Logbook with SpringBoot + Spring security 2.7.x fails to log unauthorized or forbidden responses #1864

Open
gilles-gardet opened this issue Jun 20, 2024 · 0 comments
gilles-gardet commented Jun 20, 2024

When using logbook 3.9.0 with the latest Springboot 2.7.x release, the HTTP error responses returned by Spring security are not part of the logs anymore.

Description

Until recently we were using logbook 2.16.0, which was working very well with our Spring servlet stack (Springboot + Spring security 2.7.18).
We recently decided to jump from logbook 2.xx.x to 3.x.x.
But now the errors handled by Spring security are not logged anymore.

Note that I don't see the same behaviour if I upgrade my demo project to springboot & security 3.3.x, where everything works as expected.
It's not an option for us to migrate to Springboot 3.x.x at the moment.

Maybe it's a misconfiguration (or misreading of the documentation) on our side, but I already double-checked and our implementation looks good to me (at least according to the logbook documentation about spring 5 and springboot-starter).

Expected Behavior

  • if it's an actual bug then HTTP error responses returned by Spring security should be logged by logbook.
  • if it's not a bug then the documentation should be improved to help the user to properly implement logbook with the stack I specified earlier (if it's still supported by the logbook team of course).

Actual Behavior

Nothing is logged when Spring Security returns 401 or 403.

Steps to Reproduce

  1. specify logbook-spring-boot-starter & logbook-servlet (javax) version 3.9.0 in your pom.xml file, as well as spring-boot-starter-parent & spring-boot-starter-security at version 2.18.0
  2. set logs level using logback
  3. set the logbook.secure-filter.enabled & logbook.filter.enabled properties to true (should not be needed) in the application properties
  4. protect an endpoint using spring security with authentication (should not be needed as it's the default behaviour)
  5. run an unauthenticated request against this endpoint using an HTTP client (curl or whatever), an error should be thrown by default
  6. check logs => error response should not be there
  7. run the same request with a valid basic authentication => success response should have been logged

or

clone the given demo project and follow steps 5 to 7.

Context

Since we are not able to log HTTP errors we can't provide metrics about forbidden/unauthorized responses (without extra work).

Your Environment

gilles-gardet changed the title from "Logbook with SpringBoot + Spring security 2.7.x fails to log unauthorized or forbidden requests" to "Logbook with SpringBoot + Spring security 2.7.x fails to log unauthorized or forbidden responses" on Jun 20, 2024