Halaman utama Jelajahi Bantuan
Daftar Masuk
github
/
spring-security
cermin dari https://github.com/spring-projects/spring-security
2
0
Fork 0
Berkas Masalah 0 Wiki
Pohon: 901b386ca6
Ranting Tag
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
authorization
/
events.adoc

events.adoc 4.7 KB
Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168 
  1. [[servlet-events]]
    2. 

  2. = Authorization Events
    3. 

  3. 

  4. For each authorization that is denied, an `AuthorizationDeniedEvent` is fired.
    5. 

  5. Also, it's possible to fire an `AuthorizationGrantedEvent` for authorizations that are granted.
    6. 

  6. 

  7. To listen for these events, you must first publish an `AuthorizationEventPublisher`.
    8. 

  8. 

  9. Spring Security's `SpringAuthorizationEventPublisher` will probably do fine.
    10. 

  10. It comes publishes authorization events using Spring's `ApplicationEventPublisher`:
    11. 

  11. 

  12. [tabs]
    13. 

  13. ======
    14. 

  14. Java::
    15. 

  15. +
    16. 

  16. [source,java,role="primary"]
    17. 

  17. ----
    18. 

  18. @Bean
    19. 

  19. public AuthorizationEventPublisher authorizationEventPublisher
    20. 

  20.         (ApplicationEventPublisher applicationEventPublisher) {
    21. 

  21.     return new SpringAuthorizationEventPublisher(applicationEventPublisher);
    22. 

  22. }
    23. 

  23. ----
    24. 

  24. 

  25. Kotlin::
    26. 

  26. +
    27. 

  27. [source,kotlin,role="secondary"]
    28. 

  28. ----
    29. 

  29. @Bean
    30. 

  30. fun authorizationEventPublisher
    31. 

  31.         (applicationEventPublisher: ApplicationEventPublisher?): AuthorizationEventPublisher {
    32. 

  32.     return SpringAuthorizationEventPublisher(applicationEventPublisher)
    33. 

  33. }
    34. 

  34. ----
    35. 

  35. ======
    36. 

  36. 

  37. Then, you can use Spring's `@EventListener` support:
    38. 

  38. 

  39. [tabs]
    40. 

  40. ======
    41. 

  41. Java::
    42. 

  42. +
    43. 

  43. [source,java,role="primary"]
    44. 

  44. ----
    45. 

  45. @Component
    46. 

  46. public class AuthenticationEvents {
    47. 

  47. 

  48.     @EventListener
    49. 

  49.     public void onFailure(AuthorizationDeniedEvent failure) {
    50. 

  50. 		// ...
    51. 

  51.     }
    52. 

  52. }
    53. 

  53. ----
    54. 

  54. 

  55. Kotlin::
    56. 

  56. +
    57. 

  57. [source,kotlin,role="secondary"]
    58. 

  58. ----
    59. 

  59. @Component
    60. 

  60. class AuthenticationEvents {
    61. 

  61. 

  62.     @EventListener
    63. 

  63.     fun onFailure(failure: AuthorizationDeniedEvent?) {
    64. 

  64.         // ...
    65. 

  65.     }
    66. 

  66. }
    67. 

  67. ----
    68. 

  68. ======
    69. 

  69. 

  70. [[authorization-granted-events]]
    71. 

  71. == Authorization Granted Events
    72. 

  72. 

  73. Because ``AuthorizationGrantedEvent``s have the potential to be quite noisy, they are not published by default.
    74. 

  74. 

  75. In fact, publishing these events will likely require some business logic on your part to ensure that your application is not inundated with noisy authorization events.
    76. 

  76. 

  77. You can create your own event publisher that filters success events.
    78. 

  78. For example, the following publisher only publishes authorization grants where `ROLE_ADMIN` was required:
    79. 

  79. 

  80. [tabs]
    81. 

  81. ======
    82. 

  82. Java::
    83. 

  83. +
    84. 

  84. [source,java,role="primary"]
    85. 

  85. ----
    86. 

  86. @Component
    87. 

  87. public class MyAuthorizationEventPublisher implements AuthorizationEventPublisher {
    88. 

  88.     private final ApplicationEventPublisher publisher;
    89. 

  89.     private final AuthorizationEventPublisher delegate;
    90. 

  90. 

  91.     public MyAuthorizationEventPublisher(ApplicationEventPublisher publisher) {
    92. 

  92.         this.publisher = publisher;
    93. 

  93.         this.delegate = new SpringAuthorizationEventPublisher(publisher);
    94. 

  94.     }
    95. 

  95. 

  96.     @Override
    97. 

  97.     public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication,
    98. 

  98.         T object, AuthorizationResult result) {
    99. 

  99.         if (result == null) {
    100. 

  100.             return;
    101. 

  101.         }
    102. 

  102.         if (!result.isGranted()) {
    103. 

  103.             this.delegate.publishAuthorizationEvent(authentication, object, result);
    104. 

  104.             return;
    105. 

  105.         }
    106. 

  106.         if (shouldThisEventBePublished(result)) {
    107. 

  107.             AuthorizationGrantedEvent granted = new AuthorizationGrantedEvent(
    108. 

  108.                 authentication, object, result);
    109. 

  109.             this.publisher.publishEvent(granted);
    110. 

  110.         }
    111. 

  111.     }
    112. 

  112. 

  113.     private boolean shouldThisEventBePublished(AuthorizationResult result) {
    114. 

  114.         if (result instanceof AuthorityAuthorizationDecision authorityAuthorizationDecision) {
    115. 

  115.             Collection<GrantedAuthority> authorities = authorityAuthorizationDecision.getAuthorities();
    116. 

  116.             for (GrantedAuthority authority : authorities) {
    117. 

  117.                 if ("ROLE_ADMIN".equals(authority.getAuthority())) {
    118. 

  118.                     return true;
    119. 

  119.                 }
    120. 

  120.             }
    121. 

  121.         }
    122. 

  122.         return false;
    123. 

  123.     }
    124. 

  124. }
    125. 

  125. ----
    126. 

  126. 

  127. Kotlin::
    128. 

  128. +
    129. 

  129. [source,kotlin,role="secondary"]
    130. 

  130. ----
    131. 

  131. @Component
    132. 

  132. class MyAuthorizationEventPublisher(val publisher: ApplicationEventPublisher,
    133. 

  133.     val delegate: SpringAuthorizationEventPublisher = SpringAuthorizationEventPublisher(publisher)):
    134. 

  134.     AuthorizationEventPublisher {
    135. 

  135. 

  136.     override fun <T : Any?> publishAuthorizationEvent(
    137. 

  137.         authentication: Supplier<Authentication>?,
    138. 

  138.         `object`: T,
    139. 

  139.         result: AuthorizationResult?
    140. 

  140.     ) {
    141. 

  141.         if (result == null) {
    142. 

  142.             return
    143. 

  143.         }
    144. 

  144.         if (!result.isGranted) {
    145. 

  145.             this.delegate.publishAuthorizationEvent(authentication, `object`, result)
    146. 

  146.             return
    147. 

  147.         }
    148. 

  148.         if (shouldThisEventBePublished(result)) {
    149. 

  149.             val granted = AuthorizationGrantedEvent(authentication, `object`, result)
    150. 

  150.             this.publisher.publishEvent(granted)
    151. 

  151.         }
    152. 

  152.     }
    153. 

  153. 

  154.     private fun shouldThisEventBePublished(result: AuthorizationResult): Boolean {
    155. 

  155.         if (decision !is AuthorityAuthorizationDecision) {
    156. 

  156.             return false
    157. 

  157.         }
    158. 

  158.         val authorities = decision.authorities
    159. 

  159.         for (authority in authorities) {
    160. 

  160.             if ("ROLE_ADMIN" == authority.authority) {
    161. 

  161.                 return true
    162. 

  162.             }
    163. 

  163.         }
    164. 

  164.         return false
    165. 

  165.     }
    166. 

  166. }
    167. 

  167. ----
    168. 

  168. ======
    169.