Spring Security
  1. Spring Security
  2. SEC-1826

Excessive (and misleading) logging in DelegatingMethodSecurityMetadataSource

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 3.1.0
    • Component/s: Core
    • Labels:
      None

      Description

      If you switch on global method security Spring Security adds a custom pointcut matcher and delegates to the DelegatingMethodSecurityMetadataSource. This code in that class logs every method in ebery bean in the context 9as far as I can tell) whether or not it is going to be intercepted:

                  if (logger.isDebugEnabled()) {
                      logger.debug("Adding security method [" + cacheKey + "] with attributes " + attributes);
                  }
      

      So 99.99% of these logs have attributes=[] (empty) which according to the matcher means it does not match.

      Could the log level be changed to TRACE and also the message changed to "Analyzing" or "Matching" instead of "Adding"?

        Activity

        Hide
        Luke Taylor added a comment -

        An empty list should be treated the same as null, so I've changed the code accordingly and it will now only log methods which have security attributes.

        Unfortunately, the way Spring initializes auto-proxying means that method information will be cached for beans which the advisor is not actually applied at all. Ideally we would be able to skip caching on initialization, when the pointcut is called to test whether the advisor should be applied to the bean, but I'm not sure how that could easily be done.

        Show
        Luke Taylor added a comment - An empty list should be treated the same as null, so I've changed the code accordingly and it will now only log methods which have security attributes. Unfortunately, the way Spring initializes auto-proxying means that method information will be cached for beans which the advisor is not actually applied at all. Ideally we would be able to skip caching on initialization, when the pointcut is called to test whether the advisor should be applied to the bean, but I'm not sure how that could easily be done.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Dave Syer
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: