This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.5.3!spring-doc.cn

Authorization Events

For each authorization that is denied, an AuthorizationDeniedEvent is fired. Also, it’s possible to fire an AuthorizationGrantedEvent for authorizations that are granted.spring-doc.cn

To listen for these events, you must first publish an AuthorizationEventPublisher.spring-doc.cn

Spring Security’s SpringAuthorizationEventPublisher will probably do fine. It comes publishes authorization events using Spring’s ApplicationEventPublisher:spring-doc.cn

Javaspring-doc.cn
Kotlinspring-doc.cn

@Bean
public AuthorizationEventPublisher authorizationEventPublisher
        (ApplicationEventPublisher applicationEventPublisher) {
    return new SpringAuthorizationEventPublisher(applicationEventPublisher);
}

@Bean
fun authorizationEventPublisher
        (applicationEventPublisher: ApplicationEventPublisher?): AuthorizationEventPublisher {
    return SpringAuthorizationEventPublisher(applicationEventPublisher)
}

Then, you can use Spring’s @EventListener support:spring-doc.cn

Javaspring-doc.cn
Kotlinspring-doc.cn

@Component
public class AuthenticationEvents {

    @EventListener
    public void onFailure(AuthorizationDeniedEvent failure) {
		// ...
    }
}

@Component
class AuthenticationEvents {

    @EventListener
    fun onFailure(failure: AuthorizationDeniedEvent?) {
        // ...
    }
}

Authorization Granted Events

Because AuthorizationGrantedEvents have the potential to be quite noisy, they are not published by default.spring-doc.cn

In fact, publishing these events will likely require some business logic on your part to ensure that your application is not inundated with noisy authorization events.spring-doc.cn

You can provide your own predicate that filters success events. For example, the following publisher only publishes authorization grants where ROLE_ADMIN was required:spring-doc.cn

Javaspring-doc.cn
Kotlinspring-doc.cn

@Bean
AuthorizationEventPublisher authorizationEventPublisher() {
    SpringAuthorizationEventPublisher eventPublisher = new SpringAuthorizationEventPublisher();
    eventPublisher.setShouldPublishEvent((result) -> {
        if (!result.isGranted()) {
            return true;
        }
        if (result instanceof AuthorityAuthorizationDecision decision) {
            Collection<GrantedAuthority> authorities = decision.getAuthorities();
            return AuthorityUtils.authorityListToSet(authorities).contains("ROLE_ADMIN");
        }
        return false;
    });
    return eventPublisher;
}

@Bean
fun authorizationEventPublisher(): AuthorizationEventPublisher {
    val eventPublisher = SpringAuthorizationEventPublisher()
    eventPublisher.setShouldPublishEvent { (result) ->
        if (!result.isGranted()) {
            return true
        }
        if (decision is AuthorityAuthorizationDecision) {
            val authorities = decision.getAuthorities()
            return AuthorityUtils.authorityListToSet(authorities).contains("ROLE_ADMIN")
        }
        return false
    }
    return eventPublisher
}