Spring Security OAuth2事件日志

时间:2014-01-29 14:11:52

标签: spring-security oauth-2.0

我们需要在我们的应用程序中包含OAuth2。为此,我们选择了春季安全作为一种方法。我检查了Spraklr2& Tonr2示例项目来自spring security projects页面。它工作正常。

我们的新要求是,作为outh2提供商,我们必须保存每个请求日志(来自资源所有者的请求)。我们必须保存客户端ID,资源所有者用户名,请求的URL(资源服务器上的资源),授权等..

我用Google搜索了一段时间,但没有发现任何线索。

有人可以帮助我实现这个想法..

提前致谢

3 个答案:

答案 0 :(得分:0)

如果您要将所有请求记录到/ oauth / authorize和/ oauth / token,则可以通过实现自己的端点来实现,这些端点将分别委托对AuthorizationEndpoint和TokenEndpoint的调用。

你必须在XML文件中配置它,当然......

答案 1 :(得分:0)

如果你没有找到答案,下面是我用来拦截请求的方法..

 <http  path-type="regex" 
    create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager" 
    use-expressions="true"     
    xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false" />
    <custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilterSecurityInterceptor" />
    <intercept-url pattern="/soap/*" access="isAnonymous()" method="GET" />
    <intercept-url pattern="/advisor/[0-9a-zA-Z_]/all/clients/[0-9]/[0-9]" access="isFullyAuthenticated()"/>
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
    <expression-handler ref="oauthWebExpressionHandler" />
</http>


<bean id="myFilterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="affirmativeBasedAccessDecisionManager"/>
    <property name="securityMetadataSource" ref="myCustomBean"/>
</bean>

<bean id="affirmativeBasedAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <constructor-arg>
        <list>
            <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>
            <bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </list>
    </constructor-arg>
</bean>

<bean id="myCustomBean" class="MyCustomClass">
    <constructor-arg>
        <util:map />
    </constructor-arg>
</bean>

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
  <authentication-provider>
    <jdbc-user-service data-source-ref="dataSource"
      users-by-username-query=
        "select username,password, enabled from oauth_users where username=?"
      authorities-by-username-query=
        "select username, role from oauth_user_roles where username =?  " />
  </authentication-provider>
</authentication-manager>

<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="realm" />
</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
  <constructor-arg>
    <list>
      <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
      <bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
    </list>
  </constructor-arg>
</bean>

    <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<oauth:web-expression-handler id="oauthWebExpressionHandler" />

public class MyCustomClass扩展DefaultFilterInvocationSecurityMetadataSource {

public APILibSecurityMetadataSource(
        LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap) { 
    super(requestMap);
}

@Override
public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
System.out.println(" My code in MyCustomClass Interceptor");    
}

}

答案 2 :(得分:0)

当使用Spring Oauth对用户进行身份验证时,它会向AuthenticationEventPublisher发布一个事件。您可以创建一个实现AuthenticationEventPublisher的组件,如下所示:

@Component
public class AuditEvent implements AuthenticationEventPublisher{
    @Override
    public void publishAuthenticationSuccess(Authentication authentication) {
        if(authentication instanceof UsernamePasswordAuthenticationToken) {
            log(authentication.getName(), "Authentication successful");
        }
    }

    @Override
    public void publishAuthenticationFailure(AuthenticationException exception, Authentication authentication) {
        log(authentication.getName(),"Authentication Failure:");
    }
}

并检查身份验证是否为UsernamePasswordAuthenticationToken类型。这将为您提供登录事件,您可以根据需要进行记录。