Spring Security / SEC-1697

Only publish AuthorizationFailureEvent in AbstractSecurityInterceptor by default, make AuthorizedEvents optional

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.0.5
    • Fix Version/s: 3.1.0.RC2
    • Component/s: Core
    • Labels: None

    Description

    For a large-scale webapp deployed on many servers, published events cannot cross the JVM, so it's useless, and those webapps need great performance.

    Activity

    zhouyanming added a comment -

    <security:http publish-event="false" ...> <!-- default is true for compatibility -->
    ....
    </security:http>

    Then set publishEvent=false on
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor (org.springframework.security.access.intercept.AbstractSecurityInterceptor),
    org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter (org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter)
    and other classes; please search for ApplicationEventPublisherAware as a keyword.

    Luke Taylor added a comment - edited

        Have you actually measured a performance hit? I would disagree that it is useless since you still need auditing in your application, even if it is spread across multiple VMs. Note also that some features rely on event publishing to work.

        If you want to suppress application publishing, you are best to do so within Spring and you can control it fully from there. You can register a null implementation of ApplicationEventMulticaster under the name "applicationEventMulticaster", and simply do nothing in the code. Or you can ignore events you aren't interested in.

    zhouyanming added a comment -

    In my app, I have many business event listeners. I found those event listeners will be called on every request, caused by AbstractSecurityInterceptor's
    publishEvent(new AuthorizedEvent(object, attributes, authenticated));
    In most situations, AuthorizedEvent is the most published event, almost once per request; most apps don't need this event, and in my investigation, no framework feature depends on it.
    Using a null implementation of ApplicationEventMulticaster will disable my business events also.
    I still suggest you rethink this; maybe add an option to just suppress AuthorizedEvent. Thanks.

    Luke Taylor added a comment -

        Your ApplicationEventMulticaster doesn't have to be a null implementation. As I said, you can just ignore events you are not interested in. I think it might make sense to be able to disable AuthorizedEvent publication for the security interceptor, since usually access failures are more important from an auditing perspective. This could perhaps be the default setting.

        But I don't want to encourage people to disable all security-related events since authentication failures and access-denied situations are important notifications. Also, I don't want to create a namespace element since it is not a mainstream requirement.

    Luke Taylor added a comment -

        I've modified AbstractSecurityInterceptor to disable publication of AuthorizedEvents by default. This can be overridden if desired by setting the "publishAuthorizationSuccess" property.

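    The approach Luke describes above (an ApplicationEventMulticaster that ignores the events you don't want, rather than a null one) plus an audit listener for the failures that do matter, as an added example; it is not code from this issue or from Spring Security itself. It assumes the Spring 3.x / Spring Security 3.x APIs current at the time of the issue, where publishEvent() goes through the single-argument multicastEvent(), and the class and package names example.audit are hypothetical.

    ```java
    package example.audit; // hypothetical package, not part of Spring Security

    import java.util.logging.Logger;

    import org.springframework.context.ApplicationEvent;
    import org.springframework.context.ApplicationListener;
    import org.springframework.context.event.SimpleApplicationEventMulticaster;
    import org.springframework.security.access.event.AuthorizationFailureEvent;
    import org.springframework.security.access.event.AuthorizedEvent;
    import org.springframework.security.web.FilterInvocation;

    /**
     * Drops AuthorizedEvent (the per-request "access granted" event) before it
     * reaches any listener; every other event, including business events and
     * AuthorizationFailureEvent, is delivered unchanged. Declare it as
     * <bean id="applicationEventMulticaster" class="example.audit.AuthorizedEventDroppingMulticaster"/>
     * so the ApplicationContext uses it instead of the default multicaster.
     */
    public class AuthorizedEventDroppingMulticaster extends SimpleApplicationEventMulticaster {

        @Override
        public void multicastEvent(ApplicationEvent event) {
            if (event instanceof AuthorizedEvent) {
                return; // high-volume success event, not needed for auditing
            }
            super.multicastEvent(event);
        }
    }

    /** Audit listener (separate file): records only access-denied decisions. */
    class AccessDeniedAuditListener implements ApplicationListener<AuthorizationFailureEvent> {

        private static final Logger LOG = Logger.getLogger(AccessDeniedAuditListener.class.getName());

        public void onApplicationEvent(AuthorizationFailureEvent event) {
            String principal = event.getAuthentication() == null
                    ? "anonymous" : event.getAuthentication().getName();
            // For web requests the secure object is a FilterInvocation; method
            // invocations and other secure objects fall back to toString().
            Object secureObject = event.getSource();
            String target = secureObject instanceof FilterInvocation
                    ? ((FilterInvocation) secureObject).getRequestUrl()
                    : String.valueOf(secureObject);
            LOG.warning("ACCESS DENIED principal=" + principal + " target=" + target
                    + " required=" + event.getConfigAttributes()
                    + " reason=" + event.getAccessDeniedException().getMessage());
        }
    }
    ```

    On 3.1.0.RC2 and later the multicaster is only needed if publishAuthorizationSuccess has been turned back on, since the fix above stops AuthorizedEvent publication by default; the listener is useful on any version.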

    People

    • Assignee: Luke Taylor
    • Reporter: zhouyanming
    • Votes: 0
    • Watchers: 1
