How can I turn on debug or trace level logging for the Spring Security SAML Sample app? Specifically, I want logging for this non-Spring Boot "Java Configuration" saml2/login sample app:
https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/saml2/login
I'm using Tomcat, and I expect to see it logging to the catalina.out log file. If it's logged somewhere else, I'll take it wherever.
What I'm not using:
I'm not using the Spring Boot samples, under /servlet/spring-boot/java/saml2.
I'm not using the old end-of-life Spring Security SAML Extension:
https://github.com/spring-projects/spring-security-saml
So, my Gradle dependencies are using the org.springframework.security:spring-security-saml2-service-provider (not the older org.springframework.security.extensions:spring-security-saml2-core).
The sample app project includes the file /resources/logback.xml, but it does not appear to be used. It's set to root level="TRACE" already, but nothing is being logged.
I saw this logged in Tomcat:
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
So, I added this dependency:
implementation 'org.slf4j:slf4j-simple:1.7.30'
And, for my SecurityConfiguration class I set debug in this annotation:
@EnableWebSecurity(debug = true)
Now, with those two changes I do get some logging. But, I want more. This doesn't give me any SAML details. I want to see both SAMLRequest and SAMLResponse details. I want to see who the user is and their attributes, and any errors.
For example, in the browser Spring Security was responding with a page that said "Invalid credentials" after logging in at the IdP, but nothing was being logged about it, even with debug = true set. Looking at the SAMLResponse XML from the IdP in the browser, the IdP was happy and was not reporting invalid credentials. It turned out I had old session cookies that were confusing something, and deleting my cookies cleared the error, but it would have been nice to see something about that in the logs.
Spring Security SAML uses OpenSAML, so perhaps it's not Spring Security logging that I need to turn on, but OpenSAML.
I got logging to work. Instead of adding the slf4j dependency, I added logback to the build.gradle file:
implementation 'ch.qos.logback:logback-classic:1.2.11'
Then the app uses the resources/logback.xml file. To that I added these tags:
<logger name="org.springframework.security" level="DEBUG"/>
<logger name="org.springframework.security.saml2" level="TRACE" />
<logger name="org.springframework.security.authentication" level="TRACE" />
<logger name="org.springframework.security.authorization" level="TRACE" />
<logger name="org.opensaml" level="INFO" />
<logger name="org.opensaml.saml" level="TRACE" />
This provides the SAML details I was hoping for.
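For reference, a complete resources/logback.xml with the logger tags from the answer in place (an added example, not the sample project's own file). The STDOUT appender name, the log pattern and the root level of INFO are assumptions; console output from a webapp ends up in catalina.out when Tomcat is started with its standard Unix scripts.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>

  <!-- Assumed appender: write to the console, which Tomcat's startup
       scripts redirect into catalina.out. -->
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
    </encoder>
  </appender>

  <!-- Spring Security in general: filter chain decisions and errors. -->
  <logger name="org.springframework.security" level="DEBUG"/>

  <!-- SAML 2.0 service provider support plus the authentication and
       authorization packages, at the most verbose level. -->
  <logger name="org.springframework.security.saml2" level="TRACE"/>
  <logger name="org.springframework.security.authentication" level="TRACE"/>
  <logger name="org.springframework.security.authorization" level="TRACE"/>

  <!-- OpenSAML: keep the library at INFO overall, but trace the SAML
       message handling itself. -->
  <logger name="org.opensaml" level="INFO"/>
  <logger name="org.opensaml.saml" level="TRACE"/>

  <!-- Assumed root level: INFO keeps unrelated libraries quiet. The TRACE
       loggers above write SAML message details, including user attributes,
       to the log, so lower them again once troubleshooting is done. -->
  <root level="INFO">
    <appender-ref ref="STDOUT"/>
  </root>

</configuration>
```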