
Thread: Authentication (un)successful events

  1. #1
    Join Date
    Aug 2012
    Posts
    2

    Authentication (un)successful events

    Hi!

    I want to keep a log of all successful (or not) authentications. I am using Spring Security 3.1.1 and Digest Authentication (org.springframework.security.web.authentication.www.DigestAuthenticationFilter and org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint). To catch authentication successful (or not) events I have written my own implementations:
    Code:
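    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.ApplicationListener;
    import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
    import org.springframework.security.web.authentication.WebAuthenticationDetails;
    
    // Listener for successful authentications; AccessHistoryService is the poster's own service.
    public class AuthenticationSuccessfulEvent implements ApplicationListener<AuthenticationSuccessEvent> {
    
        @Autowired
        protected AccessHistoryService accessHistoryService;
    
        @Override
        public void onApplicationEvent(AuthenticationSuccessEvent event) {
            // Name of the authenticated principal and the client address captured by the web filter
            String username = event.getAuthentication().getName();
            String userIp = ((WebAuthenticationDetails) event.getAuthentication().getDetails()).getRemoteAddress();
            accessHistoryService.logSuccessfulAccess(username, userIp);
        }
    
    }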
    and
    Code:
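    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.ApplicationListener;
    import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
    import org.springframework.security.web.authentication.WebAuthenticationDetails;
    
    // Listener for every failure event type (all subclasses of AbstractAuthenticationFailureEvent).
    public class AuthenticationUnsuccessfulEvent implements ApplicationListener<AbstractAuthenticationFailureEvent> {
    
        @Autowired
        protected AccessHistoryService accessHistoryService;
    
        @Override
        public void onApplicationEvent(AbstractAuthenticationFailureEvent event) {
            // Name submitted with the failed attempt and the client address captured by the web filter
            String username = event.getAuthentication().getName();
            String userIp = ((WebAuthenticationDetails) event.getAuthentication().getDetails()).getRemoteAddress();
            accessHistoryService.logUnsuccessfulAccess(username, userIp);
        }
    
    }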
    Both are registered in Spring. And while the first one works like a charm, the other does not. Do any of you have any clue why?

    Any help would be appreciated.

    Best regards,
    Bartosz

  2. #2
    Join Date
    Dec 2008
    Location
    New York City
    Posts
    134


    Is listening for AuthenticationFailureBadCredentialsEvent sufficient for your needs or do you really need to log the other events?
    Andrew Thompson - Linked In

  3. #3
    Join Date
    Aug 2012
    Posts
    2


    To be honest, I tried to listen just for AuthenticationFailureBadCredentialsEvent, and what I have found out is that DigestAuthenticationFilter and DigestAuthenticationEntryPoint catch all the exceptions that could trigger this event, whereas using BasicAuthenticationFilter everything is fine. Digest authentication calls authenticationEntryPoint.commence on every exception, so they don't reach DefaultAuthenticationEventPublisher and never get published. It looks like a bug to me.
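
One way to get failure events under the behaviour described in post #3, as an added example that is not part of the original thread and not Spring Security's own code: a DigestAuthenticationEntryPoint subclass that publishes AuthenticationFailureBadCredentialsEvent itself before delegating, so the failure listener from the first post fires unchanged. The class name AuditingDigestAuthenticationEntryPoint is hypothetical, and the sketch assumes the Spring Security 3.1 API with this bean passed to DigestAuthenticationFilter.setAuthenticationEntryPoint in place of the stock entry point.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.NonceExpiredException;

// Hypothetical class (added example): publishes the failure event the Digest filter never emits.
public class AuditingDigestAuthenticationEntryPoint extends DigestAuthenticationEntryPoint
        implements ApplicationEventPublisherAware {

    // Client-supplied and unverified: used only to label the audit record.
    private static final Pattern USERNAME = Pattern.compile("username=\"([^\"]*)\"");
    private ApplicationEventPublisher publisher;

    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher publisher) {
        this.publisher = publisher;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        String header = request.getHeader("Authorization");
        // No Digest header: the first, credential-less challenge, not a failed login.
        // NonceExpiredException: stale-nonce renegotiation (answered with stale="true").
        if (header != null && header.startsWith("Digest ")
                && !(authException instanceof NonceExpiredException)) {
            Matcher m = USERNAME.matcher(header);
            // Strip control characters so the value cannot inject line breaks into the log.
            String username = m.find() ? m.group(1).replaceAll("\\p{Cntrl}", "") : "";
            UsernamePasswordAuthenticationToken attempt =
                    new UsernamePasswordAuthenticationToken(username, null);
            attempt.setDetails(new WebAuthenticationDetails(request));
            publisher.publishEvent(new AuthenticationFailureBadCredentialsEvent(attempt, authException));
        }
        // Always delegate so the client still receives the 401 Digest challenge.
        super.commence(request, response, authException);
    }
}
```

The username carried in the event comes straight from the request header and has not been verified, so it should be treated as untrusted input wherever the access history is stored or displayed.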
