
SEC-1697: Only publish AuthorizationFailureEvent in AbstractSecurityInterceptor by default, make AuthorizedEvents optional #1911

spring-issuemaster opened this Issue Mar 16, 2011 · 5 comments



zhouyanming (Migrated from SEC-1697) said:

For a large-scale webapp deployed on many servers, published events cannot cross JVMs, so it's useless, and those webapps need great performance.

zhouyanming said:

<security:http publish-event="false" ...>

then set publishEvent=false to
and other classes; please search for ApplicationEventPublisherAware as a keyword.

Luke Taylor said:

Have you actually measured a performance hit? I would disagree that it is useless since you still need auditing in your application, even if it is spread across multiple VMs. Note also that some features rely on event publishing to work.

If you want to suppress application publishing, you are best to do so within Spring and you can control it fully from there. You can register a null implementation of ApplicationEventMulticaster under the name "applicationEventMulticaster", and simply do nothing in the code. Or you can ignore events you aren't interested in.

zhouyanming said:

In my app, I have many business event listeners. I found those event listeners are called on every request, caused by AbstractSecurityInterceptor:
publishEvent(new AuthorizedEvent(object, attributes, authenticated));
In most situations, AuthorizedEvent is the most published event, almost once per request; most apps don't need this event, and in my investigation, no framework feature depends on it.
Using a null implementation of ApplicationEventMulticaster will disable my business events as well.
I still suggest you rethink this; maybe add an option to just suppress AuthorizedEvent. Thanks.

Luke Taylor said:

Your ApplicationEventMulticaster doesn't have to be a null implementation. As I said, you can just ignore events you are not interested in. I think it might make sense to be able to disable AuthorizedEvent publication for the security interceptor, since usually access failures are more important from an auditing perspective. This could perhaps be the default setting.

But I don't want to encourage people to disable all security-related events since authentication failures and access-denied situations are important notifications. Also, I don't want to create a namespace element since it is not a mainstream requirement.

Luke Taylor said:

I've modified AbstractSecurityInterceptor to disable publication of AuthorizedEvents by default. This can be overridden if desired by setting the "publishAuthorizationSuccess" property.
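The listener shape Luke Taylor describes earlier in the thread (ignore the events you are not interested in, keep auditing access-denied decisions) as an added example; this is illustrative code, not part of Spring Security or of this issue, and the class name AccessAuditListener is an assumption. It uses the AuthorizedEvent / AuthorizationFailureEvent classes from org.springframework.security.access.event, and the Javadoc notes the publishAuthorizationSuccess property introduced by this change.

```java
import java.util.logging.Logger;

import org.springframework.context.ApplicationListener;
import org.springframework.security.access.event.AbstractAuthorizationEvent;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.access.event.AuthorizedEvent;
import org.springframework.stereotype.Component;

/**
 * Audit listener (hypothetical class, not from the project) that records
 * access-denied decisions and deliberately ignores AuthorizedEvent.
 *
 * With this change, AbstractSecurityInterceptor no longer publishes
 * AuthorizedEvent unless the interceptor bean is configured with
 * <property name="publishAuthorizationSuccess" value="true"/>, so in the
 * default configuration only the failure branch below will ever fire.
 */
@Component
public class AccessAuditListener implements ApplicationListener<AbstractAuthorizationEvent> {

    private static final Logger LOG = Logger.getLogger(AccessAuditListener.class.getName());

    @Override
    public void onApplicationEvent(AbstractAuthorizationEvent event) {
        if (event instanceof AuthorizedEvent) {
            // Success events are not an audit concern here. Returning early keeps the
            // per-request cost to one instanceof check even if success publishing is on.
            return;
        }
        if (event instanceof AuthorizationFailureEvent) {
            AuthorizationFailureEvent failure = (AuthorizationFailureEvent) event;
            String principal = failure.getAuthentication() == null
                    ? "<anonymous>"
                    : failure.getAuthentication().getName();
            // getSource() is the secured object, e.g. a FilterInvocation for web requests;
            // getConfigAttributes() holds the access rules that were required.
            LOG.warning(String.format(
                    "ACCESS DENIED principal=%s secured=%s required=%s reason=%s",
                    principal,
                    failure.getSource(),
                    failure.getConfigAttributes(),
                    failure.getAccessDeniedException().getMessage()));
        }
    }
}
```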

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC2 milestone Feb 5, 2016
