According to this article, and many others on the web, Spring Boot Actuator provides out-of-the-box support for Security Auditing, by using the Actuator endpoint /auditevents and by listening to the AuditApplicationEvents.
I'm testing Spring Boot v2.1.0.RC1 with Spring Security v5.1.1 and the OAuth2 Resource Server for validation of JWT and user authentication; see the code on GitHub at ismarslomic/spring-security-resourceserver-example.
The authentication/authorization part works as expected, with Google as the IDP. However, the AUTHORIZATION_SUCCESS event is never fired from Spring Boot Actuator. The only event fired and caught by LoginAttemptsLogger is AUTHORIZATION_FAILURE, when I omit the JWT from the Authorization header.
Anything I'm missing?
This turned out to be a bug in Spring Security, which has been resolved in versions 5.1.2 and 5.0.10. See more info at https://github.com/spring-projects/spring-boot/issues/14921