Spring 安全性未在 ApplicationListener 中捕获登录失败
Spring Security not catching login failures in ApplicationListener
我正在使用 Spring Security 3.2.5.RELEASE,但我很难捕捉到失败的登录尝试。我目前有一个 ApplicationListener
配置如下:
@Component
public class MyApplicationListener implements ApplicationListener<AbstractAuthenticationEvent> {
private static Logger logger = LogManager.getLogger(MyApplicationListener);
@Override
public void onApplicationEvent(AbstractAuthenticationEvent abstractAuthenticationEvent) {
if (abstractAuthenticationEvent instanceof AbstractAuthenticationFailureEvent) {
logger.warn("Detected an invalid login");
} else if (abstractAuthenticationEvent instanceof AuthenticationSuccessEvent) {
logger.info("A user logged in successfully");
}
}
}
如果用户成功登录,我可以按预期看到成功消息。但是,如果用户提供了错误的密码等,则不会显示失败消息。
我更改了侦听器,因此它记录所有 ApplicationEvent
如下:
@Component
public class MyApplicationListener implements ApplicationListener<ApplicationEvent> {
private static Logger logger = LogManager.getLogger(MyApplicationListener);
@Override
public void onApplicationEvent(ApplicationEvent applicationEvent) {
logger.info("Got an event of type {}", applicationEvent.getClass());
}
}
但是,记录的唯一与安全相关的事件类型为 org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent
。登录失败不会触发任何事件。如果有任何指点,我将不胜感激。
也许有点晚了,但我遇到了同样的问题并以这种方式解决:
在您的 configureGlobal 方法中:
auth.authenticationEventPublisher(defaultAuthenticationEventPublisher());
不要忘记将 DefaultAuthenticationEventPublisher 声明为 Bean
@Bean
public DefaultAuthenticationEventPublisher defaultAuthenticationEventPublisher(){
return new DefaultAuthenticationEventPublisher();
}
更多信息在这里:
Why the event AbstractAuthenticationFailureEvent is never triggered in spring security?
我正在使用 Spring Security 3.2.5.RELEASE,但我很难捕捉到失败的登录尝试。我目前有一个 ApplicationListener
配置如下:
@Component
public class MyApplicationListener implements ApplicationListener<AbstractAuthenticationEvent> {
private static Logger logger = LogManager.getLogger(MyApplicationListener);
@Override
public void onApplicationEvent(AbstractAuthenticationEvent abstractAuthenticationEvent) {
if (abstractAuthenticationEvent instanceof AbstractAuthenticationFailureEvent) {
logger.warn("Detected an invalid login");
} else if (abstractAuthenticationEvent instanceof AuthenticationSuccessEvent) {
logger.info("A user logged in successfully");
}
}
}
如果用户成功登录,我可以按预期看到成功消息。但是,如果用户提供了错误的密码等,则不会显示失败消息。
我更改了侦听器,因此它记录所有 ApplicationEvent
如下:
@Component
public class MyApplicationListener implements ApplicationListener<ApplicationEvent> {
private static Logger logger = LogManager.getLogger(MyApplicationListener);
@Override
public void onApplicationEvent(ApplicationEvent applicationEvent) {
logger.info("Got an event of type {}", applicationEvent.getClass());
}
}
但是,记录的唯一与安全相关的事件类型为 org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent
。登录失败不会触发任何事件。如果有任何指点,我将不胜感激。
也许有点晚了,但我遇到了同样的问题并以这种方式解决:
在您的 configureGlobal 方法中:
auth.authenticationEventPublisher(defaultAuthenticationEventPublisher());
不要忘记将 DefaultAuthenticationEventPublisher 声明为 Bean
@Bean
public DefaultAuthenticationEventPublisher defaultAuthenticationEventPublisher(){
return new DefaultAuthenticationEventPublisher();
}
更多信息在这里: Why the event AbstractAuthenticationFailureEvent is never triggered in spring security?