此版本仍在开发中，尚不被认为是稳定的。对于最新的稳定版本，请使用 Spring Security 6.5.3！spring-doc.cadn.net.cn

授权事件

对于每个被拒绝的授权，一个AuthorizationDeniedEvent被解雇了。此外，还可以触发AuthorizationGrantedEvent用于授予的授权。spring-doc.cadn.net.cn

要监听这些事件，您必须先发布AuthorizationEventPublisher.spring-doc.cadn.net.cn

Spring Security 的SpringAuthorizationEventPublisher可能会做得很好。它使用 Spring 的ApplicationEventPublisher:spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Bean
public AuthorizationEventPublisher authorizationEventPublisher
        (ApplicationEventPublisher applicationEventPublisher) {
    return new SpringAuthorizationEventPublisher(applicationEventPublisher);
}

@Bean
fun authorizationEventPublisher
        (applicationEventPublisher: ApplicationEventPublisher?): AuthorizationEventPublisher {
    return SpringAuthorizationEventPublisher(applicationEventPublisher)
}

然后，您可以使用 Spring 的@EventListener支持：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Component
public class AuthenticationEvents {

    @EventListener
    public void onFailure(AuthorizationDeniedEvent failure) {
		// ...
    }
}

@Component
class AuthenticationEvents {

    @EventListener
    fun onFailure(failure: AuthorizationDeniedEvent?) {
        // ...
    }
}

授权授予事件

因为AuthorizationGrantedEvent可能会很吵，默认情况下不会发布。spring-doc.cadn.net.cn

事实上，发布这些事件可能需要一些业务逻辑，以确保您的应用程序不会被嘈杂的授权事件淹没。spring-doc.cadn.net.cn

您可以提供自己的谓词来筛选成功事件。例如，以下发布者仅发布授权授予，其中ROLE_ADMIN是必需的：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Bean
AuthorizationEventPublisher authorizationEventPublisher() {
    SpringAuthorizationEventPublisher eventPublisher = new SpringAuthorizationEventPublisher();
    eventPublisher.setShouldPublishEvent((result) -> {
        if (!result.isGranted()) {
            return true;
        }
        if (result instanceof AuthorityAuthorizationDecision decision) {
            Collection<GrantedAuthority> authorities = decision.getAuthorities();
            return AuthorityUtils.authorityListToSet(authorities).contains("ROLE_ADMIN");
        }
        return false;
    });
    return eventPublisher;
}

@Bean
fun authorizationEventPublisher(): AuthorizationEventPublisher {
    val eventPublisher = SpringAuthorizationEventPublisher()
    eventPublisher.setShouldPublishEvent { (result) ->
        if (!result.isGranted()) {
            return true
        }
        if (decision is AuthorityAuthorizationDecision) {
            val authorities = decision.getAuthorities()
            return AuthorityUtils.authorityListToSet(authorities).contains("ROLE_ADMIN")
        }
        return false
    }
    return eventPublisher
}