When authentication and authorization aren't behaving the way you'd like, the first step is turning on security-related debug output. This involves editing a Log4J configuration file.
There are two general settings in log4j.xml that can affect logging:
- Threshold: Each appender can have a Threshold param. "By setting the threshold value, only log messages matching the threshold setting or above will be logged."
- Root logger priority: "The most important logger you need to configure is the root logger. All loggers inherit their settings from the root logger."
- Make a backup copy of log4j.xml. Remove any Threshold param that occurs in all of the appenders (i.e.
- Staying in the same file, find the root logger definition. Add or change the existing
FATAL. All loggers will inherit this level except where it is overridden (which is done in the next step).
- Staying in the same file, add the following loggers before the root element. This will enable debug-level output in security-related classes.
Note: When you add category elements, be sure to add them before the root element. Otherwise, you will violate the DTD for
- Now open
<back-end> is one of
hibernate. Which one you open will depend on the type of security back-end you've configured in web.xml. Add a property called
false to the bean with id daoAuthenticationProvider. Your modified bean should look like the bean below. Note that existing properties and constructor-args elements for this bean should be left unmodified.
- Save the file and restart your servlet container or application server.
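As an added check, not part of the original page: a small Python script that verifies a log4j.xml follows the steps above (no Threshold param on any appender, root priority FATAL, every category element placed before root, and at least one security category at DEBUG). The Acegi/Spring Security package names and the two sample files are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed logger names (Acegi / Spring Security packages); adjust to your classes.
SECURITY_CATEGORIES = ("org.acegisecurity", "org.springframework.security")

def check_log4j(xml_text):
    """Return the list of deviations from the recipe; an empty list means it follows it."""
    conf = ET.fromstring(xml_text)
    children = list(conf)
    problems = []
    # Step 1: a Threshold param on an appender would discard DEBUG output.
    for app in conf.findall("appender"):
        for p in app.findall("param"):
            if p.get("name") == "Threshold":
                problems.append("appender %s has Threshold=%s" % (app.get("name"), p.get("value")))
    # Step 2: root priority FATAL, so only the chosen categories produce output.
    root_el = conf.find("root")
    if root_el is None:
        return problems + ["no <root> element"]
    prio = root_el.find("priority")
    level = prio.get("value") if prio is not None else None
    if level != "FATAL":
        problems.append("root priority is %s, expected FATAL" % level)
    # Step 3: every <category> must precede <root>; the log4j DTD orders them that way.
    levels = {}
    for cat in conf.findall("category"):
        if children.index(cat) > children.index(root_el):
            problems.append("category %s appears after <root>" % cat.get("name"))
        p = cat.find("priority")
        levels[cat.get("name")] = p.get("value") if p is not None else None
    if not any(levels.get(n) == "DEBUG" for n in SECURITY_CATEGORIES):
        problems.append("no security category at DEBUG")
    return problems

# Constructed samples: a typical default file, and the same file after the edits above.
BEFORE = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="file" class="org.apache.log4j.RollingFileAppender">
    <param name="Threshold" value="INFO"/>
  </appender>
  <root><priority value="INFO"/><appender-ref ref="file"/></root>
</log4j:configuration>"""

AFTER = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="file" class="org.apache.log4j.RollingFileAppender"/>
  <category name="org.acegisecurity"><priority value="DEBUG"/></category>
  <root><priority value="FATAL"/><appender-ref ref="file"/></root>
</log4j:configuration>"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_log4j(text) or "ok")
```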
What to Look For
- When you request a page that is protected but you are not yet logged in, you should see an exception in the log which looks like this:
- When the username and/or password doesn't match what's in the back-end, you should see a log message which looks like this:
- When the username and password match, you should see a log message which looks like the following. After the InteractiveAuthenticationSuccessEvent, one of the filters will show the roles fetched for the authenticated user. Compare these roles to the page-role mapping found in the