Add logging for protocol endpoint filters

Issue spring-projectsgh-159

Author: Steve Riesenberg

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcClientRegistrationEndpointFilter.java

@@ -22,6 +22,10 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.converter.HttpMessageConverter;
@@ -72,6 +76,7 @@ public final class OidcClientRegistrationEndpointFilter extends OncePerRequestFi
 	 */
 	private static final String DEFAULT_OIDC_CLIENT_REGISTRATION_ENDPOINT_URI = "/connect/register";
 
+	private static final Log logger = LogFactory.getLog(OidcClientRegistrationEndpointFilter.class);
 	private final AuthenticationManager authenticationManager;
 	private final RequestMatcher clientRegistrationEndpointMatcher;
 	private final HttpMessageConverter<OidcClientRegistration> clientRegistrationHttpMessageConverter =
@@ -202,6 +207,7 @@ private void sendClientRegistrationResponse(HttpServletRequest request, HttpServ
 	private void sendErrorResponse(HttpServletRequest request, HttpServletResponse response,
 			AuthenticationException authenticationException) throws IOException {
 		OAuth2Error error = ((OAuth2AuthenticationException) authenticationException).getError();
+		logger.trace(LogMessage.format("Client registration request failed: %s", error), authenticationException);
 		HttpStatus httpStatus = HttpStatus.BAD_REQUEST;
 		if (OAuth2ErrorCodes.INVALID_TOKEN.equals(error.getErrorCode())) {
 			httpStatus = HttpStatus.UNAUTHORIZED;

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcUserInfoEndpointFilter.java

@@ -22,6 +22,10 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.converter.HttpMessageConverter;
@@ -65,6 +69,7 @@ public final class OidcUserInfoEndpointFilter extends OncePerRequestFilter {
 	 */
 	private static final String DEFAULT_OIDC_USER_INFO_ENDPOINT_URI = "/userinfo";
 
+	private static final Log logger = LogFactory.getLog(OidcUserInfoEndpointFilter.class);
 	private final AuthenticationManager authenticationManager;
 	private final RequestMatcher userInfoEndpointMatcher;
 	private final HttpMessageConverter<OidcUserInfo> userInfoHttpMessageConverter =
@@ -180,6 +185,7 @@ private void sendUserInfoResponse(HttpServletRequest request, HttpServletRespons
 	private void sendErrorResponse(HttpServletRequest request, HttpServletResponse response,
 			AuthenticationException authenticationException) throws IOException {
 		OAuth2Error error = ((OAuth2AuthenticationException) authenticationException).getError();
+		logger.trace(LogMessage.format("User info request failed: %s", error), authenticationException);
 		HttpStatus httpStatus = HttpStatus.BAD_REQUEST;
 		if (error.getErrorCode().equals(OAuth2ErrorCodes.INVALID_TOKEN)) {
 			httpStatus = HttpStatus.UNAUTHORIZED;

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java

@@ -28,6 +28,10 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
@@ -90,6 +94,7 @@ public final class OAuth2AuthorizationEndpointFilter extends OncePerRequestFilte
 	 */
 	private static final String DEFAULT_AUTHORIZATION_ENDPOINT_URI = "/oauth2/authorize";
 
+	private static final Log logger = LogFactory.getLog(OAuth2AuthorizationEndpointFilter.class);
 	private final AuthenticationManager authenticationManager;
 	private final RequestMatcher authorizationEndpointMatcher;
 	private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
@@ -173,6 +178,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 			}
 
 			if (authenticationResult instanceof OAuth2AuthorizationConsentAuthenticationToken) {
+				logger.debug("Authorization consent is required");
 				sendAuthorizationConsent(request, response,
 						(OAuth2AuthorizationCodeRequestAuthenticationToken) authentication,
 						(OAuth2AuthorizationConsentAuthenticationToken) authenticationResult);
@@ -260,6 +266,7 @@ private void sendAuthorizationConsent(HttpServletRequest request, HttpServletRes
 					.toUriString();
 			this.redirectStrategy.sendRedirect(request, response, redirectUri);
 		} else {
+			logger.trace("Displaying generated consent screen");
 			DefaultConsentPage.displayConsent(request, response, clientId, principal, requestedScopes, authorizedScopes, state);
 		}
 	}
@@ -307,6 +314,8 @@ private void sendErrorResponse(HttpServletRequest request, HttpServletResponse r
 		OAuth2AuthorizationCodeRequestAuthenticationException authorizationCodeRequestAuthenticationException =
 				(OAuth2AuthorizationCodeRequestAuthenticationException) exception;
 		OAuth2Error error = authorizationCodeRequestAuthenticationException.getError();
+		logger.trace(LogMessage.format("Authorization request failed: %s", error),
+				authorizationCodeRequestAuthenticationException);
 		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
 				authorizationCodeRequestAuthenticationException.getAuthorizationCodeRequestAuthentication();
 
@@ -316,6 +325,8 @@ private void sendErrorResponse(HttpServletRequest request, HttpServletResponse r
 			return;
 		}
 
+		logger.trace("Redirecting to client with error");
+
 		UriComponentsBuilder uriBuilder = UriComponentsBuilder
 				.fromUriString(authorizationCodeRequestAuthentication.getRedirectUri())
 				.queryParam(OAuth2ParameterNames.ERROR, error.getErrorCode());

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java

@@ -23,6 +23,10 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.server.ServletServerHttpResponse;
@@ -72,6 +76,7 @@
  * @see <a target="_blank" href="https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1">Section 3.2.1 Token Endpoint Client Authentication</a>
  */
 public final class OAuth2ClientAuthenticationFilter extends OncePerRequestFilter {
+	private static final Log logger = LogFactory.getLog(OAuth2ClientAuthenticationFilter.class);
 	private final AuthenticationManager authenticationManager;
 	private final RequestMatcher requestMatcher;
 	private final HttpMessageConverter<OAuth2Error> errorHttpResponseConverter = new OAuth2ErrorHttpMessageConverter();
@@ -181,7 +186,9 @@ private void onAuthenticationFailure(HttpServletRequest request, HttpServletResp
 		// include the "WWW-Authenticate" response header field
 		// matching the authentication scheme used by the client.
 
-		OAuth2Error error = ((OAuth2AuthenticationException) exception).getError();
+		OAuth2AuthenticationException authenticationException = (OAuth2AuthenticationException) exception;
+		OAuth2Error error = authenticationException.getError();
+		logger.trace(LogMessage.format("Invalid client authentication: %s", error), authenticationException);
 		ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
 		if (OAuth2ErrorCodes.INVALID_CLIENT.equals(error.getErrorCode())) {
 			httpResponse.setStatusCode(HttpStatus.UNAUTHORIZED);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java

@@ -25,6 +25,10 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.converter.HttpMessageConverter;
@@ -99,6 +103,7 @@ public final class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
 	private static final String DEFAULT_TOKEN_ENDPOINT_URI = "/oauth2/token";
 
 	private static final String DEFAULT_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
+	private static final Log logger = LogFactory.getLog(OAuth2TokenEndpointFilter.class);
 	private final AuthenticationManager authenticationManager;
 	private final RequestMatcher tokenEndpointMatcher;
 	private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter =
@@ -245,7 +250,9 @@ private void sendAccessTokenResponse(HttpServletRequest request, HttpServletResp
 	private void sendErrorResponse(HttpServletRequest request, HttpServletResponse response,
 			AuthenticationException exception) throws IOException {
 
-		OAuth2Error error = ((OAuth2AuthenticationException) exception).getError();
+		OAuth2AuthenticationException authenticationException = (OAuth2AuthenticationException) exception;
+		OAuth2Error error = authenticationException.getError();
+		logger.trace(LogMessage.format("Token request failed: %s", error), authenticationException);
 		ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
 		httpResponse.setStatusCode(HttpStatus.BAD_REQUEST);
 		this.errorHttpResponseConverter.write(error, null, httpResponse);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilter.java

@@ -22,6 +22,10 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.converter.HttpMessageConverter;
@@ -63,6 +67,7 @@ public final class OAuth2TokenIntrospectionEndpointFilter extends OncePerRequest
 	 */
 	private static final String DEFAULT_TOKEN_INTROSPECTION_ENDPOINT_URI = "/oauth2/introspect";
 
+	private static final Log logger = LogFactory.getLog(OAuth2TokenIntrospectionEndpointFilter.class);
 	private final AuthenticationManager authenticationManager;
 	private final RequestMatcher tokenIntrospectionEndpointMatcher;
 	private AuthenticationConverter authenticationConverter;
@@ -165,6 +170,7 @@ private void sendIntrospectionResponse(HttpServletRequest request, HttpServletRe
 	private void sendErrorResponse(HttpServletRequest request, HttpServletResponse response,
 			AuthenticationException exception) throws IOException {
 		OAuth2Error error = ((OAuth2AuthenticationException) exception).getError();
+		logger.trace(LogMessage.format("Token introspection request failed: %s", error), exception);
 		ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
 		httpResponse.setStatusCode(HttpStatus.BAD_REQUEST);
 		this.errorHttpResponseConverter.write(error, null, httpResponse);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenRevocationEndpointFilter.java

@@ -22,6 +22,10 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.converter.HttpMessageConverter;
@@ -61,6 +65,7 @@ public final class OAuth2TokenRevocationEndpointFilter extends OncePerRequestFil
 	 */
 	private static final String DEFAULT_TOKEN_REVOCATION_ENDPOINT_URI = "/oauth2/revoke";
 
+	private static final Log logger = LogFactory.getLog(OAuth2TokenRevocationEndpointFilter.class);
 	private final AuthenticationManager authenticationManager;
 	private final RequestMatcher tokenRevocationEndpointMatcher;
 	private AuthenticationConverter authenticationConverter;
@@ -156,6 +161,7 @@ private void sendRevocationSuccessResponse(HttpServletRequest request, HttpServl
 	private void sendErrorResponse(HttpServletRequest request, HttpServletResponse response,
 			AuthenticationException exception) throws IOException {
 		OAuth2Error error = ((OAuth2AuthenticationException) exception).getError();
+		logger.trace(LogMessage.format("Token revocation request failed: %s", error), exception);
 		ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
 		httpResponse.setStatusCode(HttpStatus.BAD_REQUEST);
 		this.errorHttpResponseConverter.write(error, null, httpResponse);