Improve Observability #10964


Open
6 of 18 tasks
jzheaux opened this issue Mar 11, 2022 · 1 comment
Labels: in: core (An issue in spring-security-core), theme: observability, type: enhancement (A general enhancement)

Comments
jzheaux commented Mar 11, 2022

Making Spring Security's actions observable at runtime will help make applications more secure. Following recommendations from OWASP, we should:

  • Add authorization events
  • Add OAuth2 client authorization events
  • Add defense violation events (CSP violation, CSRF violation, firewall rejection, etc.)
  • Add user/password lifecycle events
  • Consider introducing secure header report-uri endpoints

It would be helpful to have a marker class that security events can be identified by:

  • Add SecurityEvent

When these events are fired, Spring Security should:

  • Pipe authentication events to Micrometer
  • Pipe authorization events to Micrometer
  • Pipe defense violation events to Micrometer
  • Pipe session management events to Micrometer
  • Pipe custom security events to Micrometer

It can also help applications evaluate performance and usage. To that end we should:

jzheaux added the status: waiting-for-triage, type: enhancement and in: core labels, then removed the status: waiting-for-triage label Mar 11, 2022
jzheaux added this to the 6.0.x milestone Mar 11, 2022
jzheaux self-assigned this Jul 5, 2022
jzheaux moved this to In Progress in Spring Security Team Sep 20, 2022
jzheaux modified the milestones: 6.0.x, 6.0.0-RC1 Sep 21, 2022
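As an added illustration of the "Pipe authentication events to Micrometer" item in the comment above (example code written for this page, not code from the issue, from Spring Security or from Micrometer), the listener below bridges the authentication events Spring Security already publishes into Micrometer counters. It assumes a Spring Boot application, where `DefaultAuthenticationEventPublisher` is auto-configured and a `MeterRegistry` bean exists; the class name `AuthenticationMetricsListener` and the metric name `security.authentication` are arbitrary choices.

```java
import io.micrometer.core.instrument.Counter;
import io.micrometer.core.instrument.MeterRegistry;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

// Added example (hypothetical class name): counts Spring Security
// authentication outcomes in Micrometer. Assumes Spring Boot has
// auto-configured DefaultAuthenticationEventPublisher and a MeterRegistry.
@Component
public class AuthenticationMetricsListener {

    private final MeterRegistry registry;

    public AuthenticationMetricsListener(MeterRegistry registry) {
        this.registry = registry;
    }

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        // Tag by the Authentication implementation (a bounded set), never by
        // username: per-user tags blow up cardinality and copy identifiers
        // into the metrics backend.
        Counter.builder("security.authentication")
                .tag("outcome", "success")
                .tag("type", event.getAuthentication().getClass().getSimpleName())
                .register(registry)
                .increment();
    }

    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        // The failure exception class (BadCredentialsException, LockedException,
        // DisabledException, ...) is a small fixed set, so it is safe as a tag
        // and is the dimension an alert on failed logins usually needs.
        Counter.builder("security.authentication")
                .tag("outcome", "failure")
                .tag("reason", event.getException().getClass().getSimpleName())
                .register(registry)
                .increment();
    }
}
```

Calling `register` on every event is fine: Micrometer returns the existing meter for an identical name and tag set rather than creating a new one.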
jzheaux commented Oct 13, 2022

Before proceeding with piping events, it's important to understand the following two scenarios:

  • How does this complement (or not) Spring Actuator
  • What does event collection look like when events are published asynchronously

jzheaux added a commit to jzheaux/spring-security that referenced this issue Oct 13, 2022
jzheaux removed this from the 6.0.0-RC1 milestone Oct 13, 2022