Request body is empty when no authentication is present for secure APIs

Question

I am trying to log the request body on all requests in a spring boot reactive application secured with spring security. But I am running into an issue where the request body is logged only if the basic auth header is present (even if the username and password are invalid). But if no auth header is present the request body does not get logged. I am unsure what I am missing and would like to find out how I maybe able to get access to the request body for cases where there is no authentication header present.

The request body logging is done using an authentication entry point set on HttpBasicSpec. The security configuration looks as follows:

@Configuration
@EnableWebFluxSecurity
class SecurityConfiguration {

    private val logger = LoggerFactory.getLogger(this::class.java)

    @Bean
    fun securityConfigurationBean(http: ServerHttpSecurity) =
        http.csrf().disable()
                .cors().disable()
                .httpBasic()
                .authenticationEntryPoint { exchange, _ ->
                    exchange.request.body
                            .subscribe { logger.info(CharsetUtil.UTF_8.decode(it.asByteBuffer()).toString()) }
                            .let { Mono.error(HttpServerErrorException(HttpStatus.UNAUTHORIZED)) }
                }.and().authorizeExchange().anyExchange().authenticated().and().build()
}

There is a test router config that has a one route:

@Configuration
class TestRouterConfig {

    @Bean
    fun testRoutes() =
            router {
                POST("/test") {
                    ServerResponse.ok().bodyValue("This is a test route")
                }
            }
}

When I make a request to http:localhost:8080/test with a request body of

{"sample": "sample"}

with an invalid username and password in the basic auth header, I see the following in the console:

2019-12-06 11:51:18.175  INFO 11406 --- [ctor-http-nio-2] uration$$EnhancerBySpringCGLIB$$5b5f0067 : {"sample": "sample"}

But when I remove authentication all together I don't see the above logging statement for the same endpoint (I am using a rest client to make these calls).

The versions of tools/frameworks/languages:

Kotlin: 1.3.50

Spring boot: 2.2.1

Java: 12

Gradle: 5.6.4

Spring dependency management: 1.0.8.RELEASE

I would like to be able to log the request body for all requests that result in an authentication failure including the absence of an authentication header and would appreciate any help in this regard. My apologies if this has been discussed/posted elsewhere.

Thank you!

i don't know kotlin but I think your problem resides in the fact that your log statement is inside `authenticationEntryPoint` that is called when your authentication process starts. So if you send a request without basic auth data, Spring understand that the auth process can't start and it does not enter in the `authenticationEntryPoint`. Investigating in this direction could be a good way to solve your problem — firegloves, Dec 06 '19 at 08:51
Thank you! I also tried adding an authenticationFilter to the ExceptionHandlingSpec but that did not seem to print the body either. So I am not sure how to hook into spring security's ecosystem so that I can access the request body. — Janani Subbiah, Dec 06 '19 at 12:49
look at this https://www.baeldung.com/spring-security-custom-filter — firegloves, Dec 06 '19 at 13:37
I will definitely let you know if I find a solution! I have a logger webfilter that logs responses twice if I try to change the order of execution. I am just looking for a way to capture the request body when there is an exception (for logging it). I would have thought that irrespective of the auth header (including if the auth header is present or not), the request body would be available but I am obviously missing something :( — Janani Subbiah, Dec 09 '19 at 03:53

Request body is empty when no authentication is present for secure APIs

0 Answers0