Making Spring Security's actions observable at runtime will help make applications more secure. Following recommendations from OWASP, we should:
- [x] Add authorization events
- [ ] Add OAuth2 client authorization events
- [ ] Add defense violation events (CSP violation, CSRF violation, firewall rejection, etc.)
- [ ] Add user/password lifecycle events
- [ ] Consider introducing secure header report-uri endpoints
It would be helpful to have a marker class that security events can be identified by:
- [ ] Add SecurityEvent
When these events are fired, Spring Security should:
- [ ] Pipe authentication events to Micrometer
- [ ] Pipe authorization events to Micrometer
- [ ] Pipe defense violation events to Micrometer
- [ ] Pipe session management events to Micrometer
- [ ] Pipe custom security events to Micrometer
It can also help applications evaluate performance and usage. To that end we should:
- [x] #11989
- [ ] Instrument OAuth2AuthorizedClientProvider
- [x] #11990
- [x] #11991
- [x] #11992
- [ ] #11993
- [x] #11994
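As an added illustration of the "pipe authentication/authorization events to Micrometer" items above (example code, not Spring Security's own implementation), a hypothetical application-level listener that counts Spring Security's existing authentication and authorization events; the meter names `security.authentication` and `security.authorization` are assumptions:

```java
import io.micrometer.core.instrument.Counter;
import io.micrometer.core.instrument.MeterRegistry;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
import org.springframework.stereotype.Component;

// Hypothetical listener (not part of Spring Security) that turns security events
// into Micrometer counters so failed logins and denied authorizations can be
// graphed and alerted on. Meter names are assumptions for this example.
@Component
public class SecurityEventMetrics {

    private final MeterRegistry registry;

    public SecurityEventMetrics(MeterRegistry registry) {
        this.registry = registry;
    }

    @EventListener
    public void onAuthentication(AbstractAuthenticationEvent event) {
        // Form login publishes both AuthenticationSuccessEvent and
        // InteractiveAuthenticationSuccessEvent; skip the second to avoid double counting.
        if (event instanceof InteractiveAuthenticationSuccessEvent) {
            return;
        }
        // Tag by outcome and by failure type (BadCredentialsException, LockedException, ...).
        // Deliberately no principal/username tag: that is high-cardinality and PII.
        String outcome = "success";
        String exception = "none";
        if (event instanceof AbstractAuthenticationFailureEvent) {
            outcome = "failure";
            exception = ((AbstractAuthenticationFailureEvent) event)
                    .getException().getClass().getSimpleName();
        }
        Counter.builder("security.authentication")
                .tag("outcome", outcome)
                .tag("exception", exception)
                .register(registry)
                .increment();
    }

    @EventListener
    public void onAuthorizationDenied(AuthorizationDeniedEvent<?> event) {
        Counter.builder("security.authorization")
                .tag("outcome", "denied")
                .register(registry)
                .increment();
    }
}
```

Note that AuthorizationDeniedEvent is only published when an AuthorizationEventPublisher is configured, so the authorization counter stays at zero in a default setup.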
Comment From: jzheaux
Before proceeding on piping events, it's important to understand the following two scenarios:
- How does this complement (or not) Spring Actuator
- What does event collection look like when events are published asynchronously