
  • Authentication (un)successful events

    Hi!

    I want to keep a log of all successful (or not) authentications. I am using Spring Security 3.1.1 and Digest Authentication (org.springframework.security.web.authentication.www.DigestAuthenticationFilter and org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint). To catch authentication successful (or not) events I have written my own implementations:
    Code:
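    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.ApplicationListener;
    import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
    import org.springframework.security.web.authentication.WebAuthenticationDetails;
    
    // Listener for successful authentications published as AuthenticationSuccessEvent
    public class AuthenticationSuccessfulEvent implements ApplicationListener<AuthenticationSuccessEvent> {
    
    	@Autowired
    	protected AccessHistoryService accessHistoryService;
    
    	@Override
    	public void onApplicationEvent(AuthenticationSuccessEvent event) {
    		String username = event.getAuthentication().getName();
    		// Details are populated by the web filter and carry the client address
    		String userIp = ((WebAuthenticationDetails) event.getAuthentication().getDetails()).getRemoteAddress();
    		accessHistoryService.logSuccessfulAccess(username, userIp);
    	}
    
    }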
    and
    Code:
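    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.ApplicationListener;
    import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
    import org.springframework.security.web.authentication.WebAuthenticationDetails;
    
    // Listener for any published subclass of AbstractAuthenticationFailureEvent
    public class AuthenticationUnsuccessfulEvent implements ApplicationListener<AbstractAuthenticationFailureEvent> {
    
    	@Autowired
    	protected AccessHistoryService accessHistoryService;
    
    	@Override
    	public void onApplicationEvent(AbstractAuthenticationFailureEvent event) {
    		String username = event.getAuthentication().getName();
    		// Details are populated by the web filter and carry the client address
    		String userIp = ((WebAuthenticationDetails) event.getAuthentication().getDetails()).getRemoteAddress();
    		accessHistoryService.logUnsuccessfulAccess(username, userIp);
    	}
    
    }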
    Both are registered in Spring. And while the first one works like a charm, the other does not. Do any of you have any clue why?

    Any help would be appreciated.

    Best regards,
    Bartosz

  • #2
    Originally posted by cichy202

    Is listening for AuthenticationFailureBadCredentialsEvent sufficient for your needs or do you really need to log the other events?


    • #3
      To be honest, I tried to listen just for AuthenticationFailureBadCredentialsEvent, and what I have found out is that DigestAuthenticationFilter and DigestAuthenticationEntryPoint catch all the exceptions that could trigger this event, and using BasicAuthenticationFilter everything is fine. Digest authentication on every exception calls authenticationEntryPoint.commence, so they don't reach DefaultAuthenticationEventPublisher and never get published. It looks like a bug to me.

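Added example, not part of the thread and not Spring Security's own code: since, as #3 describes, the Digest filter hands every failure straight to authenticationEntryPoint.commence, one way to keep the failure log is to subclass DigestAuthenticationEntryPoint and record the attempt there before delegating. The class name, the setter, the `<unknown>` placeholder and the 64-character cap are assumptions; AccessHistoryService is the poster's own service from the first post, assumed to be in the same package.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.NonceExpiredException;

// Hypothetical subclass: logs failed Digest attempts at the point where the filter hands them over.
public class LoggingDigestAuthenticationEntryPoint extends DigestAuthenticationEntryPoint {

	// username="..." parameter of the Digest Authorization header
	private static final Pattern USERNAME = Pattern.compile("\\busername=\"([^\"]*)\"");

	private AccessHistoryService accessHistoryService; // the poster's own service

	public void setAccessHistoryService(AccessHistoryService accessHistoryService) {
		this.accessHistoryService = accessHistoryService;
	}

	@Override
	public void commence(HttpServletRequest request, HttpServletResponse response,
			AuthenticationException authException) throws IOException, ServletException {
		String header = request.getHeader("Authorization");
		// No Digest header: first challenge for an anonymous request, not a failed login.
		// NonceExpiredException: stale nonce, the client is expected to retry with a fresh one.
		if (header != null && header.startsWith("Digest ")
				&& !(authException instanceof NonceExpiredException)) {
			accessHistoryService.logUnsuccessfulAccess(extractUsername(header), request.getRemoteAddr());
		}
		super.commence(request, response, authException); // still send the 401 challenge
	}

	// The username is whatever the client claimed: untrusted, so strip control characters and bound it.
	static String extractUsername(String header) {
		Matcher m = USERNAME.matcher(header);
		String name = m.find() ? m.group(1) : "<unknown>";
		name = name.replaceAll("\\p{Cntrl}", "_");
		return name.length() > 64 ? name.substring(0, 64) : name;
	}
}
```

The bean replaces the plain DigestAuthenticationEntryPoint wherever it is referenced, with the same realmName and key properties, so the filter's setAuthenticationEntryPoint still receives a DigestAuthenticationEntryPoint.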