Reputation: 189
User (%u) is missing from Tomcat Access Logs when using Spring Security
I run a sample Spring Security (hello world) web application in Apache Tomcat 8. What I'm trying to see is the user information in Tomcat Access Logs, but it looks that this information is not there. Example for access log entries:
0:0:0:0:0:0:0:1 - - [06/Nov/2019:09:41:57 +0200] "GET / HTTP/1.1" 200 422
0:0:0:0:0:0:0:1 - - [06/Nov/2019:09:41:59 +0200] "GET /hello HTTP/1.1" 200 83
The access log configuration in the Tomcat server.xml is:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="common" />
pattern="common" corresponds to the Common Log Format defined by '%h %l %u %t "%r" %s %b' as it is described here. Tomcat documentation also states:
%u - Remote user that was authenticated (if any), else '-'
Is there any additional configuration that I should apply to make the user visible in the access logs?
Upvotes: 6
Views: 2764
Answers (2)
Reputation: 1943
As @Ori Marko says, the Native web-container access logs can't display the user info since they do not have access to the Spring Security data.
I discovered this after upgrading to Spring Boot 3 - the only access logs I could find were the web-container logs (which were being written to a different location than before and didn't contain user info).
Turns out the inherited app I'm working on is using a plugin to produce access logs:
implementation group: "dev.akkinoc.spring.boot", name: "logback-access-spring-boot-starter", version: "4.2.0"
The logs from this plugin DO include the user info. The plugin is configured using the same properties as the native access logs (e.g. server.tomcat.accesslog.pattern)
However, the upgrade to Spring Boot 3 also needed this plugin to be updated. It silently stopped working.
Note also that the plugin is for logback but I'm sure there are other equivalent plugins for other logging frameworks.
Upvotes: 0
Reputation: 58862
As answered, it may not work as expected
Tomcat's access log valve, this won't work, since Tomcat is unaware of Spring Security, which operates entirely within your application.
You may use a filter:
The easiest option would be to just add your own filter (e.g. in web.xml) after Spring Security, and dump the information you want
Other solution suggested in Config9, you may need to include the username as session attribute
Possibly this is not sufficient as common pattern already contains %u parameter. In this case I would recommend two additional steps:
1) Put user’s name into request session parameter, something like:
request.getSession().addAttribute("username", user.getName());2) Add following parameter in access log pattern: %{username}s
server.tomcat.accesslog.pattern=%h %l %t %u %{username}s "%r" %s %b
Upvotes: 6
Related Questions
- Spring boot with embedded tomcat + access log with authentication user
- Tomcat 9 access log does not show the username (i.e. %u) logged-in via HttpSession + JSP + Servlet
- tomcat not creating access logs in springboot
- spring-security wrong logged user
- Spring Security authentication logging
- Spring Security, remote user, and Tomcat logs
- Why can't spring security get a username?
- How to disable spring security logging
- spring_security_last_username
- Conflict between spring security and basic authorization of Tomcat