Describe the bug If a check via the Secured Annotation fails, the spring event: AuthorizationFailureEvent is published. If the check was successful, no AuthorizationSuccessEvent is published.

Is there another way to publish a Spring event if authentication via the Secured() annotation was successful?

Comment From: marcusdacoregio

Hi @npriebe, thanks for the report.

Can you share more detail about your setup? Which Spring Security version are you using? What annotation are you using to enable method security?

Comment From: npriebe

Hi @marcusdacoregio ,

I use this for an OAuth2 resource server. This is the dependency:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    <version>2.6.3</version>
</dependency>
```

My security configuration (for resource server):

```java
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
{
    @Override
    public void configure(HttpSecurity http) throws Exception
    {
        http.oauth2ResourceServer().jwt();
    }
}
```

And my rest method:

```java
@Secured("user_role")
@GetMapping
public void restMethod()
{

}
```

And I have illustrated my problem with a diagram:

(Diagram: MissingSuccessEventDiagram)

The problem is that no SuccessEvent is published if the check on the Secured Annotation was successful.

This has then led to the following error: if the JWT was valid, an "AuthenticationSuccessEvent" was published. After that, the role was checked via the Secured annotation, and here this was invalid, so an AuthorizationFailedEvent was published afterwards.

Thus, I could no longer track via the events whether the request was now valid or invalid.

Maybe there is also a possibility to create a custom event after checking the Secured annotation? I have not found a way to do this.

Maybe there is a solution for this :)

Comment From: marcusdacoregio

Hi @npriebe, I assume that you are using the SpringAuthorizationEventPublisher, which is an implementation that only publishes AuthorizationDeniedEvent. Because AuthorizationGrantedEvents have the potential to be quite noisy, they are not published by default.

You would probably need to create an AuthorizationEventPublisher implementation to do that for you; this section of the documentation might help.
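One way to do what the comment above describes, as an added example rather than code from this issue or from Spring Security itself: keep the default denied behaviour by delegating to SpringAuthorizationEventPublisher, and additionally publish an AuthorizationGrantedEvent so a listener can see that the @Secured check passed. It assumes Spring Security 5.7 or later (where the AuthorizationEventPublisher API exists) and that a bean of this type is picked up by the method security configuration; the class name and the listener are hypothetical.

```java
import java.util.function.Supplier;

import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.event.EventListener;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
import org.springframework.security.authorization.event.AuthorizationGrantedEvent;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

// Hypothetical class name (not part of Spring Security).
@Component
public class GrantedAndDeniedAuthorizationEventPublisher implements AuthorizationEventPublisher {

    private final ApplicationEventPublisher publisher;
    // The framework publisher already handles the denied case; reuse it.
    private final AuthorizationEventPublisher deniedDelegate;

    public GrantedAndDeniedAuthorizationEventPublisher(ApplicationEventPublisher publisher) {
        this.publisher = publisher;
        this.deniedDelegate = new SpringAuthorizationEventPublisher(publisher);
    }

    @Override
    public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication,
            T object, AuthorizationDecision decision) {
        if (decision == null) {
            return; // abstain: no decision was made, so nothing to report
        }
        if (!decision.isGranted()) {
            this.deniedDelegate.publishAuthorizationEvent(authentication, object, decision);
            return;
        }
        // Granted events are off by default because they can be noisy; opting in here
        // lets an audit listener pair them with the earlier AuthenticationSuccessEvent.
        this.publisher.publishEvent(new AuthorizationGrantedEvent<>(authentication, object, decision));
    }

    // Example listeners: for a @Secured check, getSource() is the MethodInvocation.
    @EventListener
    public void onGranted(AuthorizationGrantedEvent<?> event) {
        System.out.println("GRANTED " + event.getAuthentication().get().getName() + " -> " + event.getSource());
    }

    @EventListener
    public void onDenied(AuthorizationDeniedEvent<?> event) {
        System.out.println("DENIED " + event.getAuthentication().get().getName() + " -> " + event.getSource());
    }
}
```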