SEC-1697: Only publish AuthorizationFailureEvent in AbstractSecurityInterceptor by default, make AuthorizedEvents optional #1911

Closed
spring-issuemaster opened this Issue Mar 16, 2011 · 5 comments

1 participant

@spring-issuemaster

zhouyanming (Migrated from SEC-1697) said:

For a large-scale webapp deployed on many servers, published events cannot cross JVMs, so it's useless, and those webapps need great performance.

@spring-issuemaster

zhouyanming said:

```xml
<security:http publishEvent="false"> <!-- default is true for compatibility -->
    ....
</security:http>
```

then set publishEvent=false on

org.springframework.security.web.access.intercept.FilterSecurityInterceptor (org.springframework.security.access.intercept.AbstractSecurityInterceptor)
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter (org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter)
and other classes; please search for ApplicationEventPublisherAware as the keyword.

@spring-issuemaster

Luke Taylor said:

Have you actually measured a performance hit? I would disagree that it is useless since you still need auditing in your application, even if it is spread across multiple VMs. Note also that some features rely on event publishing to work.

If you want to suppress application publishing, you are best to do so within Spring and you can control it fully from there. You can register a null implementation of ApplicationEventMulticaster under the name "applicationEventMulticaster", and simply do nothing in the code. Or you can ignore events you aren't interested in.

@spring-issuemaster

zhouyanming said:

In my app, I have many business event listeners. I found those event listeners are called on every request, caused by AbstractSecurityInterceptor:

```java
publishEvent(new AuthorizedEvent(object, attributes, authenticated));
```

In most situations, AuthorizedEvent is the most published event, almost once per request. Most apps don't need this event, and in my investigation, no framework feature depends on it.
Using a null implementation of ApplicationEventMulticaster would disable my business events also.
I still suggest you rethink this; maybe add an option to just suppress AuthorizedEvent. Thanks.

@spring-issuemaster

Luke Taylor said:

Your ApplicationEventMulticaster doesn't have to be a null implementation. As I said, you can just ignore events you are not interested in. I think it might make sense to be able to disable AuthorizedEvent publication for the security interceptor, since usually access failures are more important from an auditing perspective. This could perhaps be the default setting.

But I don't want to encourage people to disable all security-related events since authentication failures and access-denied situations are important notifications. Also, I don't want to create a namespace element since it is not a mainstream requirement.

@spring-issuemaster

Luke Taylor said:

I've modified AbstractSecurityInterceptor to disable publication of AuthorizedEvents by default. This can be overridden if desired by setting the "publishAuthorizationSuccess" property.
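The two approaches discussed above, as an added example that is not code from the issue or from Spring Security itself: a multicaster registered under the bean name "applicationEventMulticaster" that drops only AuthorizedEvent while letting business events and AuthorizationFailureEvent through (Luke's suggestion), and the 3.1 "publishAuthorizationSuccess" property on the interceptor. Class names, the audit listener and the Spring 3.x single-argument multicastEvent override are assumptions; on Spring 4.2 and later the context calls the two-argument multicastEvent(event, eventType) overload, which needs the same override.

```java
// Added example, not from the issue or the framework. Assumes Spring 3.x.
import java.util.logging.Logger;

import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.SimpleApplicationEventMulticaster;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.access.event.AuthorizedEvent;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

/**
 * Register under the well-known bean name so the context uses it:
 *   <bean id="applicationEventMulticaster" class="example.AuditOnlyEventMulticaster"/>
 * Only the per-request success event is dropped; authentication failures,
 * access-denied events and the application's own business events still
 * reach every listener.
 */
public class AuditOnlyEventMulticaster extends SimpleApplicationEventMulticaster {

    @Override
    public void multicastEvent(ApplicationEvent event) {
        if (event instanceof AuthorizedEvent) {
            return; // noisy, once per secured invocation; not needed for auditing
        }
        super.multicastEvent(event);
    }

    /**
     * Spring Security 3.1 alternative: the interceptor itself no longer
     * publishes AuthorizedEvent by default; flip the property to get it back.
     */
    static void publishSuccessEvents(FilterSecurityInterceptor interceptor, boolean enabled) {
        interceptor.setPublishAuthorizationSuccess(enabled);
    }
}

/** Hypothetical audit listener: failures are the events worth recording. */
class AccessDeniedAuditListener implements ApplicationListener<AuthorizationFailureEvent> {

    private static final Logger LOG = Logger.getLogger(AccessDeniedAuditListener.class.getName());

    @Override
    public void onApplicationEvent(AuthorizationFailureEvent event) {
        String principal = event.getAuthentication() == null
                ? "<anonymous>" : event.getAuthentication().getName();
        LOG.warning("access denied for " + principal + " to " + event.getSource()
                + ": " + event.getAccessDeniedException().getMessage());
    }
}
```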

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC2 milestone Feb 5, 2016