Auditing

Once Spring Security is in play, Spring Boot Actuator has a flexible audit framework that publishes events (by default, “authentication success”, “failure” and “access denied” exceptions). This feature can be very useful for reporting and for implementing a lock-out policy based on authentication failures.

You can enable auditing by providing a bean of type AuditEventRepository in your application’s configuration. For convenience, Spring Boot offers an InMemoryAuditEventRepository. InMemoryAuditEventRepository has limited capabilities, and we recommend using it only for development environments. For production environments, consider creating your own alternative AuditEventRepository implementation.

Custom Auditing

To customize published security events, you can provide your own implementations of AbstractAuthenticationAuditListener and AbstractAuthorizationAuditListener.

You can also use the audit services for your own business events. To do so, either inject the AuditEventRepository bean into your own components and use that directly or publish an AuditApplicationEvent with the Spring ApplicationEventPublisher (by implementing ApplicationEventPublisherAware).
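The lock-out policy and the business-event publishing described above can be combined in one component. The following is an added example, not code from the Spring Boot documentation: the class name `LoginFailureLockout`, the thresholds and the `ACCOUNT_LOCKED` event type are assumptions, and it assumes an `AuditEventRepository` bean is configured so that the security audit events are published.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.boot.actuate.audit.AuditEvent;
import org.springframework.boot.actuate.audit.listener.AuditApplicationEvent;
import org.springframework.boot.actuate.security.AuthenticationAuditListener;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Component;
// Added example: class name, thresholds and the ACCOUNT_LOCKED type are assumptions.
@Component
public class LoginFailureLockout {
    private static final int MAX_FAILURES = 5;
    private static final Duration WINDOW = Duration.ofMinutes(15);
    // Keyed by submitted username: bound or evict in production, clients choose the keys.
    private final Map<String, Deque<Instant>> failures = new ConcurrentHashMap<>();
    private final ApplicationEventPublisher publisher;
    public LoginFailureLockout(ApplicationEventPublisher publisher) { this.publisher = publisher; }
    @EventListener
    public void onAuditEvent(AuditApplicationEvent event) {
        AuditEvent audit = event.getAuditEvent();
        String principal = audit.getPrincipal();
        if (AuthenticationAuditListener.AUTHENTICATION_SUCCESS.equals(audit.getType())) {
            failures.remove(principal); // a successful login resets the count
        } else if (AuthenticationAuditListener.AUTHENTICATION_FAILURE.equals(audit.getType())) {
            Deque<Instant> recent = failures.computeIfAbsent(principal, p -> new ArrayDeque<>());
            synchronized (recent) {
                recent.addLast(audit.getTimestamp());
                if (countRecent(recent, audit.getTimestamp()) == MAX_FAILURES) {
                    // Business event: published once, when the threshold is first reached.
                    publisher.publishEvent(new AuditApplicationEvent(principal, "ACCOUNT_LOCKED",
                            Map.of("failures", MAX_FAILURES, "window", WINDOW.toString())));
                }
            }
        } // other types, including our own ACCOUNT_LOCKED, are ignored
    }
    // Call from the login path to enforce the lock (wiring not shown).
    public boolean isLocked(String principal) {
        Deque<Instant> recent = failures.get(principal);
        if (recent == null) return false;
        synchronized (recent) { return countRecent(recent, Instant.now()) >= MAX_FAILURES; }
    }
    // Drops failures older than WINDOW and returns how many remain.
    private static int countRecent(Deque<Instant> d, Instant now) {
        while (!d.isEmpty() && d.peekFirst().isBefore(now.minus(WINDOW))) d.removeFirst();
        return d.size();
    }
}
```

A lock keyed only on the principal can be triggered by anyone who knows a username, so pair it with per-source throttling. The in-memory state here is lost on restart and is not shared between instances.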