Provide debug logs if http-method (POST) rejected with 401 when CSRF (default) enabled #7473
Comments
Related to #6311
@jzheaux thanks. Let me add some more background for this enhancement request. It's not technical; I am writing this up to hopefully explain why I believe this enhancement could be helpful. It started from a POST failing with 401.
Adding all of this time together, it took quite some time to get past this. And I guess a server-side log saying "POST not supported when CSRF enabled" with source from
Hello @dopsun. I've tried to simulate the problem:
The logs showed me exactly what happened when enabling DEBUG.
The 401 status code comes because Spring Boot redirects to the
I'm closing this as invalid, but if I missed something, let's discuss.
Hello @marcusdacoregio, could you please provide an example using a Maven project?
Hi @Bharghav1, do you mean enabling the logs? If you are using Spring Boot, you can just add
Thank you @marcusdacoregio, I was looking for the csrfFilter logging, but I just saw a comment to add the line below to the properties file too. Hope this works. I'm trying it now.
I still couldn't see the trace below. @marcusdacoregio, could you please guide me on what I should do to see a trace like the one below?
DEBUG 19462 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing POST /
What version of Spring Security are you using? Those logs are available from version 5.4 onwards.
Version 5.6.1. Actually it's a huge codebase; all I am trying to do is view the logs when a 403 error is generated for a failed CSRF token validation. I tried all the patterns for application.properties but couldn't get a trace like the one above. This is what I am using in the application.properties file:
log4j.logger.org.springframework.security=DEBUG
Without a sample, it's hard to know what is really happening. The best way to know if the logs are being generated is to put a breakpoint here and check if the code is executed.
Hi @marcusdacoregio, I figured out a way via the log4j properties file. It was not working via application.properties, but through the log4j properties file it's working.
I'm glad that you found a solution!
Summary
By default, a Spring Boot web application has CSRF enabled, unless
http.csrf().disable()
is called explicitly. An HTTP POST to a RESTful API with basic authentication will then be rejected as 401 UNAUTHORIZED, and on the server side there is no specific logging, even after enabling debug output. Propose to provide debug logs in CsrfFilter after the match in Line 196 fails.
Actual Behavior
Client side receives 401 status code, and server side no specific logs.
Expected Behavior
Server side provides debug log "POST is not supported while CSRF enabled" or alike, to help developers trouble shoot.
Configuration
See Sample.
Version
5.1.6.RELEASE
Sample
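The following is an added example, not the issue author's sample (which is linked from the original issue and not reproduced on this page) and not Spring Security's own code. It shows one way an application can produce the server-side log line this issue asks for without waiting for a framework change: register a custom AccessDeniedHandler on the CSRF configurer, which is the handler CsrfFilter invokes when its token check fails, and log the method, URI and concrete cause before delegating to the default handler. The class and package names are hypothetical; the code assumes Spring Security 5.x with the WebSecurityConfigurerAdapter configuration style that both versions mentioned in this thread (5.1.6 and 5.6.1) support, the javax.servlet API of Spring Boot 2, and SLF4J for logging.

```java
package com.example.csrfdiag; // hypothetical package name

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.InvalidCsrfTokenException;
import org.springframework.security.web.csrf.MissingCsrfTokenException;

/**
 * Hypothetical configuration class (added example): keeps CSRF protection
 * enabled (the default) and only customises what happens when it rejects
 * a request, so that the rejection shows up in the application log.
 */
@Configuration
@EnableWebSecurity
public class CsrfDiagnosticSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger log = LoggerFactory.getLogger(CsrfDiagnosticSecurityConfig.class);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF stays on; only the failure handler is replaced.
            .csrf()
                .accessDeniedHandler(loggingCsrfDeniedHandler())
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

    /**
     * Wraps the default AccessDeniedHandler (which writes the 403) so that a
     * CSRF rejection is logged at DEBUG with the method, URI and the cause.
     * CsrfFilter throws MissingCsrfTokenException when no token was sent and
     * InvalidCsrfTokenException when the token sent does not match.
     */
    AccessDeniedHandler loggingCsrfDeniedHandler() {
        AccessDeniedHandler delegate = new AccessDeniedHandlerImpl();
        return new AccessDeniedHandler() {
            @Override
            public void handle(HttpServletRequest request, HttpServletResponse response,
                               AccessDeniedException denied) throws IOException, ServletException {
                if (denied instanceof MissingCsrfTokenException) {
                    log.debug("Rejecting {} {}: no CSRF token in request while CSRF protection is enabled",
                              request.getMethod(), request.getRequestURI());
                } else if (denied instanceof InvalidCsrfTokenException) {
                    log.debug("Rejecting {} {}: CSRF token present but does not match the expected token",
                              request.getMethod(), request.getRequestURI());
                }
                // Fall through to the default behaviour (403 Forbidden).
                delegate.handle(request, response, denied);
            }
        };
    }
}
```

With this in place a POST that omits the token produces a DEBUG line from the application's own logger before the default handler writes the 403. The handler only sees requests that actually reached CsrfFilter; a request answered with 401 by an earlier filter, which is what the maintainer describes above for the original report, never gets that far. For that case the framework's own security debug output is the thing to turn on (in a Spring Boot application.properties that is logging.level.org.springframework.security=DEBUG), and, as noted in the thread, the CsrfFilter debug messages exist from Spring Security 5.4 onwards.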