Add debug logging

Goal is to provide insight to devs on:
- Authentication & Authorization success/failures
- WebSession & SecurityContext
- Request matchers, cache & authn/authz flow

Fixes gh-5758

Author: mouellet

web/src/main/java/org/springframework/security/web/server/DefaultServerRedirectStrategy.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.server;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.server.reactive.ServerHttpResponse;
 import org.springframework.util.Assert;
@@ -28,9 +30,11 @@
  * The default {@link ServerRedirectStrategy} to use.
  *
  * @author Rob Winch
+ * @author Mathieu Ouellet
  * @since 5.0
  */
 public class DefaultServerRedirectStrategy implements ServerRedirectStrategy {
+	private static final Log logger = LogFactory.getLog(DefaultServerRedirectStrategy.class);
 	private HttpStatus httpStatus = HttpStatus.FOUND;
 
 	private boolean contextRelative = true;
@@ -41,7 +45,11 @@ public Mono<Void> sendRedirect(ServerWebExchange exchange, URI location) {
 		return Mono.fromRunnable(() -> {
 			ServerHttpResponse response = exchange.getResponse();
 			response.setStatusCode(this.httpStatus);
-			response.getHeaders().setLocation(createLocation(exchange, location));
+			URI newLocation = createLocation(exchange, location);
+			if (logger.isDebugEnabled()) {
+				logger.debug("Redirecting to '" + newLocation + "'");
+			}
+			response.getHeaders().setLocation(newLocation);
 		});
 	}
 

web/src/main/java/org/springframework/security/web/server/DelegatingServerAuthenticationEntryPoint.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.server;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.util.Assert;
 import reactor.core.publisher.Flux;
@@ -33,10 +35,13 @@
  * on a {@link ServerWebExchangeMatcher}
  *
  * @author Rob Winch
+ * @author Mathieu Ouellet
  * @since 5.0
  */
 public class DelegatingServerAuthenticationEntryPoint
 	implements ServerAuthenticationEntryPoint {
+	private static final Log logger = LogFactory.getLog(DelegatingServerAuthenticationEntryPoint.class);
+
 	private final List<DelegateEntry> entryPoints;
 
 	private ServerAuthenticationEntryPoint defaultEntryPoint = (exchange, e) -> {
@@ -61,12 +66,26 @@ public Mono<Void> commence(ServerWebExchange exchange,
 				.filterWhen( entry -> isMatch(exchange, entry))
 				.next()
 				.map( entry -> entry.getEntryPoint())
-				.defaultIfEmpty(this.defaultEntryPoint)
+				.doOnNext(it -> {
+					if (logger.isDebugEnabled()) {
+						logger.debug("Match found! Executing " + it);
+					}
+				})
+				.switchIfEmpty(Mono.just(this.defaultEntryPoint)
+					.doOnNext(it -> {
+						if (logger.isDebugEnabled()) {
+							logger.debug("No match found. Using default entry point " + defaultEntryPoint);
+						}
+					})
+				)
 				.flatMap( entryPoint -> entryPoint.commence(exchange, e));
 	}
 
 	private Mono<Boolean> isMatch(ServerWebExchange exchange, DelegateEntry entry) {
 		ServerWebExchangeMatcher matcher = entry.getMatcher();
+		if (logger.isDebugEnabled()) {
+			logger.debug("Trying to match using " + matcher);
+		}
 		return matcher.matches(exchange)
 			.map( result -> result.isMatch());
 	}

web/src/main/java/org/springframework/security/web/server/authentication/AnonymousAuthenticationWebFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,8 @@
 
 import java.util.List;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import reactor.core.publisher.Mono;
 
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
@@ -37,12 +39,11 @@
  * {@code ReactiveSecurityContextHolder}, and populates it with one if needed.
  *
  * @author Ankur Pathak
+ * @author Mathieu Ouellet
  * @since 5.2.0
  */
 public class AnonymousAuthenticationWebFilter implements WebFilter {
-	// ~ Instance fields
-	// ================================================================================================
-
+	private static final Log logger = LogFactory.getLog(AnonymousAuthenticationWebFilter.class);
 	private String key;
 	private Object principal;
 	private List<GrantedAuthority> authorities;
@@ -72,18 +73,25 @@ public AnonymousAuthenticationWebFilter(String key, Object principal,
 		this.authorities = authorities;
 	}
 
-
 	@Override
 	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
 		return ReactiveSecurityContextHolder.getContext()
 				.switchIfEmpty(Mono.defer(() -> {
-						SecurityContext securityContext = new SecurityContextImpl();
-						securityContext.setAuthentication(createAuthentication(exchange));
+						Authentication authentication = createAuthentication(exchange);
+						SecurityContext securityContext = new SecurityContextImpl(authentication);
+						if (logger.isDebugEnabled()) {
+							logger.debug("Populated SecurityContext with anonymous token: '" + authentication + "'");
+						}
 						return chain.filter(exchange)
 								.subscriberContext(ReactiveSecurityContextHolder.withSecurityContext(Mono.just(securityContext)))
 								.then(Mono.empty());
-				})).flatMap(securityContext -> chain.filter(exchange));
-
+				}))
+				.flatMap(securityContext -> {
+					if (logger.isDebugEnabled()) {
+						logger.debug("SecurityContext contains anonymous token: '" + securityContext.getAuthentication() + "'");
+					}
+					return chain.filter(exchange);
+				});
 	}
 
 	protected Authentication createAuthentication(ServerWebExchange exchange) {

web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@
 
 import java.util.function.Function;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import reactor.core.publisher.Mono;
 
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
@@ -65,9 +67,11 @@
  *
  * @author Rob Winch
  * @author Rafiullah Hamedy
+ * @author Mathieu Ouellet
  * @since 5.0
  */
 public class AuthenticationWebFilter implements WebFilter {
+	private static final Log logger = LogFactory.getLog(AuthenticationWebFilter.class);
 	private final ReactiveAuthenticationManagerResolver<ServerWebExchange> authenticationManagerResolver;
 
 	private ServerAuthenticationSuccessHandler authenticationSuccessHandler = new WebFilterChainServerAuthenticationSuccessHandler();
@@ -116,6 +120,11 @@ private Mono<Void> authenticate(ServerWebExchange exchange,
 			.flatMap(authenticationManager -> authenticationManager.authenticate(token))
 			.switchIfEmpty(Mono.defer(() -> Mono.error(new IllegalStateException("No provider found for " + token.getClass()))))
 			.flatMap(authentication -> onAuthenticationSuccess(authentication, webFilterExchange))
+			.doOnError(AuthenticationException.class, e -> {
+				if (logger.isDebugEnabled()) {
+					logger.debug("Authentication failed: " + e.getMessage());
+				}
+			})
 			.onErrorResume(AuthenticationException.class, e -> this.authenticationFailureHandler
 				.onAuthenticationFailure(webFilterExchange, e));
 	}

web/src/main/java/org/springframework/security/web/server/authentication/logout/LogoutWebFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.server.authentication.logout;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import reactor.core.publisher.Mono;
 
 import org.springframework.http.HttpMethod;
@@ -36,9 +38,12 @@
  * {@link ServerLogoutHandler}.
  *
  * @author Rob Winch
+ * @author Mathieu Ouellet
  * @since 5.0
  */
 public class LogoutWebFilter implements WebFilter {
+	private static final Log logger = LogFactory.getLog(LogoutWebFilter.class);
+
 	private AnonymousAuthenticationToken anonymousAuthenticationToken = new AnonymousAuthenticationToken("key", "anonymous",
 		AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
 
@@ -69,6 +74,10 @@ private Mono<Authentication> flatMapAuthentication(ServerWebExchange exchange) {
 	}
 
 	private Mono<Void> logout(WebFilterExchange webFilterExchange, Authentication authentication) {
+		if (logger.isDebugEnabled()) {
+			logger.debug("Logging out user '" + authentication
+					+ "' and transferring to logout destination");
+		}
 		return this.logoutHandler.logout(webFilterExchange, authentication)
 			.then(this.logoutSuccessHandler
 				.onLogoutSuccess(webFilterExchange, authentication))

web/src/main/java/org/springframework/security/web/server/authorization/AuthorizationWebFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,7 +15,9 @@
  */
 package org.springframework.security.web.server.authorization;
 
-
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.core.context.SecurityContext;
@@ -28,21 +30,33 @@
 /**
  *
  * @author Rob Winch
+ * @author Mathieu Ouellet
  * @since 5.0
  */
 public class AuthorizationWebFilter implements WebFilter {
-	private ReactiveAuthorizationManager<? super ServerWebExchange> accessDecisionManager;
+	private static final Log logger = LogFactory.getLog(AuthorizationWebFilter.class);
+	private ReactiveAuthorizationManager<? super ServerWebExchange> authorizationManager;
 
-	public AuthorizationWebFilter(ReactiveAuthorizationManager<? super ServerWebExchange> accessDecisionManager) {
-		this.accessDecisionManager = accessDecisionManager;
+	public AuthorizationWebFilter(ReactiveAuthorizationManager<? super ServerWebExchange> authorizationManager) {
+		this.authorizationManager = authorizationManager;
 	}
 
 	@Override
 	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
 		return ReactiveSecurityContextHolder.getContext()
 			.filter(c -> c.getAuthentication() != null)
 			.map(SecurityContext::getAuthentication)
-			.as(authentication -> this.accessDecisionManager.verify(authentication, exchange))
+			.as(authentication -> this.authorizationManager.verify(authentication, exchange))
+			.doOnSuccess(it -> {
+				if (logger.isDebugEnabled()) {
+					logger.debug("Authorization successful");
+				}
+			})
+			.doOnError(AccessDeniedException.class, e -> {
+				if (logger.isDebugEnabled()) {
+					logger.debug("Authorization failed: " + e.getMessage());
+				}
+			})
 			.switchIfEmpty(chain.filter(exchange));
 	}
 }

web/src/main/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,11 +15,13 @@
  */
 package org.springframework.security.web.server.authorization;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcherEntry;
-import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 import org.springframework.web.server.ServerWebExchange;
 
 import reactor.core.publisher.Flux;
@@ -30,9 +32,11 @@
 
 /**
  * @author Rob Winch
+ * @author Mathieu Ouellet
  * @since 5.0
  */
 public class DelegatingReactiveAuthorizationManager implements ReactiveAuthorizationManager<ServerWebExchange> {
+	private static final Log logger = LogFactory.getLog(DelegatingReactiveAuthorizationManager.class);
 	private final List<ServerWebExchangeMatcherEntry<ReactiveAuthorizationManager<AuthorizationContext>>> mappings;
 
 	private DelegatingReactiveAuthorizationManager(List<ServerWebExchangeMatcherEntry<ReactiveAuthorizationManager<AuthorizationContext>>> mappings) {
@@ -43,11 +47,17 @@ private DelegatingReactiveAuthorizationManager(List<ServerWebExchangeMatcherEntr
 	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, ServerWebExchange exchange) {
 		return Flux.fromIterable(mappings)
 			.concatMap(mapping -> mapping.getMatcher().matches(exchange)
-				.filter(ServerWebExchangeMatcher.MatchResult::isMatch)
-				.map(r -> r.getVariables())
-				.flatMap(variables -> mapping.getEntry()
-					.check(authentication, new AuthorizationContext(exchange, variables))
-				)
+				.filter(MatchResult::isMatch)
+				.map(MatchResult::getVariables)
+				.flatMap(variables -> {
+					if (logger.isDebugEnabled()) {
+						logger.debug("Checking authorization on '"
+							+ exchange.getRequest().getPath().pathWithinApplication()
+							+ "' using " + mapping.getEntry());
+					}
+					return mapping.getEntry()
+						.check(authentication, new AuthorizationContext(exchange, variables));
+				})
 			)
 			.next()
 			.defaultIfEmpty(new AuthorizationDecision(false));