Merge pull request #6 from smartSenseSolutions/feat/handle-event-when-authorization-header-is-missing

nitin-vavdiya · web-flow · commit 37e3dce234c9 · 2024-06-03T10:28:33.000+05:30
feat(HandleEvents): Handle events for authorization/authentication failure.
diff --git a/ss-web/src/main/java/ss/mod/demo/web/config/security/AuthenticationConfig.java b/ss-web/src/main/java/ss/mod/demo/web/config/security/AuthenticationConfig.java
@@ -6,9 +6,12 @@
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationEventPublisher;
+import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -97,5 +100,18 @@ public CorsConfigurationSource corsConfigurationSource() {
         return source;
     }
 
+    /**
+     * This bean is used to publish authentication events, such as successful or failed login attempts.
+     *
+     * @param applicationEventPublisher - This instance is used to publish events to the application context.
+     * @return An instance of DefaultAuthenticationEventPublisher, which implements the AuthenticationEventPublisher interface.
+     * @see AuthenticationEventPublisher
+     * @see DefaultAuthenticationEventPublisher
+     * @see ApplicationEventPublisher
+     */
+    @Bean
+    public AuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
+        return new DefaultAuthenticationEventPublisher(applicationEventPublisher);
+    }
 }
 
diff --git a/ss-web/src/main/java/ss/mod/demo/web/config/security/SecurityEvents.java b/ss-web/src/main/java/ss/mod/demo/web/config/security/SecurityEvents.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2024-25 Smart Sense Consulting Solutions Pvt. Ltd.
+ */
+package ss.mod.demo.web.config.security;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.context.event.EventListener;
+import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
+import org.springframework.security.authorization.AuthorityAuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.stereotype.Component;
+
+import java.util.List;
+
+/**
+ * This class is responsible for handling security events such as failed authentication and authorization.
+ * It uses Spring's EventListener annotation to listen for specific events and logs relevant information.
+ */
+@Component
+@Slf4j
+public class SecurityEvents {
+
+    /**
+     * Event listener method to handle failed authentication events.
+     * This method logs a message when a failed authentication occurs due to an invalid 'Bearer' token.
+     *
+     * @param failures It's containing details about the failed authentication.
+     */
+    @EventListener
+    public void onFailure(AbstractAuthenticationFailureEvent failures) {
+        String excMessage = failures.getException().getMessage();
+        log.warn("Failed Authentication --> Invalid 'Bearer' token. {}", excMessage);
+    }
+
+    /**
+     * Event listener method to handle failed authorization events.
+     * This method logs a message when a failed authorization occurs due to a missing 'Authorization' header.
+     *
+     * @param failure It's containing details about the failed authorization.
+     */
+    @EventListener
+    public void onFailure(AuthorizationDeniedEvent<Object> failure) {
+        AuthorizationDecision decision = failure.getAuthorizationDecision();
+        if (decision instanceof AuthorityAuthorizationDecision authorityAuthorizationDecision) {
+            List<GrantedAuthority> authorities = authorityAuthorizationDecision.getAuthorities().stream().toList();
+            log.warn("Failed Authorization --> Missing 'Authorization' header OR Required roles are missing in the token. Required roles are {}", authorities);
+        } else {
+            log.warn("Failed Authorization --> Some issue in authorization.");
+        }
+    }
+}
