TL;DR
The classes that publish the AuditEvent object are instantiated by AuditAutoConfiguration which is conditional on an AuditEventRepository. If you don’t want to store the events, e.g., in an InMemoryAuditEventRepository, then you need to either: 1) manually instantiate AuthenticationAuditListener and AuthorizationAuditListener, or 2) listen for AbstractAuthorizationEvent and build up from there.
The Slightly Longer Version
There are a lot of articles on the web about how you can get Spring Security audit events simply by including the spring-boot-starter-actuator artifact, and then creating a listener.
@Component
public class LoginAttemptsLogger {
@EventListener
public void auditEventHappened(
AuditApplicationEvent auditApplicationEvent) {
...
}
}
Not so fast.
If you go back to the Spring docs it does actually point out that:
Auditing can be enabled by providing a bean of type AuditEventRepository in your application’s configuration.
So, if you want the nicely tidied up AuditEvent you have to either
- Provide an implementation of the
AuditEventRepository - Manually instantiate
AuthenticationAuditListenerandAuthorizationAuditListener
@Configuration
public class AuditEventConfiguration {
@Bean
public AuthenticationAuditListener authenticationAuditListener() throws Exception {
return new AuthenticationAuditListener();
}
@Bean
public AuthorizationAuditListener authorizationAuditListener() throws Exception {
return new AuthorizationAuditListener();
}
}
Or, you can go deeper and listen for AbstractAuthorizationEvent.