Spring Boot + Spring Security authorization success audit

Question

Has anyone managed to get Spring Boot w/ Spring Security to handle AuthorizedEvents (i.e. for audit log)?

I have implemented the following application event listener:

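import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationListener;
import org.springframework.security.access.event.AuthorizedEvent;
import org.springframework.stereotype.Component;

@Component
public class AuthorizationSuccessAudit implements ApplicationListener<AuthorizedEvent> {

    // Dedicated "audit" logger so grants can be routed to their own appender
    private static final Logger auditLogger = LoggerFactory.getLogger("audit");

    @Override
    public void onApplicationEvent(AuthorizedEvent event) {
        // Log the principal name and the security attributes that were evaluated
        auditLogger.info("Authorization granted to user: {} - {}", event.getAuthentication().getName(), event.getConfigAttributes());
    }

}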

and have a test MVC endpoint annotated with @PreAuthorize. I was expecting that the Spring Security grants would show up in the log. While this works for every other event I used (AuthenticationSuccessEvent, AuthenticationFailureEvent, AbstractAuthenticationFailureEvent), it does not for the AuthorizedEvent.

I tried browsing the Spring Boot source and it seems this event is not handled in AuthorizationAuditListener.java. Is this possibly a bug, or am I hacking at it the wrong way?

Recommended answer

As per the Spring Boot documentation, use Spring Boot Actuator (audit framework for Spring Boot), and provide your own implementation of AbstractAuthorizationAuditListener.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
    <version>1.3.0.RELEASE</version>
</dependency>

And something like this:

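import org.springframework.boot.actuate.security.AbstractAuthorizationAuditListener;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.access.event.AbstractAuthorizationEvent;

class TestAuthorizationAuditListener extends AbstractAuthorizationAuditListener {

    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher publisher) {
        // Left empty in this skeleton
    }

    @Override
    public void onApplicationEvent(AbstractAuthorizationEvent event) {
        // Receives every authorization event; audit handling goes here
    }

}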
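An added example, not code from the answer or from Spring Boot: one way to fill in the listener skeleton above so that both granted and denied decisions become Actuator audit events. It assumes the security interceptor in use has been configured with setPublishAuthorizationSuccess(true), because AbstractSecurityInterceptor does not publish AuthorizedEvent by default; the class name and the AUTHORIZATION_SUCCESS type string are made up for this example.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import org.springframework.boot.actuate.audit.AuditEvent;
import org.springframework.boot.actuate.security.AbstractAuthorizationAuditListener;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.event.AbstractAuthorizationEvent;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.access.event.AuthorizedEvent;
import org.springframework.stereotype.Component;

// Hypothetical class name. Registering this bean takes the place of Spring Boot's
// default AuthorizationAuditListener, so denied decisions are handled here as well.
@Component
public class AuthorizationDecisionAuditListener extends AbstractAuthorizationAuditListener {

    static final String AUTHORIZATION_SUCCESS = "AUTHORIZATION_SUCCESS"; // assumed name
    static final String AUTHORIZATION_FAILURE = "AUTHORIZATION_FAILURE";

    @Override
    public void onApplicationEvent(AbstractAuthorizationEvent event) {
        if (event instanceof AuthorizedEvent) {
            AuthorizedEvent granted = (AuthorizedEvent) event;
            publish(new AuditEvent(granted.getAuthentication().getName(),
                    AUTHORIZATION_SUCCESS,
                    describe(granted, granted.getConfigAttributes())));
        } else if (event instanceof AuthorizationFailureEvent) {
            AuthorizationFailureEvent denied = (AuthorizationFailureEvent) event;
            Map<String, Object> data = describe(denied, denied.getConfigAttributes());
            data.put("reason", denied.getAccessDeniedException().getMessage());
            publish(new AuditEvent(denied.getAuthentication().getName(),
                    AUTHORIZATION_FAILURE, data));
        }
        // Other subclasses of AbstractAuthorizationEvent are ignored here.
    }

    // Record what was protected and which attributes were evaluated.
    // Only the principal name is used elsewhere; credentials are never copied.
    private Map<String, Object> describe(AbstractAuthorizationEvent event,
                                         Collection<ConfigAttribute> attributes) {
        Map<String, Object> data = new HashMap<>();
        data.put("securedObject", String.valueOf(event.getSource()));
        data.put("attributes", String.valueOf(attributes));
        return data;
    }
}
```

Success events fire on every secured invocation, so expect a much higher audit volume than with failures alone.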
