Improve Security Logging With Mapped Diagnostic Context

What You'll Learn

How to automatically add a username to each Logback log statement. The username relates to the user principal (identity) making a request to the application. Your application will handle more than one request at a time — if you have more than one user! — so it is important to audit who is doing what.

Specifically, we will learn:

How to create a Mapped Diagnostic Context (MDC) Java Servlet Filter.
How to add a user principal name to the MDC
How to add the new filter to the Spring Security filter chain
How to automatically add the username of the authenticated principal to log statements

First, we need to create a Java servlet filter to intercept HTTP requests and populate the Mapped Diagnostic Context (MDC).
Create a class that implements the javax.servlet.Filter interface.

public class UserToMdcFilter implements Filter {

  @Override
  public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
      throws IOException, ServletException {

    try {
      chain.doFilter(request, response);
    } finally {
      MDC.remove("user");
    }
  }

  @Override
  public void destroy() {
    // do nothing
  }

  @Override
  public void init(final FilterConfig fc) throws ServletException {
    // do nothing

  }
}

Positive reference: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-authentication-securitycontext

Provided we configure the Filter to operate after Spring Security's authentication filter has run (see next section), we will have access to the populated security context.
The security context for the authenticated User associated with the given request (and hence thread) is accessible through the SecurityContextHolder.
Inside the SecurityContext is the Authentication object which holds the identity of the principal that has been authenticated.
We can leverage the Authentication object to retrieve the Principal object from which we can extract the User.
For example, inside the doFilter(...) method above:

if ((SecurityContextHolder.getContext() != null)
        && (SecurityContextHolder.getContext().getAuthentication() != null)
        && (SecurityContextHolder.getContext().getAuthentication().getPrincipal() instanceof User)) {

        final User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        MDC.put("user", user.getUsername());
}

This will add the username to the MDC using the key user iff:
- A SecurityContext exists, and;
- The Authentication principal exists, and;
- The principal has the type User — which is the standard principal in Spring Security.

## Add The New Filter To The Spring Security Filter Chain Duration: 5

Positive reference: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-authentication-unpwd

We must now add the filter to the Spring Security filter chain for it to take effect.
In your Spring Security configuration class where you configure your HttpSecurity object, add:

http.addFilterAfter(new UserToMdcFilter(), AnonymousAuthenticationFilter.class);

You can now add the username to every log statement automatically by including it in a PatternLayout within your logback.xml file.
For example, to add the username by default to every log statement you can include the pattern:
```
[%X{user:-system}]
```
Note, certain requests will not contain an authenticated principal e.g., if the request is being made by the service itself, or the user is anonymous, etc. The pattern above says, therefore, log the user we placed into the MDC (in the filter) and if none exist use the default string value of system.
A complete log pattern may then look like the following (please note, you do not need to follow this exact pattern, you only need to include the pattern %X{user:-system} into your own layouts):
```
%d{yyyy-MM-dd HH:mm:ss.SSS} %5p ${PID:- } [%X{req.method}][%X{req.requestURL}][%X{user:-system}] [%t] --- %-40.40logger{39} : %m%n%wex
```