Recording logins with Spring Security

一生所求 2021-01-05 05:40

I want to log every login in my web application. I was able to access the logins which take place through UsernamePasswordAuthenticationFilter but I don't know

3 Answers
  • 2021-01-05 06:20

    I think a solution that will help in your case is to use a custom filter, which will intercept every request to your application. In this filter you can log the username for every request.

    Here I described how to add your custom filter. You just need to change the functionality to what you want. And don't forget to put your filter after the security filter chain in web.xml.

  • 2021-01-05 06:21

    The best way of logging authentication success and failures is to use a Spring ApplicationListener.

    Spring Security publishes various events for authentication success and failure which you can listen for. Events are also published when access is denied to a resource.

    You can look at LoggerListener as an example. Start by adding one of those to your application context and it will automatically log authentication events at warn level.

    Regarding remember-me logins, if you logout and then access the site immediately afterwards, and are re-authenticated using a remember-me cookie, then technically that is the same as any other remember-me authentication, so there's not much you can do about it.

    However, if your logout success URL is passing through the remember-me filter, and that is how the new session is being created (without any additional action from the user), then simply omit that page from the security filter chain.

  • 2021-01-05 06:36

    For logging each successful login I think the best way is to create a LoginSucessHandler and specify authentication-success-handler for normal login as well as remember-me. I have done this with the code and configuration below.

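    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.Authentication;
    // Assumes Spring Security's User as the principal; swap in your own principal class if different.
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
    import org.springframework.stereotype.Service;

    // Default bean name is "loginSucessHandler", matching the XML references below.
    @Service
    public class LoginSucessHandler extends
            SavedRequestAwareAuthenticationSuccessHandler {

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request,
                HttpServletResponse response, Authentication authentication)
                throws ServletException, IOException {
            User user = (User) authentication.getPrincipal();
            // record login success of user
            super.onAuthenticationSuccess(request, response, authentication);
        }

    }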
    
    <http auto-config="true" use-expressions="true">
        <form-login login-page="/login"
            authentication-failure-url="/login.hst?error=true"
            authentication-success-handler-ref="loginSucessHandler" />
        <logout invalidate-session="true" logout-success-url="/home"
            logout-url="/logout" />
        <remember-me key="jbcp" authentication-success-handler-ref="loginSucessHandler" />
        <session-management>
            <concurrency-control max-sessions="1" />
        </session-management>
    </http>
    