zhouyanming (Migrated from SEC-1697) said:
For a large-scale webapp, it's deployed on many servers; published events cannot cross JVMs, so it's useless, and those webapps need great performance.
<security:http publish-event="false" ...>
then set publishEvent=false to
and other classes; please search with ApplicationEventPublisherAware as the keyword.
Luke Taylor said:
Have you actually measured a performance hit? I would disagree that it is useless since you still need auditing in your application, even if it is spread across multiple VMs. Note also that some features rely on event publishing to work.
If you want to suppress application publishing, you are best to do so within Spring and you can control it fully from there. You can register a null implementation of ApplicationEventMulticaster under the name "applicationEventMulticaster", and simply do nothing in the code. Or you can ignore events you aren't interested in.
In my app, I have many business event listeners. I found those event listeners are called on every request, caused by AbstractSecurityInterceptor:
publishEvent(new AuthorizedEvent(object, attributes, authenticated));
In most situations, AuthorizedEvent is the most published event, almost once per request. Most apps don't need this event, and in my investigation, no framework feature depends on it.
Using a null implementation of ApplicationEventMulticaster will disable my business events as well.
I still suggest you rethink this; maybe add an option to just suppress AuthorizedEvent. Thanks.
Your ApplicationEventMulticaster doesn't have to be a null implementation. As I said, you can just ignore events you are not interested in. I think it might make sense to be able to disable AuthorizedEvent publication for the security interceptor, since usually access failures are more important from an auditing perspective. This could perhaps be the default setting.
But I don't want to encourage people to disable all security-related events since authentication failures and access-denied situations are important notifications. Also, I don't want to create a namespace element since it is not a mainstream requirement.
I've modified AbstractSecurityInterceptor to disable publication of AuthorizedEvents by default. This can be overridden if desired by setting the "publishAuthorizationSuccess" property.
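The "ignore events you are not interested in" approach discussed in this thread, as an added example that is not code from either participant or from the Spring Security project: a multicaster registered under the name "applicationEventMulticaster" that drops only AuthorizedEvent, so authentication failures, access-denied events and business events still reach their listeners for auditing. The class name `SecurityEventFilterConfig` is hypothetical, and the two-argument `multicastEvent` override assumes Spring Framework 4.2 or later.

```java
import org.springframework.context.ApplicationEvent;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.ApplicationEventMulticaster;
import org.springframework.context.event.SimpleApplicationEventMulticaster;
import org.springframework.core.ResolvableType;
import org.springframework.security.access.event.AuthorizedEvent;

// Hypothetical configuration class (name is an assumption, not from the thread).
@Configuration
public class SecurityEventFilterConfig {

    // The application context looks the multicaster up by this exact bean name.
    @Bean(name = "applicationEventMulticaster")
    public ApplicationEventMulticaster applicationEventMulticaster() {
        return new SimpleApplicationEventMulticaster() {
            @Override
            public void multicastEvent(ApplicationEvent event, ResolvableType eventType) {
                // Drop only the per-request authorization success event.
                // AuthorizationFailureEvent, authentication failure events and
                // all business events fall through and are delivered as usual.
                if (event instanceof AuthorizedEvent) {
                    return;
                }
                super.multicastEvent(event, eventType);
            }
        };
    }
}
```

On a version where AbstractSecurityInterceptor already leaves AuthorizedEvent publication off by default, this filter is only needed if "publishAuthorizationSuccess" has been turned on and some listeners must still be shielded from the event.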