# Spring Security: Configure debug mode programmatically

# Introduction

If you have used Spring Security before, you will likely enable the debug mode at some point

```java
@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfiguration {
    // omit
}
```

Start the application and you will see the following logs

```plaintext
2023-07-14T23:13:12.247+08:00  INFO 17416 --- [  restartedMain] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 2822 ms
2023-07-14T23:13:12.546+08:00  WARN 17416 --- [  restartedMain] .s.s.UserDetailsServiceAutoConfiguration : 

Using generated security password: e636b35a-35c2-4df8-8404-8a51eb3bfdaa

This generated password is for development use only. Your security configuration must be updated before running your application in production.

2023-07-14T23:13:12.721+08:00  INFO 17416 --- [  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@4c6333b3, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7e78bb13, org.springframework.security.web.context.SecurityContextHolderFilter@500ccd39, org.springframework.security.web.header.HeaderWriterFilter@67b36e1e, org.springframework.security.web.csrf.CsrfFilter@547cf6f9, org.springframework.security.web.authentication.logout.LogoutFilter@6af43e35, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@784d6d5e, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@3e7757, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@55145899, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5aed1894, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@49d3c0d7, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@62359ec7, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@22520f84, org.springframework.security.web.access.ExceptionTranslationFilter@394bab9, org.springframework.security.web.access.intercept.AuthorizationFilter@665a6be5]
2023-07-14T23:13:12.754+08:00  WARN 17416 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : 

********************************************************************
**********        Security debugging is enabled.       *************
**********    This may include sensitive information.  *************
**********      Do not use in a production system!     *************
********************************************************************


2023-07-14T23:13:13.188+08:00  INFO 17416 --- [  restartedMain] o.s.b.d.a.OptionalLiveReloadServer       : LiveReload server is running on port 35729
```

What if you want to toggle the debug mode programmatically? It will be difficult to do so since it is configured at the annotation level. Is there any other way to configure it? Fortunately, yes! By using `WebSecurityCustomizer` class

```java
@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration {
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.debug(true);
    }
}
```

That's great. Can it be better, such as toggling it via properties?

```java
@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration {
    @Value("${web.security.debug}")
    private boolean enableDebug;

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.debug(enableDebug);
    }
}
```

In `application.properties`, define the following property

```plaintext
web.security.debug=true
```

In production, it can also easily be toggled via the environment variable

```powershell
WEB_SECURITY_DEBUG: false
```

# **Conclusion**

We looked at how to simplify toggling of Spring Security debug mode through property or environment variable.

This is quite useful for me, as it reduces a chunk of logs when not required to see the extra information during runtime.

# **Source Code**

As usual, the full source code is available on [**GitHub**](https://github.com/bwgjoseph/tutorials/tree/main/spring-security-debug)
