Spring Security audit events not firing

Posted on February 17, 2021
Tags: spring, java


The classes that publish the AuditEvent object are instantiated by AuditAutoConfiguration which is conditional on an AuditEventRepository. If you don’t want to store the events, e.g., in an InMemoryAuditEventRepository, then you need to either: 1) manually instantiate AuthenticationAuditListener and AuthorizationAuditListener, or 2) listen for AbstractAuthorizationEvent and build up from there.

The Slightly Longer Version

There are a lot of articles on the web about how you can get Spring Security audit events simply by including the spring-boot-starter-actuator artifact, and then creating a listener.

public class LoginAttemptsLogger {

    public void auditEventHappened(
      AuditApplicationEvent auditApplicationEvent) {

Not so fast.

If you go back to the Spring docs it does actually point out that:

Auditing can be enabled by providing a bean of type AuditEventRepository in your application’s configuration.

So, if you want the nicely tidied up AuditEvent you have to either

  1. Provide an implementation of the AuditEventRepository
  2. Manually instantiate AuthenticationAuditListener and AuthorizationAuditListener
public class AuditEventConfiguration {
    public AuthenticationAuditListener authenticationAuditListener() throws Exception {
        return new AuthenticationAuditListener();

    public AuthorizationAuditListener authorizationAuditListener() throws Exception {
        return new AuthorizationAuditListener();

Or, you can go deeper and listen for AbstractAuthorizationEvent.