Spring Security audit events not firing

Posted on February 17, 2021
Tags: spring, java

TL;DR

The classes that publish the AuditEvent object are instantiated by AuditAutoConfiguration, which is conditional on an AuditEventRepository. If you don’t want to store the events, e.g., in an InMemoryAuditEventRepository, then you need to either: 1) manually instantiate AuthenticationAuditListener and AuthorizationAuditListener, or 2) listen for AbstractAuthorizationEvent and build up from there.

The Slightly Longer Version

There are a lot of articles on the web about how you can get Spring Security audit events simply by including the spring-boot-starter-actuator artifact, and then creating a listener.

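import org.springframework.boot.actuate.audit.listener.AuditApplicationEvent;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Component;

@Component
public class LoginAttemptsLogger {

    // Only called when something publishes AuditApplicationEvent (see below).
    @EventListener
    public void auditEventHappened(AuditApplicationEvent auditApplicationEvent) {
        // ...
    }
}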

Not so fast.

If you go back to the Spring docs, they do actually point out that:

Auditing can be enabled by providing a bean of type AuditEventRepository in your application’s configuration.

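So, if you want the nicely tidied up AuditEvent you have to either:

  1. Provide an implementation of the AuditEventRepository
  2. Manually instantiate AuthenticationAuditListener and AuthorizationAuditListener

import org.springframework.boot.actuate.security.AuthenticationAuditListener;
import org.springframework.boot.actuate.security.AuthorizationAuditListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AuditEventConfiguration {

    // Registers the listener beans that publish the AuditEvent objects.
    @Bean
    public AuthenticationAuditListener authenticationAuditListener() {
        return new AuthenticationAuditListener();
    }

    @Bean
    public AuthorizationAuditListener authorizationAuditListener() {
        return new AuthorizationAuditListener();
    }
}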

Or, you can go deeper and listen for AbstractAuthorizationEvent.
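
A sketch of that last option, as an added example (not code from the original post or from Spring Boot): a listener that takes the raw AbstractAuthorizationEvent and writes one log line per event without any AuditEventRepository. The class name RawAuthorizationEventLogger, the log format and the clean() helper are assumptions, and it assumes the Spring Security 5.x event classes in org.springframework.security.access.event.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.event.EventListener;
import org.springframework.security.access.event.AbstractAuthorizationEvent;
import org.springframework.security.access.event.AuthenticationCredentialsNotFoundEvent;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.stereotype.Component;

// Added example: hypothetical class, not part of the original post.
@Component
public class RawAuthorizationEventLogger {

    private static final Logger log = LoggerFactory.getLogger(RawAuthorizationEventLogger.class);

    // Receives every subclass of AbstractAuthorizationEvent that Spring Security publishes.
    @EventListener
    public void onAuthorizationEvent(AbstractAuthorizationEvent event) {
        // The event source is the secured object (for web requests, the filter invocation).
        String resource = clean(String.valueOf(event.getSource()));

        if (event instanceof AuthorizationFailureEvent) {
            // An authenticated (or anonymous) caller was denied access.
            AuthorizationFailureEvent failure = (AuthorizationFailureEvent) event;
            log.warn("AUTHORIZATION_FAILURE principal={} resource={} required={} reason={}",
                    clean(failure.getAuthentication().getName()),
                    resource,
                    failure.getConfigAttributes(),
                    clean(failure.getAccessDeniedException().getMessage()));
        } else if (event instanceof AuthenticationCredentialsNotFoundEvent) {
            // No Authentication was present in the security context at all.
            AuthenticationCredentialsNotFoundEvent missing = (AuthenticationCredentialsNotFoundEvent) event;
            log.warn("AUTHENTICATION_FAILURE principal=<unknown> resource={} reason={}",
                    resource,
                    clean(missing.getCredentialsNotFoundException().getMessage()));
        } else {
            // Any other authorization event, e.g. a successful authorization if those are published.
            log.debug("{} resource={}", event.getClass().getSimpleName(), resource);
        }
    }

    // Principal names and request paths are caller-controlled: replace CR, LF and tab
    // so a crafted username cannot forge extra lines in the audit log.
    private static String clean(String value) {
        return value == null ? "" : value.replaceAll("[\\r\\n\\t]", "_");
    }
}
```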