我有一个带有 Spring Security 的应用程序,它目前不记录访问被拒绝的异常。我试图弄清楚我需要在我的 log4j 配置中更改什么设置才能记录访问被拒绝的异常。
我目前使用的是默认 org.springframework.security.web.access.AccessDeniedHandlerImpl作为我的 AccessDeniedHandler(带有一个用于 errorPage 的参数)。我是否需要创建一个替代品或从现有的 AccessDeniedHandler 继承?或者是否有像 logExceptions = true 这样的设置可以添加到 AccessDeniedHandler 中?
或者是否有一些我需要更改的 log4j 记录器设置?我目前有以下设置:
log4j.logger.org.springframework.security=WARN
最佳答案
配置的日志级别太高。访问被拒绝的异常将记录在级别 DEBUG :
2018-07-18 16:15:09.802 DEBUG 30380 --- [ main] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
[..]
所以添加一个日志规则,如
org.springframework.security.web.access=DEBUG看见了。
关于logging - Spring Security 日志记录访问被拒绝异常,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/26845952/