Introduction
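If you have used Spring Security before, you will likely have enabled the debug mode at some point:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

    @Configuration
    @EnableWebSecurity(debug = true) // debug mode is hard-coded in the annotation
    public class WebSecurityConfiguration {
        // remaining configuration omitted
    }
Start the application and you will see the following logs: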
2023-07-14T23:13:12.247+08:00 INFO 17416 --- [ restartedMain] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 2822 ms
2023-07-14T23:13:12.546+08:00 WARN 17416 --- [ restartedMain] .s.s.UserDetailsServiceAutoConfiguration :
Using generated security password: e636b35a-35c2-4df8-8404-8a51eb3bfdaa
This generated password is for development use only. Your security configuration must be updated before running your application in production.
2023-07-14T23:13:12.721+08:00 INFO 17416 --- [ restartedMain] o.s.s.web.DefaultSecurityFilterChain : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@4c6333b3, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7e78bb13, org.springframework.security.web.context.SecurityContextHolderFilter@500ccd39, org.springframework.security.web.header.HeaderWriterFilter@67b36e1e, org.springframework.security.web.csrf.CsrfFilter@547cf6f9, org.springframework.security.web.authentication.logout.LogoutFilter@6af43e35, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@784d6d5e, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@3e7757, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@55145899, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5aed1894, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@49d3c0d7, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@62359ec7, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@22520f84, org.springframework.security.web.access.ExceptionTranslationFilter@394bab9, org.springframework.security.web.access.intercept.AuthorizationFilter@665a6be5]
2023-07-14T23:13:12.754+08:00 WARN 17416 --- [ restartedMain] o.s.s.c.a.web.builders.WebSecurity :
********************************************************************
********** Security debugging is enabled. *************
********** This may include sensitive information. *************
********** Do not use in a production system! *************
********************************************************************
2023-07-14T23:13:13.188+08:00 INFO 17416 --- [ restartedMain] o.s.b.d.a.OptionalLiveReloadServer : LiveReload server is running on port 35729
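What if you want to toggle the debug mode programmatically? That is difficult to do, since it is configured at the annotation level. Is there any other way to configure it? Fortunately, yes! By using a WebSecurityCustomizer bean:
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfiguration {
        @Bean
        public WebSecurityCustomizer webSecurityCustomizer() {
            // Same effect as @EnableWebSecurity(debug = true), but set in code
            return (web) -> web.debug(true);
        }
    }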
That's great. Can it be better, such as toggling it via properties?
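    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfiguration {
        // Bound from the web.security.debug property
        @Value("${web.security.debug}")
        private boolean enableDebug;

        @Bean
        public WebSecurityCustomizer webSecurityCustomizer() {
            return (web) -> web.debug(enableDebug);
        }
    }
In application.properties, define the following property: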
web.security.debug=true
In production, it can just as easily be toggled via an environment variable:
WEB_SECURITY_DEBUG: false
Conclusion
We looked at how to simplify toggling Spring Security's debug mode through a property or an environment variable.
This is quite useful for me, as it reduces a chunk of logs when not required to see the extra information during runtime.
Source Code
As usual, the full source code is available on GitHub