此版本仍在开发中,尚未被视为稳定版本。对于最新的稳定版本,请使用 Spring Security 6.4.1spring-doc.cn

可观察性

Spring Security 与开箱即用的 Spring Observability 集成以进行跟踪;尽管配置收集指标也非常简单。spring-doc.cn

描图

当存在 bean 时, Spring Security 会为以下对象创建跟踪:ObservationRegistryspring-doc.cn

引导集成

例如,考虑一个简单的 Boot 应用程序:spring-doc.cn

@SpringBootApplication
public class MyApplication {
	@Bean
	public UserDetailsService userDetailsService() {
		return new InMemoryUserDetailsManager(
				User.withDefaultPasswordEncoder()
						.username("user")
						.password("password")
						.authorities("app")
						.build()
		);
	}

	@Bean
	ObservationRegistryCustomizer<ObservationRegistry> addTextHandler() {
		return (registry) -> registry.observationConfig().observationHandler(new ObservationTextPublisher());
	}

	public static void main(String[] args) {
		SpringApplication.run(ListenerSamplesApplication.class, args);
	}
}
@SpringBootApplication
class MyApplication {
	@Bean
	fun userDetailsService(): UserDetailsService {
		InMemoryUserDetailsManager(
				User.withDefaultPasswordEncoder()
						.username("user")
						.password("password")
						.authorities("app")
						.build()
		);
	}

	@Bean
	fun addTextHandler(): ObservationRegistryCustomizer<ObservationRegistry> {
		return registry: ObservationRegistry -> registry.observationConfig()
				.observationHandler(ObservationTextPublisher());
	}

	fun main(args: Array<String>) {
		runApplication<MyApplication>(*args)
	}
}

以及相应的请求:spring-doc.cn

?> http -a user:password :8080

将产生以下输出(为清楚起见,添加了缩进):spring-doc.cn

START - name='http.server.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@687e16d1', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.001779024, duration(nanos)=1779024.0, startTimeNanos=91695917264958}']
	START - name='spring.security.http.chains', contextualName='spring.security.http.chains.before', error='null', lowCardinalityKeyValues=[chain.position='0', chain.size='17', filter.section='before'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@79f554a5', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=7.42147E-4, duration(nanos)=742147.0, startTimeNanos=91695947182029}']
	... skipped for brevity ...
	STOP - name='spring.security.http.chains', contextualName='spring.security.http.chains.before', error='null', lowCardinalityKeyValues=[chain.position='0', chain.size='17', filter.section='before'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@79f554a5', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.014771848, duration(nanos)=1.4771848E7, startTimeNanos=91695947182029}']
		START - name='spring.security.authentications', contextualName='null', error='null', lowCardinalityKeyValues=[authentication.failure.type='Optional', authentication.method='ProviderManager', authentication.request.type='UsernamePasswordAuthenticationToken'], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@4d4b2b56', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=7.09759E-4, duration(nanos)=709759.0, startTimeNanos=91696094477504}']
		... skipped for brevity ...
		STOP - name='spring.security.authentications', contextualName='null', error='null', lowCardinalityKeyValues=[authentication.failure.type='Optional', authentication.method='ProviderManager', authentication.request.type='UsernamePasswordAuthenticationToken', authentication.result.type='UsernamePasswordAuthenticationToken'], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@4d4b2b56', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.895141386, duration(nanos)=8.95141386E8, startTimeNanos=91696094477504}']
		START - name='spring.security.authorizations', contextualName='null', error='null', lowCardinalityKeyValues=[object.type='Servlet3SecurityContextHolderAwareRequestWrapper'], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@6d834cc7', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=3.0965E-4, duration(nanos)=309650.0, startTimeNanos=91697034893983}']
		... skipped for brevity ...
		STOP - name='spring.security.authorizations', contextualName='null', error='null', lowCardinalityKeyValues=[authorization.decision='true', object.type='Servlet3SecurityContextHolderAwareRequestWrapper'], highCardinalityKeyValues=[authentication.authorities='[app]', authorization.decision.details='AuthorizationDecision [granted=true]'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@6d834cc7', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.02084809, duration(nanos)=2.084809E7, startTimeNanos=91697034893983}']
		START - name='spring.security.http.secured.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@649c5ec3', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=2.67878E-4, duration(nanos)=267878.0, startTimeNanos=91697059819304}']
		... skipped for brevity ...
		STOP - name='spring.security.http.secured.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@649c5ec3', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.090753322, duration(nanos)=9.0753322E7, startTimeNanos=91697059819304}']
	START - name='spring.security.http.chains', contextualName='spring.security.http.chains.after', error='null', lowCardinalityKeyValues=[chain.position='0', chain.size='17', filter.section='after'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@47af8207', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=5.31832E-4, duration(nanos)=531832.0, startTimeNanos=91697152857268}']
	... skipped for brevity ...
	STOP - name='spring.security.http.chains', contextualName='spring.security.http.chains.after', error='null', lowCardinalityKeyValues=[chain.position='17', chain.size='17', current.filter.name='DisableEncodeUrlFilter', filter.section='after'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@47af8207', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.007689382, duration(nanos)=7689382.0, startTimeNanos=91697152857268}']
STOP - name='http.server.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@687e16d1', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=1.245858319, duration(nanos)=1.245858319E9, startTimeNanos=91695917264958}']

手动配置

对于非 Spring Boot 应用程序,或者要覆盖现有的 Boot 配置,您可以发布自己的应用程序,Spring Security 仍将采用它。ObservationRegistryspring-doc.cn

@SpringBootApplication
public class MyApplication {
	@Bean
	public UserDetailsService userDetailsService() {
		return new InMemoryUserDetailsManager(
				User.withDefaultPasswordEncoder()
						.username("user")
						.password("password")
						.authorities("app")
						.build()
		);
	}

	@Bean
	ObservationRegistry<ObservationRegistry> observationRegistry() {
		ObservationRegistry registry = ObservationRegistry.create();
		registry.observationConfig().observationHandler(new ObservationTextPublisher());
		return registry;
	}

	public static void main(String[] args) {
		SpringApplication.run(ListenerSamplesApplication.class, args);
	}
}
@SpringBootApplication
class MyApplication {
	@Bean
	fun userDetailsService(): UserDetailsService {
		InMemoryUserDetailsManager(
				User.withDefaultPasswordEncoder()
						.username("user")
						.password("password")
						.authorities("app")
						.build()
		);
	}

	@Bean
	fun observationRegistry(): ObservationRegistry<ObservationRegistry> {
		ObservationRegistry registry = ObservationRegistry.create()
		registry.observationConfig().observationHandler(ObservationTextPublisher())
		return registry
	}

	fun main(args: Array<String>) {
		runApplication<MyApplication>(*args)
	}
}
<sec:http auto-config="true" observation-registry-ref="ref">
	<sec:intercept-url pattern="/**" access="authenticated"/>
</sec:http>

<!-- define and configure ObservationRegistry bean -->

禁用可观测性

如果您不需要任何 Spring Security 观察结果,则可以在 Spring Boot 应用程序中发布一个 . 但是,这可能会关闭 Spring Security 以外的其他 Observations。ObservationRegistry.NOOP@Beanspring-doc.cn

相反,您可以使用如下所示的 provided 进行更改:ObservationRegistryObservationPredicatespring-doc.cn

@Bean
ObservationRegistryCustomizer<ObservationRegistry> noSpringSecurityObservations() {
	ObservationPredicate predicate = (name, context) -> !name.startsWith("spring.security.");
	return (registry) -> registry.observationConfig().observationPredicate(predicate);
}
@Bean
fun noSpringSecurityObservations(): ObservationRegistryCustomizer<ObservationRegistry> {
	ObservationPredicate predicate = (name: String, context: Observation.Context) -> !name.startsWith("spring.security.")
	(registry: ObservationRegistry) -> registry.observationConfig().observationPredicate(predicate)
}
没有用于禁用具有 XML 支持的观测值的工具。 相反,只需不设置 该属性即可。observation-registry-ref

跟踪列表

Spring Security 在每个请求上跟踪以下 span:spring-doc.cn

  1. spring.security.http.requests- 包装整个过滤器链(包括请求)的 spanspring-doc.cn

  2. spring.security.http.chains.before- 包装安全过滤器的接收部分的 spanspring-doc.cn

  3. spring.security.http.chains.after- 包装安全过滤器的返回部分的 spanspring-doc.cn

  4. spring.security.http.secured.requests- 包装现在保护的应用程序请求的 SPANspring-doc.cn

  5. spring.security.http.unsecured.requests- 包装 Spring Security 不保护的请求的 spanspring-doc.cn

  6. spring.security.authentications- 包装身份验证尝试的 SPANspring-doc.cn

  7. spring.security.authorizations- 包装授权尝试的 SPANspring-doc.cn

spring.security.http.chains.before + spring.security.http.secured.requests + spring.security.http.chains.after = spring.security.http.requests spring.security.http.chains.before + spring.security.http.chains.after= Spring Security 的请求部分