Disable Spring Security Logging

Question

We are using Custom Filter to do our authentication.

Our Custom Filter extends from BasicAuthenticationFilter. We are using only Basic Authentication In our application. We did it like that, because we wanted to handle different authentication scenarios in our authentication entry point.

Whenever an API is invoked our Filter kicks in, which is causing lot of logs to be printed on console. These logs are itself coming from the BasicAuthenticationFilter.class (Which our Filter has extended)

if (this.authenticationIsRequired(username)) {
                UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, tokens[1]);
                authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
                Authentication authResult = this.authenticationManager.authenticate(authRequest);
                if (debug) {
                    this.logger.debug("Authentication success: " + authResult);
                }

                SecurityContextHolder.getContext().setAuthentication(authResult);
                this.rememberMeServices.loginSuccess(request, response, authResult);
                this.onSuccessfulAuthentication(request, response, authResult);
            }

Is it possible to avoid this logging, without having to actually override the function.

Answer 1

In springboot the logging level can be set as TRACE, DEBUG, INFO, WARN, ERROR, FATAL, or OFF . Setting the following in application.yml or application.properties can configure the root logger level:

logging.level.root=warn

Apart from that springboot also allows setting logging levels according to the group or class.

It's often useful to be able to group related loggers together so that they can all be configured at the same time. For example, you might commonly change the logging levels for all Tomcat related loggers, but you can't easily remember top level packages.

To help with this, Spring Boot allows you to define logging groups in your Spring Environment. For example, here's how you could define a “tomcat” group by adding it to your application.properties:

logging.group.tomcat=org.apache.catalina, org.apache.coyote, org.apache.tomcat

Actually springbobot provides us the capability to set the logging levels for classes. So in your case you could set the logging level for your Filter class as ERROR so that unwanted logs are not generated from it or set it to OFF . Another way is to turn off logging for your entire spring security group(this is not recommended as you may loose a lot of logs that might be useful):

logging.level.com.security.BasicAuthenticationFilter=ERROR

Read Doc

Answer 2

There are multiple ways to handle same

From command line

-Dlogging.level.org.springframework.security.web.authentication.www=OFF

From Logger configuration

you can set various log level to different classes, turn off logging for desired class

As per Spring page here 26.4 Log Levels

All the supported logging systems can have the logger levels set in the Spring Environment (for example, in application.properties) by using logging.level.= where level is one of TRACE, DEBUG, INFO, WARN, ERROR, FATAL, or OFF. The root logger can be configured by using logging.level.root.

Read the tutorial in details here