
Logbook with SpringBoot + Spring security 2.7.x fails to log unauthorized or forbidden responses

Open gilles-gardet opened this issue 8 months ago • 0 comments

When using Logbook 3.9.0 with the latest Spring Boot 2.7.x release, the HTTP error responses returned by Spring Security are not part of the logs anymore.

Description

Until recently we were using Logbook 2.16.0, which was working very well with our Spring servlet stack (Spring Boot + Spring Security 2.7.18). We recently decided to jump from Logbook 2.xx.x to 3.x.x, but now the errors handled by Spring Security are not logged anymore.

Note that I don't have the same behaviour if I upgrade my demo project to Spring Boot & Security 3.3.x, where everything works as expected. Migrating to Spring Boot 3.x.x is not an option for us at the moment.

Maybe it's a misconfiguration (or a misreading of the documentation) on our side, but I already double-checked, and our implementation looks good to me (at least according to Logbook's documentation about Spring 5 and the spring-boot-starter).

Expected Behavior

  • If it's an actual bug, then HTTP error responses returned by Spring Security should be logged by Logbook.
  • If it's not a bug, then the documentation should be improved to help users properly implement Logbook with the stack I specified earlier (if it's still supported by the Logbook team, of course).

Actual Behavior

Nothing is logged when Spring Security returns 401 or 403.

Steps to Reproduce

  1. specify logbook-spring-boot-starter & logbook-servlet (javax) version 3.9.0 in your pom.xml file, as well as spring-boot-starter-parent & spring-boot-starter-security at version 2.18.0
  2. set log levels using logback
  3. set the logbook.secure-filter.enabled & logbook.filter.enabled properties to true (should not be needed) in the application properties
  4. protect an endpoint using Spring Security with authentication (should not be needed, as it's the default behaviour)
  5. run an unauthenticated request against this endpoint using an HTTP client (curl or whatever); an error should be thrown by default
  6. check the logs => the error response should not be there
  7. run the same request with valid basic authentication => the success response should have been logged

or

clone the given demo project and follow steps 5 to 7.

Context

Since we are not able to log HTTP errors we can't provide metrics about forbidden/unauthorized responses (without extra work).

Your Environment

  • Version used: 3.9.0
  • Link to your project: https://github.com/gilles-gardet/logbook-error

gilles-gardet • Jun 20 '24 12:06
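As an added illustration of the metrics the reporter mentions (this is example code, not part of the issue or of the Logbook project), the script below parses Logbook-style JSON log lines, counts 401 and 403 responses, and flags request entries that have no matching response entry, which is the gap this issue describes. The log lines are constructed for the example; the field names (origin, type, correlation, status) follow Logbook's default JSON formatter as I understand it, and the logback prefix layout and logger name are assumptions.

```python
import json
from collections import Counter

# Constructed sample log lines (not the reporter's real logs) in the shape that
# Logbook's JSON formatter emits through logback: a logback prefix followed by one
# JSON object per entry. The prefix layout and logger name are assumptions.
PREFIX = "2024-06-20 12:06:01.001 TRACE 1 --- [nio-8080-exec-1] org.zalando.logbook.Logbook : "
SAMPLE_LOG_LINES = [
    # startup noise that carries no Logbook entry and must be skipped
    "2024-06-20 12:06:00.900  INFO 1 --- [           main] c.e.Application : Started Application in 2.1 seconds",
    # a1: unauthenticated request, answered 401 by Spring Security
    PREFIX + '{"origin":"remote","type":"request","correlation":"a1","protocol":"HTTP/1.1",'
             '"remote":"127.0.0.1","method":"GET","uri":"http://localhost:8080/api/secret",'
             '"headers":{"Accept":["*/*"]}}',
    PREFIX + '{"origin":"local","type":"response","correlation":"a1","duration":3,'
             '"protocol":"HTTP/1.1","status":401,"headers":{"WWW-Authenticate":["Basic realm=Realm"]}}',
    # a2: same endpoint with valid basic auth (user:pass), answered 200
    PREFIX + '{"origin":"remote","type":"request","correlation":"a2","protocol":"HTTP/1.1",'
             '"remote":"127.0.0.1","method":"GET","uri":"http://localhost:8080/api/secret",'
             '"headers":{"Authorization":["Basic dXNlcjpwYXNz"]}}',
    PREFIX + '{"origin":"local","type":"response","correlation":"a2","duration":12,'
             '"protocol":"HTTP/1.1","status":200,"headers":{"Content-Type":["application/json"]},'
             '"body":{"ok":true}}',
    # a3: authenticated but not authorised, answered 403
    PREFIX + '{"origin":"remote","type":"request","correlation":"a3","protocol":"HTTP/1.1",'
             '"remote":"127.0.0.1","method":"GET","uri":"http://localhost:8080/api/admin",'
             '"headers":{"Authorization":["Basic dXNlcjpwYXNz"]}}',
    PREFIX + '{"origin":"local","type":"response","correlation":"a3","duration":2,'
             '"protocol":"HTTP/1.1","status":403,"headers":{}}',
    # a4: a request whose response entry never made it into the log
    PREFIX + '{"origin":"remote","type":"request","correlation":"a4","protocol":"HTTP/1.1",'
             '"remote":"127.0.0.1","method":"GET","uri":"http://localhost:8080/api/secret",'
             '"headers":{"Accept":["*/*"]}}',
]


def extract_json(line):
    """Return the Logbook entry embedded in a log line, or None if the line carries none.

    Logback prepends timestamp/level/logger text, so the JSON object is located by
    its first brace rather than assuming the whole line is JSON.
    """
    start = line.find("{")
    if start < 0:
        return None
    try:
        entry = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return entry if isinstance(entry, dict) and "type" in entry else None


def response_status_counts(lines):
    """Count response entries by HTTP status code."""
    counts = Counter()
    for line in lines:
        entry = extract_json(line)
        if entry and entry.get("type") == "response" and isinstance(entry.get("status"), int):
            counts[entry["status"]] += 1
    return counts


def access_control_metrics(lines):
    """Build 401/403 metrics and list request correlations that never got a response entry.

    An unmatched request is exactly the symptom this issue reports: Logbook logged the
    inbound request (or nothing at all) but no response line for the rejected call.
    """
    requests, responses = {}, {}
    for line in lines:
        entry = extract_json(line)
        if not entry:
            continue
        corr = entry.get("correlation")
        if entry["type"] == "request":
            requests[corr] = entry
        elif entry["type"] == "response":
            responses[corr] = entry
    counts = Counter(r["status"] for r in responses.values() if isinstance(r.get("status"), int))
    return {
        "total_responses": sum(counts.values()),
        "unauthorized": counts[401],
        "forbidden": counts[403],
        "status_counts": dict(counts),
        "unmatched_requests": sorted(c for c in requests if c not in responses),
    }


if __name__ == "__main__":
    print(json.dumps(access_control_metrics(SAMPLE_LOG_LINES), indent=2))
```

Pointing the script at a real Logbook log file (one line per entry, `TRACE` enabled for the Logbook logger as the reporter's step 2 implies) gives a quick way to confirm step 6: if the 401 from the unauthenticated curl is missing, it shows up either as an unmatched request or simply as a zero `unauthorized` count.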