
SEC-2368: DebugFilter outputs headers and HTTP method

Rob Winch 12 年之前
父节点
当前提交
15a63c58a7

+ 22 - 2
web/src/main/java/org/springframework/security/web/debug/DebugFilter.java

@@ -48,10 +48,11 @@ public final class DebugFilter implements Filter {
         HttpServletResponse response = (HttpServletResponse) srvltResponse;
 
         List<Filter> filters = getFilters(request);
-        logger.info("Request received for '" + UrlUtils.buildRequestUrl(request) + "':\n\n" +
+        logger.info("Request received for " + request.getMethod() + " '" + UrlUtils.buildRequestUrl(request) + "':\n\n" +
                 request + "\n\n" +
                 "servletPath:" + request.getServletPath() + "\n" +
-                "pathInfo:" + request.getPathInfo() + "\n\n" +
+                "pathInfo:" + request.getPathInfo() + "\n" +
+                "headers: \n" + formatHeaders(request) + "\n\n" +
                 formatFilters(filters));
 
         if (request.getAttribute(ALREADY_FILTERED_ATTR_NAME) == null) {
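Review bot: The new `headers:` section of this `logger.info` call writes every request header verbatim, so the values of `Authorization`, `Proxy-Authorization` and `Cookie` (credentials and session identifiers) land in the log for each request while the debug filter is enabled. Anyone with read access to that log, or to wherever it is shipped, could reuse them. I would have `formatHeaders` (added in the next hunk of this file) print those header names with a fixed marker such as `<masked>` instead of the value. I would also add a sentence to the class Javadoc stating that the output contains request headers and must be handled as sensitive. The body of `doFilter` starts and ends outside this hunk.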
@@ -73,6 +74,25 @@ public final class DebugFilter implements Filter {
         }
     }
 
+    String formatHeaders(HttpServletRequest request) {
+        StringBuilder sb = new StringBuilder();
+        Enumeration<String> eHeaderNames = request.getHeaderNames();
+        while(eHeaderNames.hasMoreElements()) {
+            String headerName = eHeaderNames.nextElement();
+            sb.append(headerName);
+            sb.append(": ");
+            Enumeration<String> eHeaderValues = request.getHeaders(headerName);
+            while(eHeaderValues.hasMoreElements()) {
+                sb.append(eHeaderValues.nextElement());
+                if(eHeaderValues.hasMoreElements()) {
+                    sb.append(", ");
+                }
+            }
+            sb.append("\n");
+        }
+        return sb.toString();
+    }
+
     String formatFilters(List<Filter> filters) {
         StringBuilder sb = new StringBuilder();
         sb.append("Security filter chain: ");
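Review bot: `formatHeaders` uses the result of `request.getHeaderNames()` without a null check, although the Servlet API documents that a container may return `null` there when it does not allow header access; the outer `while` would then throw and the debug filter would fail a request it is only supposed to log. A guard before the loop, `if (eHeaderNames == null) { return ""; }`, avoids that, and the inner `request.getHeaders(headerName)` deserves the same treatment. The method also has no comment; a short Javadoc saying that it renders one `name: value1, value2` line per header, each terminated by a newline, would document the format the test pins. `formatFilters` at the end of the hunk continues outside it.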

+ 36 - 3
web/src/test/java/org/springframework/security/web/debug/DebugFilterTest.java

@@ -1,5 +1,6 @@
 package org.springframework.security.web.debug;
 
+import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Matchers.eq;
@@ -7,6 +8,8 @@ import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
+import java.util.Collections;
+
 import javax.servlet.FilterChain;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
@@ -21,10 +24,8 @@ import org.mockito.Mock;
 import org.powermock.core.classloader.annotations.PrepareOnlyThisForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
 import org.powermock.reflect.internal.WhiteboxImpl;
+import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.web.FilterChainProxy;
-import org.springframework.security.web.debug.DebugFilter;
-import org.springframework.security.web.debug.DebugRequestWrapper;
-import org.springframework.security.web.debug.Logger;
 
 /**
  *
@@ -36,6 +37,9 @@ import org.springframework.security.web.debug.Logger;
 public class DebugFilterTest {
     @Captor
     private ArgumentCaptor<HttpServletRequest> requestCaptor;
+    @Captor
+    private ArgumentCaptor<String> logCaptor;
+
     @Mock
     private HttpServletRequest request;
     @Mock
@@ -53,6 +57,7 @@ public class DebugFilterTest {
 
     @Before
     public void setUp() {
+        when(request.getHeaderNames()).thenReturn(Collections.enumeration(Collections.<String>emptyList()));
         when(request.getServletPath()).thenReturn("/login");
         filter = new DebugFilter(fcp);
         WhiteboxImpl.setInternalState(filter, Logger.class, logger);
@@ -92,4 +97,32 @@ public class DebugFilterTest {
 
         verify(fcp).doFilter(fireWalledRequest, response, filterChain);
     }
+
+    @Test
+    public void doFilterLogsProperly() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setMethod("GET");
+        request.setServletPath("/path");
+        request.setPathInfo("/");
+        request.addHeader("A", "A Value");
+        request.addHeader("A", "Another Value");
+        request.addHeader("B", "B Value");
+
+        filter.doFilter(request, response, filterChain);
+
+        verify(logger).info(logCaptor.capture());
+
+        assertThat(logCaptor.getValue()).isEqualTo("Request received for GET '/path/':\n" +
+                "\n" +
+                request + "\n" +
+                "\n" +
+                "servletPath:/path\n" +
+                "pathInfo:/\n" +
+                "headers: \n" +
+                "A: A Value, Another Value\n" +
+                "B: B Value\n" +
+                "\n" +
+                "\n" +
+                "Security filter chain: no match");
+    }
 }
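Review bot: In `doFilterLogsProperly` the local `MockHttpServletRequest request` shadows the `@Mock` field `request` of the test class, so it is easy to misread which object the `setUp` stubbing applies to; renaming it, e.g. `MockHttpServletRequest mockRequest = new MockHttpServletRequest();`, removes the ambiguity. The test only covers harmless headers (`A`, `B`); a second case that adds an `Authorization` or `Cookie` header would pin what the filter is expected to write to the log for credential-bearing headers. The expected string also embeds `request + "\n"`, which ties the assertion to the mock's `toString()` output; a comment saying this is intentional would help.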