
In AbstractUserDetailsAuthenticationProvider.class we have a method, AbstractUserDetailsAuthenticationProvider.authenticate, in which a BadCredentialsException is thrown if the username is not found:

    try {
        user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
    } catch (UsernameNotFoundException notFound) {
        // the line in question: the submitted username is written to the log at DEBUG level
        logger.debug("User '" + username + "' not found");

        if (hideUserNotFoundExceptions) {
            throw new BadCredentialsException(messages.getMessage(
                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        } else {
            throw notFound;
        }
    }

What should I do if I don't want to log the error message logger.debug("User '" + username + "' not found"), as it is a security vulnerability (if a user accidentally enters their password in the username field, it gets logged)?


1 Answer

Generally, when you run your application in production you shouldn't run with the overall logging level set to debug; see this answer about which ones to use.

However, you could configure the logging level of this class to be something less verbose than debug, like info. This way it wouldn't log the User x not found entry.

To set log levels of individual classes (implementation dependent), see this answer.

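As an added illustration of the per-class override the answer describes (this is not part of the answer or of Spring Security itself), here is what it looks like in a Logback configuration. It assumes an SLF4J/Logback setup and uses the real fully qualified logger name of the class, `org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider`; the appender pattern and file name are illustrative choices.

```xml
<configuration>
    <!-- Illustrative console appender; the pattern is an assumption, not prescribed by the page. -->
    <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
            <pattern>%d{HH:mm:ss.SSS} %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>

    <!--
      Weak setting: a DEBUG root logger, as in the question. Every DEBUG statement in the
      application, including "User '...' not found" with the raw username, reaches the log.
    -->
    <root level="DEBUG">
        <appender-ref ref="CONSOLE"/>
    </root>

    <!--
      Corrected setting: pin this one class to INFO. Logback resolves the most specific
      logger name first, so this override wins over the DEBUG root and the
      "User '...' not found" statement (logged at DEBUG) is dropped, while the rest of
      the application keeps its verbosity.
    -->
    <logger name="org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider"
            level="INFO"/>
</configuration>
```

In a Spring Boot application the same override can be expressed as the property `logging.level.org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider=INFO` in application.properties. Note that this only silences the one statement the question quotes; other DEBUG output that echoes the submitted username (for example in other authentication classes or request logging) needs the same review, and a root level of INFO or WARN in production, as the answer recommends, covers all of them at once.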