我正在使用Spring Security 3.2.5.RELEASE并且无法捕获失败的登录尝试。我目前的ApplicationListener配置如下:
@Component
public class MyApplicationListener implements ApplicationListener<AbstractAuthenticationEvent> {
private static Logger logger = LogManager.getLogger(MyApplicationListener);
@Override
public void onApplicationEvent(AbstractAuthenticationEvent abstractAuthenticationEvent) {
if (abstractAuthenticationEvent instanceof AbstractAuthenticationFailureEvent) {
logger.warn("Detected an invalid login");
} else if (abstractAuthenticationEvent instanceof AuthenticationSuccessEvent) {
logger.info("A user logged in successfully");
}
}
}
如果用户成功登录,我可以按预期看到成功消息。但是,如果用户提供了错误的密码等,则失败消息永远不会显示。
我更改了监听器,因此它记录了所有ApplicationEvent,如下所示:
@Component
public class MyApplicationListener implements ApplicationListener<ApplicationEvent> {
private static Logger logger = LogManager.getLogger(MyApplicationListener);
@Override
public void onApplicationEvent(ApplicationEvent applicationEvent) {
logger.info("Got an event of type {}", applicationEvent.getClass());
}
}
但是,记录的唯一与安全相关的事件属于org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent类型。登录失败不会触发任何事件。我很感激任何指示,谢谢。
答案 0 :(得分:4)
也许有点晚了,但我遇到了同样的问题并以这种方式解决:
在configureGlobal方法中:
auth.authenticationEventPublisher(defaultAuthenticationEventPublisher());
别忘了将DefaultAuthenticationEventPublisher声明为Bean
@Bean
public DefaultAuthenticationEventPublisher defaultAuthenticationEventPublisher(){
return new DefaultAuthenticationEventPublisher();
}
更多信息: Why the event AbstractAuthenticationFailureEvent is never triggered in spring security?