Describe the bug
When using the AbstractRequestLoggingFilter it calls request.getRemoteUser() to fetch the username of the current request.
In https://github.com/spring-projects/spring-security/blob/f614a8230c84a505597de0bd6380e5e2fea117ea/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java#L102
This class fetches the Authentication object (JwtAuthenticationToken) and eventually calls auth.getPrincipal().toString(). The JwtAuthenticationToken toString() method is not implemented so this logs out an object reference.
I am not sure of the cleanest approach here to log out the user properly. Since the Jwt has no implementation of toString() one could be added to return the subject. Alternatively, some method of calling getName() on the JwtAuthenticationToken would return the subject too.
To Reproduce
Use AbstractRequestLoggingFilter on Jwt bearer tokens
Expected behavior
The user field is populated with the token subject
Comment From: jzheaux
Hi, @quom, thanks for the report. I'd be happy to look into this.
This class fetches the Authentication object (JwtAuthenticationToken) and eventually calls auth.getPrincipal().toString().
This may be taken care of in 5.5, which introduces a call to Authentication#getName in the method you linked to.
Can you try on the latest and see if that addresses your issue? If not, please submit a sample application using the latest Spring Security milestone so we can take a closer look.
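As an added regression check (not code from the issue or from the Spring Security project), the JUnit 5 test below verifies that SecurityContextHolderAwareRequestWrapper#getRemoteUser resolves the JWT subject through Authentication#getName, as described for 5.5. It assumes spring-security-web, spring-security-oauth2-resource-server, spring-test and JUnit 5 on the classpath; the token value, subject and header values are constructed sample data.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;

import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;

class JwtRemoteUserTest {

    @AfterEach
    void clearContext() {
        // Never leak the test Authentication into other tests on the same thread.
        SecurityContextHolder.clearContext();
    }

    @Test
    void remoteUserIsJwtSubject() {
        // Constructed sample token: only the claims the wrapper needs are set.
        Jwt jwt = Jwt.withTokenValue("sample-token-value")
                .header("alg", "none")
                .subject("alice")
                .build();
        SecurityContextHolder.getContext().setAuthentication(new JwtAuthenticationToken(jwt));

        SecurityContextHolderAwareRequestWrapper wrapper =
                new SecurityContextHolderAwareRequestWrapper(new MockHttpServletRequest(), "ROLE_");

        // The value AbstractRequestLoggingFilter puts in the "user" field.
        // Before the getName() change this was the Jwt object reference (e.g. Jwt@1a2b3c).
        assertEquals("alice", wrapper.getRemoteUser());
    }

    @Test
    void remoteUserIsNullWithoutAuthentication() {
        // Unauthenticated requests must not produce a bogus user in the log line.
        SecurityContextHolderAwareRequestWrapper wrapper =
                new SecurityContextHolderAwareRequestWrapper(new MockHttpServletRequest(), "ROLE_");
        assertNull(wrapper.getRemoteUser());
    }
}
```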
Comment From: quom
Oh, thank you for getting back quickly. It does appear that this solves the problem (although I haven't tested it yet). I will reopen this if the issue persists.