
How can I turn on debug or trace level logging for the Spring Security SAML Sample app? Specifically, I want logging for this non-Spring Boot "Java Configuration" saml2/login sample app:
https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/saml2/login

I'm using Tomcat, and I expect to see it logging to the catalina.out log file. If it's logged somewhere else, I'll take it wherever.

What I'm not using:
I'm not using the Spring Boot samples, under /servlet/spring-boot/java/saml2.
I'm not using the old end-of-life Spring Security SAML Extension:
https://github.com/spring-projects/spring-security-saml
So, my Gradle dependencies are using the org.springframework.security:spring-security-saml2-service-provider (not the older org.springframework.security.extensions:spring-security-saml2-core).

The sample app project includes the file /resources/logback.xml, but it does not appear to be used. It's set to root level="TRACE" already, but nothing is being logged.

I saw this logged in Tomcat:

SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".

So, I added this dependency:

implementation 'org.slf4j:slf4j-simple:1.7.30'

And, for my SecurityConfiguration class I set debug in this annotation:

@EnableWebSecurity(debug = true)

Now, with those two changes I do get some logging. But, I want more. This doesn't give me any SAML details. I want to see both SAMLRequest and SAMLResponse details. I want to see who the user is and their attributes, and any errors.

For example, in the browser Spring Security was responding with a page that said "Invalid credentials" after logging in at the IdP, but nothing was being logged about it, even with debug = true set. Looking at the SAMLResponse xml from the IdP in the browser, the IdP was happy and was not reporting invalid credentials. It turned out I had old session cookies that were confusing something, and deleting my cookies cleared the error, but it would have been nice to see something about that in the logs.

Spring Security SAML uses OpenSAML, so perhaps it's not Spring Security logging that I need to turn on, but OpenSAML.

tbird
  • Does this answer your question? [How do I enable logging for Spring Security?](https://stackoverflow.com/questions/30855252/how-do-i-enable-logging-for-spring-security) – Toerktumlare May 09 '22 at 18:33
  • No. I did the `@EnableWebSecurity(debug = true)` suggested there. The application.properties change didn't do anything. – tbird May 09 '22 at 18:45
  • `logging.level.org.springframework.security=DEBUG` look at what the string looks like... you turn on logging per `PACKAGE`; this is explained in the Spring documentation. So `logging.level.mypackagename=debug` – Toerktumlare May 09 '22 at 20:23
  • I created `/resources/application.properties` and added these to no effect: `logging.level.root=DEBUG` `logging.level.org.springframework.web=DEBUG` `logging.level.org.springframework.security=DEBUG` `logging.level.org.springframework.security.saml=DEBUG` `logging.level.org.opensaml.xmlsec=TRACE`. What else do I need to do? – tbird May 09 '22 at 20:59
  • then there is clearly something in your setup and it is impossible for us to reproduce with the information given. – Toerktumlare May 09 '22 at 21:14
  • I suspect those would work if I was using Spring Boot, which I'm not. I'm using the "Java Configuration" sample as-is and Tomcat is also unmodified, so I don't know what would be special about my setup. I was hoping someone here might know or have experience with logging in the sample I'm using. – tbird May 09 '22 at 21:33

1 Answer


I got logging to work. Instead of adding the slf4j dependency, I added logback to the build.gradle file:

implementation 'ch.qos.logback:logback-classic:1.2.11'

Then the app uses the resources/logback.xml file. To that I added these tags:

<logger name="org.springframework.security" level="DEBUG"/>
<logger name="org.springframework.security.saml2" level="TRACE" />
<logger name="org.springframework.security.authentication" level="TRACE" />
<logger name="org.springframework.security.authorization" level="TRACE" />
<logger name="org.opensaml" level="INFO" />
<logger name="org.opensaml.saml" level="TRACE" />

This provides the SAML details I was hoping for.

tbird
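A complete logback.xml built around the logger entries from the answer above, added here as an example; it is not the file shipped in the sample repository. The appender, the output pattern and the root level are assumptions: a ConsoleAppender is used because Tomcat redirects stdout to catalina.out, which is where the question wanted the output. The file goes in src/main/resources so logback-classic finds it on the classpath.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>

  <!-- Tomcat captures System.out in catalina.out, so a console appender is enough. -->
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
    </encoder>
  </appender>

  <!-- Spring Security: filter chain, authentication outcome and authorization decisions. -->
  <logger name="org.springframework.security" level="DEBUG"/>
  <!-- The saml2 package is where SAMLRequest/SAMLResponse handling is logged. -->
  <logger name="org.springframework.security.saml2" level="TRACE"/>
  <logger name="org.springframework.security.authentication" level="TRACE"/>
  <logger name="org.springframework.security.authorization" level="TRACE"/>

  <!-- OpenSAML: keep the library at INFO, but trace the SAML message processing itself. -->
  <logger name="org.opensaml" level="INFO"/>
  <logger name="org.opensaml.saml" level="TRACE"/>

  <!-- Root at INFO (assumption): everything not listed above stays quiet. -->
  <root level="INFO">
    <appender-ref ref="STDOUT"/>
  </root>

</configuration>
```

Two practical points. First, the version pairing matters: logback-classic 1.2.x is built against slf4j-api 1.7.x, while logback 1.3 and later need slf4j-api 2.x, so mixing a 2.x slf4j-api with logback 1.2.11 leaves you with no binding again. Second, at TRACE these loggers write the decoded SAMLResponse, including the assertion's NameID and user attributes, into catalina.out; that is exactly what the question wanted for debugging, but it means the log now holds identity data, so protect the file accordingly and drop these loggers back to INFO once the problem is found.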