spring-projects / spring-boot

Spring Boot helps you to create Spring-powered, production-grade applications and services with absolute minimum fuss.
https://spring.io/projects/spring-boot
Apache License 2.0

AuthorizationAuditListener.onAuthorizationFailureEvent() should store accessed resource into event data #10104

Open gmarziou opened 7 years ago

gmarziou commented 7 years ago

Hello, this is an enhancement request for actuator security audit.

Currently, when an access is denied for a REST endpoint, AuthorizationAuditListener publishes an AuditEvent with timestamp, principal, type and data map which stores a subset of the original event data: exception class, exception message, authentication details.

I think this data map should also contain the URI of the resource that was denied access, which can be extracted from event.getSource().

        // Inside AuthorizationAuditListener.onAuthorizationFailureEvent(AuthorizationFailureEvent event);
        // FilterInvocation is org.springframework.security.web.FilterInvocation
        Object source = event.getSource();
        if (source instanceof FilterInvocation) {
            // getRequestUrl() returns the servlet path (plus path info and query string, if any)
            String requestUrl = ((FilterInvocation) source).getRequestUrl();
            data.put("url", requestUrl);
        }

While it is relatively easy to extend AuthorizationAuditListener to add this data, it seems to be a common use case that could be part of the default implementation.

Thanks
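As an added illustration of the enhancement requested above (example code written for this page, not part of Spring Boot or JHipster), the listener below extends Spring Boot's AbstractAuthorizationAuditListener and publishes an AUTHORIZATION_FAILURE audit event whose data map also carries the denied URL and HTTP method whenever the secure object is a web request. The class name ResourceAwareAuthorizationAuditListener, the "url", "method" and "secureObject" keys, and the /api/admin/users request in main() are all assumptions made for the example; the Spring Boot and Spring Security types are real.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.boot.actuate.audit.AuditEvent;
import org.springframework.boot.actuate.audit.listener.AuditApplicationEvent;
import org.springframework.boot.actuate.security.AbstractAuthorizationAuditListener;
import org.springframework.boot.actuate.security.AuthorizationAuditListener;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.event.AbstractAuthorizationEvent;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.FilterInvocation;

/**
 * Hypothetical listener (not Spring Boot's own): audits authorization failures
 * together with the resource that was denied, so that a central log (ELK, a
 * shared AuditEventRepository, ...) can show which endpoint was hit with
 * insufficient authorities.
 */
public class ResourceAwareAuthorizationAuditListener extends AbstractAuthorizationAuditListener {

    @Override
    public void onApplicationEvent(AbstractAuthorizationEvent event) {
        if (event instanceof AuthorizationFailureEvent) {
            publish(toAuditEvent((AuthorizationFailureEvent) event));
        }
    }

    /** Builds the audit event; kept static so it can be exercised without a Spring context. */
    static AuditEvent toAuditEvent(AuthorizationFailureEvent event) {
        Map<String, Object> data = new LinkedHashMap<>();
        // Same exception details the default AuthorizationAuditListener records
        data.put("type", event.getAccessDeniedException().getClass().getName());
        data.put("message", event.getAccessDeniedException().getMessage());

        Object source = event.getSource();
        if (source instanceof FilterInvocation) {
            // Web request: record where the denial happened and how it was called
            FilterInvocation invocation = (FilterInvocation) source;
            data.put("url", invocation.getRequestUrl());
            data.put("method", invocation.getHttpRequest().getMethod());
        }
        else {
            // Method security (@PreAuthorize etc.) wraps a MethodInvocation instead;
            // there is no URL to record, so note the secure object type instead.
            data.put("secureObject", source == null ? "unknown" : source.getClass().getSimpleName());
        }
        return new AuditEvent(event.getAuthentication().getName(),
                AuthorizationAuditListener.AUTHORIZATION_FAILURE, data);
    }

    /** Stand-alone demo: feeds a constructed denial through the listener and prints the audit event. */
    public static void main(String[] args) {
        ResourceAwareAuthorizationAuditListener listener = new ResourceAwareAuthorizationAuditListener();
        List<AuditEvent> published = new ArrayList<>();
        // Capture what the listener publishes instead of wiring a real ApplicationContext
        listener.setApplicationEventPublisher(applicationEvent -> {
            if (applicationEvent instanceof AuditApplicationEvent) {
                published.add(((AuditApplicationEvent) applicationEvent).getAuditEvent());
            }
        });

        // Constructed sample: a plain user sends DELETE to an admin-only endpoint (assumed path)
        FilterInvocation deniedRequest = new FilterInvocation("/api/admin/users", "DELETE");
        AuthorizationFailureEvent failure = new AuthorizationFailureEvent(
                deniedRequest,
                Collections.emptyList(),
                new UsernamePasswordAuthenticationToken("user", "n/a",
                        AuthorityUtils.createAuthorityList("ROLE_USER")),
                new AccessDeniedException("Access is denied"));

        listener.onApplicationEvent(failure);
        // Prints an AuditEvent whose data map now includes url=/api/admin/users and method=DELETE
        System.out.println(published.get(0));
    }
}
```

Registering the class as a bean alongside (or instead of) the default AuthorizationAuditListener is enough for the extra keys to reach every AuditEventRepository and AuditApplicationEvent listener; the branch for non-web secure objects matters because the same AuthorizationFailureEvent type is raised by method security, where the cast to FilterInvocation would otherwise fail.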

wilkinsona commented 7 years ago

it seems to be a common use case that could be part of the default implementation

This is the first time I've seen anyone express an interest in this functionality so I'm not sure that it's a particularly common use case. Can you describe in a bit more detail what it is that you'd like to do with the URL and why you think it should be captured by default?

gmarziou commented 7 years ago

Our application uses a microservices architecture based on Spring Cloud / JHipster, so we use a logstash appender to centralize our logs in ELK where we want to have a dashboard listing all security events. Having the URL (and HTTP method) in event will help to detect REST resources that have been accessed with wrong authorities.

I think it would be useful even without logstash if several instances of an application use a JPA AuditEventRepository over a shared database.

gmarziou commented 7 years ago

No worries, I'll implement it in JHipster

ZoomAll commented 6 years ago

Can you describe in a bit more detail what it is that you'd like to do with the URL and why you think it should be captured by default?

Hello Andy.

I believe that without specifying the resource, AuditEvent loses its meaning. Look at the example:

AuditEvent [timestamp=Thu Nov 30 18:16:23 MSK 2017, principal=user, type=AUTHENTICATION_SUCCESS, data={details=remoteAddress=127.0.0.1, tokenType=BearertokenValue=<TOKEN>}]

AuditEvent [timestamp=Thu Nov 30 18:16:23 MSK 2017, principal=user, type=AUTHENTICATION_SUCCESS, data={details=remoteAddress=127.0.0.1, tokenType=BearertokenValue=<TOKEN>}]

AuditEvent [timestamp=Thu Nov 30 18:16:23 MSK 2017, principal=user, type=AUTHORIZATION_FAILURE, data={details=remoteAddress=127.0.0.1, tokenType=BearertokenValue=<TOKEN>, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]

If the type is *_SUCCESS, nobody is interested in this event. But if not?

AUTHORIZATION_FAILURE, let's see:

remoteAddress=127.0.0.1 == **ok!**
principal=user == **ok!**
message=Access is denied == **ok!**

And that's it? And which specific resource was denied access? That is, there is information, but it is meaningless without the resource that was accessed.