log entries:

0:0:0:0:0:0:0:1 - - [06/Nov/2019:09:41:57 +0200] "GET / HTTP/1.1" 200 422
0:0:0:0:0:0:0:1 - - [06/Nov/2019:09:41:59 +0200] "GET /hello HTTP/1.1" 200 83

The access log configuration in the Tomcat server.xml is:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="common" />

pattern="common" corresponds to the Common Log Format defined by '%h %l %u %t "%r" %s %b' as it is described here. Tomcat documentation also states:

%u - Remote user that was authenticated (if any), else '-'

Is there any additional configuration that I should apply to make the user visible in the access logs?

Ori Marko
Stiliyan Vasilev

1 Answer

As answered, it may not work as expected

Tomcat's access log valve, this won't work, since Tomcat is unaware of Spring Security, which operates entirely within your application.

You may use a filter:

The easiest option would be to just add your own filter (e.g. in web.xml) after Spring Security, and dump the information you want

Another solution is suggested in Config9; you may need to include the username as a session attribute

Possibly this is not sufficient as common pattern already contains %u parameter. In this case I would recommend two additional steps:

1) Put user’s name into request session parameter, something like:

request.getSession().setAttribute("username", user.getName());

2) Add following parameter in access log pattern: %{username}s

server.tomcat.accesslog.pattern=%h %l %t %u %{username}s "%r" %s %b
Ori Marko
  • Do you have an example of how this filter should look in order to display to user? – Stiliyan Vasilev Nov 06 '19 at 08:27
  • @StiliyanVasilev see https://code-held.com/2019/05/09/custom-authentication-with-spring-security/ – Ori Marko Nov 06 '19 at 08:33
  • I have implemented a custom filter and tried to print it in the access logs via %{username}s and it works correctly. I also tried to print logs with LogbackValve via %reqAttribute{username}, but it returns "-". Do you know how I could get the username in the LogbackValve scenario? – Stiliyan Vasilev Nov 06 '19 at 13:47
  • @StiliyanVasilev I currently don't know – Ori Marko Nov 06 '19 at 13:53
  • @StiliyanVasilev I think you can ask a new specific question about logging using LogbackValve with session attribute – Ori Marko Nov 07 '19 at 11:04
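
The filter approach from the answer, as an added example that is not code from the original posts: a servlet filter that copies the Spring Security principal name into the `username` session attribute read by `%{username}s`. The class name `AccessLogUserFilter`, the `sanitize` helper and the 64-character cap are assumptions made for illustration; the code uses the `javax.servlet` API that Tomcat 8 provides and must be mapped after `springSecurityFilterChain` so the security context is already populated.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical filter; map it in web.xml AFTER springSecurityFilterChain. */
public class AccessLogUserFilter implements Filter {

    // Attribute name matching the %{username}s pattern used on this page.
    static final String ATTR = "username";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (req instanceof HttpServletRequest && auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken)) {
            // getSession(false): never create a session only to log a name.
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            if (session != null) {
                session.setAttribute(ATTR, sanitize(auth.getName()));
            }
        }
        chain.doFilter(req, res);
    }

    /** Keeps one log entry on one line: replaces control chars, whitespace and quotes. */
    static String sanitize(String name) {
        if (name == null) return "-";
        String clean = name.replaceAll("[\\p{Cntrl}\\s\"]", "_");
        return clean.length() > 64 ? clean.substring(0, 64) : clean; // assumed cap
    }

    @Override
    public void destroy() { }
}
```

Requests that carry no session (for example a stateless API) leave the attribute unset, so the access log shows `-` for them.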