spring-security icon indicating copy to clipboard operation
spring-security copied to clipboard
verified publisher icon spring-projects

Publish Authorization Events on WebFlux

Open joshiste opened this issue 8 years ago • 6 comments

When I use the reactive WebFilter in a webflux application no AuthenticationEvents are published

joshiste avatar Jan 12 '18 13:01 joshiste

Thanks for the report. This is currently blocked by https://jira.spring.io/browse/SPR-16481

rwinch avatar Feb 09 '18 16:02 rwinch

@rwinch it is extremely frustrating for your users that this just silently fails with no clue as to why. If you are claiming that Spring Security works for a reactive stack, please update your documentation to be extremely explicit about limitations. Auditing is considered to be a first class capability of Spring Security.

Given @jhoeller comments on https://jira.spring.io/browse/SPR-16481 can you please clarify if there is a workaround or listener class implementation that someone can do in a Reactive Stack with Spring Security. I'm currently working on an application where auditing is not optional.

wyaeld avatar Jul 12 '18 23:07 wyaeld

An overdue response to @wyaeld Just because Spring Security does not publish events, doesn't mean you cannot achieve this. You are able to easily plug in custom success/failure handlers which can publish the events.

rwinch avatar Dec 03 '20 21:12 rwinch

@rwinch Appreciate the reply. Not sure if we are on the same page. The issue that was a core feature of Spring Security no longer worked, without any documentation, using your reactive implementation.

That's a pretty big issue for someone depending on the reliability of your components. As a brief glance, it doesn't appear documentation currently indicates any caveats, but since this doesn't appear to have been treated as a major problem. The handful of linked issues appears to indicate some others are still struggling with it, nearly 3 years after it first reported.

The lack of support or response on this issue forced us to reassess our framework choices, and ultimately select something with a smaller, but more reasonable to understand and maintain implementation of reactive patterns.

wyaeld avatar Dec 04 '20 00:12 wyaeld

Thanks for the reply @wyaeld Sorry for the delayed response. Glad you found something that solved your problem.

rwinch avatar Dec 04 '20 04:12 rwinch

Hi all, I've reworded this ticket to be more clear that it will address the publishing of authorization events on WebFlux. We will probably follow the same approach as the servlet side https://github.com/spring-projects/spring-security/commit/bdd5f86526f010fbb826bd049c4c7eb798296ec7

marcusdacoregio avatar Dec 20 '23 10:12 marcusdacoregio

Are there any updates on this issue? I see a PR yet it was closed without any visible outcomes.

MarcinAman avatar Mar 26 '25 16:03 MarcinAman