我有一个带有 Spring Security 的应用程序,它当前不记录访问被拒绝的异常。我试图弄清楚我需要在我的 log4j 配置中更改什么设置以记录拒绝访问的异常。
我目前使用默认的org.springframework.security.web.access.AccessDeniedHandlerImpl 作为我的AccessDeniedHandler(带有一个errorPage 参数)。我是否需要创建替换或从现有的 AccessDeniedHandler 继承?或者是否有像 logExceptions = true 这样的设置可以添加到 AccessDeniedHandler 中?
或者是否有一些我需要更改的 log4j 记录器设置?我目前有以下设置:
log4j.logger.org.springframework.security=WARN
【问题讨论】:
标签: logging spring-security log4j
配置的日志级别太高。访问被拒绝的异常将被记录在级别DEBUG:
2018-07-18 16:15:09.802 DEBUG 30380 --- [ main] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
[..]
所以添加一个像org.springframework.security.web.access=DEBUG 这样的日志记录规则来查看它。
【讨论】: