授权事件

对于每个被拒绝的授权，都会触发一个 AuthorizationDeniedEvent。此外，也可以为被授予的授权触发一个 AuthorizationGrantedEvent。spring-doc.cadn.net.cn

要监听这些事件，您必须首先发布一个 AuthorizationEventPublisher。spring-doc.cadn.net.cn

Spring Security 的 SpringAuthorizationEventPublisher 可能就足够了。它使用 Spring 的 ApplicationEventPublisher 来发布授权事件：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Bean
public AuthorizationEventPublisher authorizationEventPublisher
        (ApplicationEventPublisher applicationEventPublisher) {
    return new SpringAuthorizationEventPublisher(applicationEventPublisher);
}

@Bean
fun authorizationEventPublisher
        (applicationEventPublisher: ApplicationEventPublisher?): AuthorizationEventPublisher {
    return SpringAuthorizationEventPublisher(applicationEventPublisher)
}

然后，你可以使用 Spring 的 @EventListener 支持：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Component
public class AuthenticationEvents {

    @EventListener
    public void onFailure(AuthorizationDeniedEvent failure) {
		// ...
    }
}

@Component
class AuthenticationEvents {

    @EventListener
    fun onFailure(failure: AuthorizationDeniedEvent?) {
        // ...
    }
}

授权授予事件

由于AuthorizationGrantedEvent事件可能会产生大量日志，因此默认情况下不会发布这些事件。spring-doc.cadn.net.cn

事实上，发布这些事件很可能需要您自行实现一些业务逻辑，以确保您的应用程序不会被大量冗余的授权事件所淹没。spring-doc.cadn.net.cn

您可以提供自己的谓词（predicate）来过滤成功事件。例如，以下发布者仅发布需要 ROLE_ADMIN 角色的授权许可：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Bean
AuthorizationEventPublisher authorizationEventPublisher() {
    SpringAuthorizationEventPublisher eventPublisher = new SpringAuthorizationEventPublisher();
    eventPublisher.setShouldPublishEvent((result) -> {
        if (!result.isGranted()) {
            return true;
        }
        if (result instanceof AuthorityAuthorizationDecision decision) {
            Collection<GrantedAuthority> authorities = decision.getAuthorities();
            return AuthorityUtils.authorityListToSet(authorities).contains("ROLE_ADMIN");
        }
        return false;
    });
    return eventPublisher;
}

@Bean
fun authorizationEventPublisher(): AuthorizationEventPublisher {
    val eventPublisher = SpringAuthorizationEventPublisher()
    eventPublisher.setShouldPublishEvent { (result) ->
        if (!result.isGranted()) {
            return true
        }
        if (decision is AuthorityAuthorizationDecision) {
            val authorities = decision.getAuthorities()
            return AuthorityUtils.authorityListToSet(authorities).contains("ROLE_ADMIN")
        }
        return false
    }
    return eventPublisher
}