Security best practices requires all Authentication related events to be logged in defined format and sometimes event should be handled in special way.
Spring security has its own Security Event log implementation and default repository (in memory repository) If you need to provide your own implementation you need to add custom configuration class.
The class should implement the generic ApplicationListener interface for specified event type. In my example I listen for all events (AbstractAuthenticationEvent type). If you need less, you can specify one of its subclasses only.
Here I only log the event, but you can implement your business logic as required. Event object has a timestamp, remote IP address, user login and event type:
import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.context.ApplicationListener; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.event.AbstractAuthenticationEvent; import org.springframework.security.core.Authentication; @Configuration public class AuditEventLogConfiguration implements ApplicationListener<AbstractAuthenticationEvent> { private final Logger log = LoggerFactory.getLogger(this.getClass()); @Override public void onApplicationEvent(AbstractAuthenticationEvent event) { //do whatever you need with your event log.info(event.toString()); } }
Did I help you?
I manage this blog and share my knowledge for free, sacrificing my time. If you appreciate it and find this information helpful, please consider making a donation in order to keep this page alive and improve quality
Thank You!
Thank you!! Very helpful!!!