Improve Observability #10964

@jzheaux

Making Spring Security's actions observable at runtime will help make applications more secure. Following recommendations from OWASP, we should:

  • Add authorization events
  • Add OAuth2 client authorization events
  • Add defense violation events (CSP violation, CSRF violation, firewall rejection, etc.)
  • Add user/password lifecycle events
  • Consider introducing secure header report-uri endpoints

It would be helpful to have a marker class that security events can be identified by:

  • Add SecurityEvent

When these events are fired, Spring Security should:

  • Pipe authentication events to Micrometer
  • Pipe authorization events to Micrometer
  • Pipe defense violation events to Micrometer
  • Pipe session management events to Micrometer
  • Pipe custom security events to Micrometer

It can also help applications evaluate performance and usage. To that end we should:
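As an added example, not part of the issue text or of Spring Security's own implementation of it, the following shows what an application can already do with the authentication events the framework publishes today (`AuthenticationSuccessEvent` and `AbstractAuthenticationFailureEvent`) and how a marker class along the lines of the "Add SecurityEvent" bullet could let one listener pipe custom events to Micrometer. It assumes Micrometer is on the classpath and a `MeterRegistry` bean exists; `SecurityEvent`, `FirewallRejectionEvent` and the metric names are hypothetical choices for this illustration, not names from the project.

```java
import io.micrometer.core.instrument.MeterRegistry;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.AuthenticationEventPublisher;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;

/**
 * Added example (not from the issue or from Spring Security): forwards security
 * events to Micrometer counters so they show up alongside the application's
 * other metrics. All names below are assumptions made for this illustration.
 */
@Configuration
public class SecurityEventMetricsConfig {

    /** Hypothetical marker class modelled on the issue's "Add SecurityEvent" bullet. */
    public abstract static class SecurityEvent extends ApplicationEvent {
        protected SecurityEvent(Object source) {
            super(source);
        }
    }

    /**
     * Hypothetical custom event for a request rejected by the firewall. It carries
     * only the rejection reason, not the offending request data, so the metric tag
     * stays low-cardinality and no attacker-controlled input lands in the registry.
     */
    public static class FirewallRejectionEvent extends SecurityEvent {
        private final String reason;

        public FirewallRejectionEvent(Object source, String reason) {
            super(source);
            this.reason = reason;
        }

        public String getReason() {
            return reason;
        }
    }

    /**
     * Outside Spring Boot this bean is required: without an AuthenticationEventPublisher
     * the ProviderManager publishes no success or failure events at all.
     */
    @Bean
    AuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
        return new DefaultAuthenticationEventPublisher(publisher);
    }

    @Bean
    MicrometerSecurityEventListener micrometerSecurityEventListener(MeterRegistry registry) {
        return new MicrometerSecurityEventListener(registry);
    }

    /** Listener bean that turns events into counters; method parameters select the event type. */
    public static class MicrometerSecurityEventListener {
        private final MeterRegistry registry;

        MicrometerSecurityEventListener(MeterRegistry registry) {
            this.registry = registry;
        }

        @EventListener
        public void onAuthenticationSuccess(AuthenticationSuccessEvent event) {
            // Tag by the Authentication implementation, never by user name:
            // user names are unbounded and would explode metric cardinality.
            registry.counter("security.authentication",
                    "result", "success",
                    "type", event.getAuthentication().getClass().getSimpleName()).increment();
        }

        @EventListener
        public void onAuthenticationFailure(AbstractAuthenticationFailureEvent event) {
            // The exception class (BadCredentialsException, LockedException, ...) is a
            // bounded set and is what an operator wants to alert on.
            registry.counter("security.authentication",
                    "result", "failure",
                    "reason", event.getException().getClass().getSimpleName()).increment();
        }

        @EventListener
        public void onSecurityEvent(SecurityEvent event) {
            // One listener covers every event that extends the marker class.
            registry.counter("security.event",
                    "type", event.getClass().getSimpleName()).increment();
        }
    }
}
```

A component that detects a firewall rejection would publish `new FirewallRejectionEvent(this, "untrusted host")` through an injected `ApplicationEventPublisher`, and the `security.event` counter picks it up without any per-event wiring. Keep tag values to bounded sets (exception class, event class, a short reason code); putting user names, IP addresses or request paths into tags is the most common way these metrics end up unusable.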
