Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java =================================================================== diff -u -r4db2093b71e0412505523eeec2825c1b0474f66d -rbfd5c97945c7bafc8a2f22202fbdb93652c1bed2 --- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 4db2093b71e0412505523eeec2825c1b0474f66d) +++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision bfd5c97945c7bafc8a2f22202fbdb93652c1bed2) @@ -34,6 +34,7 @@ import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.math.NumberUtils; +import org.apache.log4j.Logger; import org.lamsfoundation.lams.logevent.LogEvent; import org.lamsfoundation.lams.logevent.service.ILogEventService; import org.lamsfoundation.lams.usermanagement.User; @@ -68,6 +69,8 @@ private static ILogEventService logEventService = null; private static IUserManagementService userManagementService = null; + private static Logger log = Logger.getLogger(SsoHandler.class); + private static final String REDIRECT_KEY = "io.undertow.servlet.form.auth.redirect.location"; static final String KEEP_SESSION_ID_KEY = "lams.keepSessionId"; @@ -100,6 +103,9 @@ // recreate session here in case it was invalidated in login.jsp by sysadmin's LoginAs HttpSession session = request.getSession(); + UserDTO loggedInUserDTO = (UserDTO) session.getAttribute(AttributeNames.USER); + String loggedInLogin = loggedInUserDTO == null ? "" : loggedInUserDTO.getLogin() + " "; + /* * Fetch UserDTO before completing request, so putting it later in session is done ASAP * Response is sent in another thread and if UserDTO is not present in session when browser completes 
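Review bot: The new logger field in the `@@ -68,6 +69,8 @@` hunk is declared `private static Logger log` without `final`, so it is a mutable class-level reference for no reason. A logger obtained once per class is a constant and should read `private static final Logger log = Logger.getLogger(SsoHandler.class);`, matching the `REDIRECT_KEY` constant directly below it. The enclosing class body continues outside the hunk.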
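Review bot: In the `@@ -100,6 +103,9 @@` hunk, `loggedInLogin` encodes its own separator by appending a trailing space (`loggedInUserDTO.getLogin() + " "`), so every message that uses it later has to remember not to add a space before it and to add one after it; the `"to " + redirectURL + "as provided"` message in the `@@ -163` hunk shows how easily that breaks. Keep the variable a plain value, `String loggedInLogin = loggedInUserDTO == null ? "" : loggedInUserDTO.getLogin();`, and let each message insert its own spacing. The `@@ -163` hunk also re-reads the same `AttributeNames.USER` session attribute into `loggedInUser`; if `session` is not reassigned in between (the intervening code is outside these hunks), the first value can be reused. The enclosing method starts before this hunk.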
@@ -110,19 +116,36 @@ if (StringUtils.isBlank(login)) { SsoHandler.clearLoginSessionAttributes(session); SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?failed=true"); + + if (log.isDebugEnabled()) { + log.debug("Redirecting user " + loggedInLogin + + "back to login page as he did not provide user name in login form."); + } return; } User user = SsoHandler.getUserManagementService(session.getServletContext()).getUserByLogin(login); if (user == null) { SsoHandler.clearLoginSessionAttributes(session); SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?failed=true"); + + if (log.isDebugEnabled()) { + log.debug("Redirecting user " + loggedInLogin + "back to login page as provided login \"" + + login + "\" does not exist in system."); + } + return; } UserDTO userDTO = user.getUserDTO(); String password = request.getParameter("j_password"); if (user.getLockOutTime() != null && user.getLockOutTime().getTime() > System.currentTimeMillis()) { SsoHandler.clearLoginSessionAttributes(session); SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?lockedOut=true"); + + if (log.isDebugEnabled()) { + log.debug("Redirecting user " + loggedInLogin + "back to login page as provided login \"" + + login + "\" is locked out."); + } + return; } @@ -155,6 +178,12 @@ redirectURL = "/lams/loginTwoFactorAuth.jsp" + ((verificationCodeStr == null) ? "" : "?failed=true"); response.sendRedirect(redirectURL); + + if (log.isDebugEnabled()) { + log.debug("Redirecting user " + loggedInLogin + + "back to 2FA page as token for provided login \"" + login + "\" is incorrect."); + } + return; } } 
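Review bot: The new debug messages in this hunk (and in `@@ -155`, `@@ -163`, `@@ -175` and `@@ -202`) embed `login` verbatim inside quotes, and `login` appears to be the raw value from the login form (its declaration is before this hunk), so a value containing line breaks or quote characters would be written into the server log unaltered and could make one submission look like several log entries. Normalise it once after the `isBlank` check, e.g. `String loginForLog = login.replaceAll("[\\r\\n\\t]", "_");`, and use `loginForLog` in every message; the `user` and `loggedInUserDTO` logins come from the database and need no such treatment. The three `if (log.isDebugEnabled()) { log.debug("Redirecting user " + ...); }` blocks are near-identical and would read better as one private helper taking the reason text. The enclosing method starts before and ends after this hunk.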
@@ -163,6 +192,11 @@ UserDTO loggedInUser = session == null ? null : (UserDTO) session.getAttribute(AttributeNames.USER); if (isPasswordToken && loggedInUser != null && loggedInUser.getLogin().equals(login)) { response.sendRedirect(redirectURL); + + if (log.isDebugEnabled()) { + log.debug("Redirecting user " + loggedInLogin + "to " + redirectURL + "as provided login \"" + + login + "\" is already logged in."); + } return; } @@ -175,6 +209,9 @@ String oldSessionID = session.getId(); + if (log.isDebugEnabled()) { + log.debug("Authenticating user " + loggedInLogin + "with login \"" + login + "\""); + } // do the logging in UniversalLoginModule or cache handler.handleRequest(exchange); @@ -202,6 +239,12 @@ failedAttempts = failedAttempts == null ? 1 : Math.min(failedAttempts + 1, failedAttemptsConfig); user.setFailedAttempts(failedAttempts); + if (log.isDebugEnabled()) { + if (log.isDebugEnabled()) { + log.debug("User " + loggedInLogin + "with login \"" + login + "\" failed to authenticate."); + } + } + if (failedAttempts >= failedAttemptsConfig) { Integer lockOutTimeConfig = Configuration.getAsInt(ConfigurationKeys.LOCK_OUT_TIME); Long lockOutTimeMillis = lockOutTimeConfig * 60L * 1000; @@ -214,6 +257,12 @@ .append(failedAttempts).append(" failed attempts.").toString(); SsoHandler.getLogEventService(session.getServletContext()).logEvent( LogEvent.TYPE_ACCOUNT_LOCKED, user.getUserId(), user.getUserId(), null, null, message); + + if (log.isDebugEnabled()) { + if (log.isDebugEnabled()) { + log.debug(message); + } + } } SsoHandler.getUserManagementService(session.getServletContext()).save(user); @@ -308,6 +357,10 @@ .append(") logged in from IP ").append(clientIP).toString(); SsoHandler.getLogEventService(SessionManager.getServletContext()).logEvent(LogEvent.TYPE_LOGIN, user.getUserID(), user.getUserID(), null, null, message); + + if (log.isDebugEnabled()) { + log.debug(message); + } } private static void clearLoginSessionAttributes(HttpSession session) { 
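Review bot: The message in this hunk is missing a space before "as": with `redirectURL` inserted it reads `...to /lams/...jspas provided login...`. Change the second line to `log.debug("Redirecting user " + loggedInLogin + "to " + redirectURL + " as provided login \""`. The enclosing method starts before and ends after this hunk.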
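Review bot: The `@@ -202,6 +239,12 @@` hunk and the `@@ -214,6 +257,12 @@` hunk both wrap the call in two nested `if (log.isDebugEnabled())` checks; the inner one is a copy of the outer and does nothing. Collapse each to a single guard, e.g. `if (log.isDebugEnabled()) { log.debug("User " + loggedInLogin + "with login \"" + login + "\" failed to authenticate."); }` and `if (log.isDebugEnabled()) { log.debug(message); }` respectively. The enclosing method starts before and ends after both hunks.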
@@ -317,12 +370,12 @@ session.removeAttribute("integratedLogoutURL"); } - private static void logLogout(UserDTO user) { - String message = new StringBuilder("User ").append(user.getLogin()).append(" (").append(user.getUserID()) - .append(") got logged out from another browser").toString(); - SsoHandler.getLogEventService(SessionManager.getServletContext()).logEvent(LogEvent.TYPE_LOGOUT, - user.getUserID(), user.getUserID(), null, null, message); - } +// private static void logLogout(UserDTO user) { +// String message = new StringBuilder("User ").append(user.getLogin()).append(" (").append(user.getUserID()) +// .append(") got logged out from another browser").toString(); +// SsoHandler.getLogEventService(SessionManager.getServletContext()).logEvent(LogEvent.TYPE_LOGOUT, +// user.getUserID(), user.getUserID(), null, null, message); +// } private static IUserManagementService getUserManagementService(ServletContext context) { if (SsoHandler.userManagementService == null) {
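Review bot: `logLogout` is commented out rather than removed, which leaves dead text in the class that version control already preserves; delete the six `//` lines, or if the method is meant to return, say so in a one-line comment above it. If any call site still references `logLogout` (none is visible in this diff), the file will not compile. Note also that this was the only place a `LogEvent.TYPE_LOGOUT` event was recorded for a user logged out from another browser, so if its caller was removed in the same commit that audit event is no longer written anywhere in this file. The surrounding class body continues outside the hunk.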