
I have implemented Spring Security OAuth2 to protect different services.

Now I need to log the client IP, client ID, requested service, request URL and event type, such as "Authentication Failure", "Authorization failure" and so on.

I came up with the following:

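```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

public class Events implements ApplicationListener<ApplicationEvent> {
    private static Logger log = LoggerFactory.getLogger(Events.class);

    @Override
    public void onApplicationEvent(ApplicationEvent appEvent) {

        // Successful authentication: principal and remote address are available.
        if (appEvent instanceof AuthenticationSuccessEvent) {
            AuthenticationSuccessEvent event = (AuthenticationSuccessEvent) appEvent;

            long timestamp = event.getTimestamp();

            User user = (User) event.getAuthentication().getPrincipal();

            System.out.println("client " + user.getUsername() + " has been authenticated successfully.");

            UsernamePasswordAuthenticationToken source = (UsernamePasswordAuthenticationToken) event.getSource();

            // The details object only carries the remote address and session id.
            WebAuthenticationDetails details = (WebAuthenticationDetails) source.getDetails();

            System.out.println("remote ip is " + details.getRemoteAddress());
        }

        // Access denied for an already authenticated caller.
        if (appEvent instanceof AuthorizationFailureEvent) {
            //TODO
            ((AuthorizationFailureEvent) appEvent).getAccessDeniedException();
        }

        // Any authentication failure (bad credentials, locked account, ...).
        if (appEvent instanceof AbstractAuthenticationFailureEvent) {
            System.out.println("Sorry, authenticated for client " + appEvent.getSource().toString() + " failure.");
        }
    }
}
```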

Because the request is asynchronous, I don't know how to get the request from the context. If I can get the `HttpServletRequest`, I can get almost everything.

Lex Xiao
  • The event has the `Authentication`, which in turn contains the details, which for a web application are [`WebAuthenticationDetails`](http://docs.spring.io/autorepo/docs/spring-security/3.2.5.RELEASE/apidocs/org/springframework/security/web/authentication/WebAuthenticationDetails.html). This mechanism is pluggable and you could create your own populator for the details to include what you need it to include. – M. Deinum Sep 22 '15 at 07:28
  • Hi Deinum, it only includes the `getRemoteAddress` method that I want, not all of the required fields. – Lex Xiao Sep 23 '15 at 06:06
  • As mentioned, you can create your own details and have those injected to include all the properties you want. Create a class that implements `AuthenticationDetailsSource` and implement the `buildDetails` method. – M. Deinum Sep 23 '15 at 07:02
  • Thanks. I encountered a new issue: events are triggered when authentication succeeds or fails, but the event won't fire when the request is authorized. Do you know how to resolve it? – Lex Xiao Sep 23 '15 at 12:10

1 Answer

Refer to this. I have added `RequestContextFilter` in web.xml.

```xml
<filter>
  <filter-name>requestContextFilter</filter-name>
  <filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
  <init-param>
    <param-name>threadContextInheritable</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>requestContextFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

It works well.

Community
Lex Xiao
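One way to write the listener once `RequestContextFilter` is registered as in the answer above, reading the current request through `RequestContextHolder`. This is an added example, not code from the original post: the class name `SecurityAuditListener` and the log format are assumptions, and it uses the `javax.servlet` API of that Spring generation.

```java
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// Hypothetical class name; register it as a bean so Spring delivers security events to it.
public class SecurityAuditListener implements ApplicationListener<ApplicationEvent> {
    private static final Logger log = LoggerFactory.getLogger(SecurityAuditListener.class);

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationSuccessEvent) {
            audit("Authentication Success", ((AuthenticationSuccessEvent) event).getAuthentication());
        } else if (event instanceof AbstractAuthenticationFailureEvent) {
            audit("Authentication Failure", ((AbstractAuthenticationFailureEvent) event).getAuthentication());
        } else if (event instanceof AuthorizationFailureEvent) {
            audit("Authorization Failure", ((AuthorizationFailureEvent) event).getAuthentication());
        }
    }

    private void audit(String eventType, Authentication auth) {
        String clientId = auth != null ? auth.getName() : "unknown";
        RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
        if (!(attrs instanceof ServletRequestAttributes)) {
            // No request bound to this thread (filter not mapped, or a non-web caller).
            log.warn("event={} client={} request=unavailable", eventType, clean(clientId));
            return;
        }
        HttpServletRequest req = ((ServletRequestAttributes) attrs).getRequest();
        log.info("event={} client={} ip={} method={} url={}", eventType, clean(clientId),
                req.getRemoteAddr(), req.getMethod(), clean(req.getRequestURL().toString()));
    }

    // Client id and URL are caller-controlled: neutralise CR/LF/TAB so they cannot forge log lines.
    private static String clean(String value) {
        return value == null ? "" : value.replaceAll("[\\r\\n\\t]", "_");
    }
}
```

Behind a reverse proxy `getRemoteAddr()` returns the proxy's address rather than the client's. Spring's Javadoc warns against `threadContextInheritable` when child threads come from a pool that adds threads on demand, because the inherited request context is then exposed to the pooled thread.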