可觀察性
Spring Security 開箱即用地與 Spring Observability 整合以進行追蹤;儘管配置起來也很簡單以收集指標。
追蹤
當存在 ObservationRegistry bean 時,Spring Security 會為以下項目建立追蹤:
-
篩選器鏈
-
AuthenticationManager,以及 -
AuthorizationManager
Boot 整合
例如,考慮一個簡單的 Boot 應用程式
-
Java
-
Kotlin
@SpringBootApplication
public class MyApplication {
@Bean
public UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager(
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.authorities("app")
.build()
);
}
@Bean
ObservationRegistryCustomizer<ObservationRegistry> addTextHandler() {
return (registry) -> registry.observationConfig().observationHandler(new ObservationTextPublisher());
}
public static void main(String[] args) {
SpringApplication.run(ListenerSamplesApplication.class, args);
}
}@SpringBootApplication
class MyApplication {
@Bean
fun userDetailsService(): UserDetailsService {
InMemoryUserDetailsManager(
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.authorities("app")
.build()
);
}
@Bean
fun addTextHandler(): ObservationRegistryCustomizer<ObservationRegistry> {
return registry: ObservationRegistry -> registry.observationConfig()
.observationHandler(ObservationTextPublisher());
}
fun main(args: Array<String>) {
runApplication<MyApplication>(*args)
}
}以及對應的請求
?> http -a user:password :8080將產生以下輸出(為了清晰起見添加了縮排)
START - name='http.server.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@687e16d1', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.001779024, duration(nanos)=1779024.0, startTimeNanos=91695917264958}']
START - name='spring.security.http.chains', contextualName='spring.security.http.chains.before', error='null', lowCardinalityKeyValues=[chain.position='0', chain.size='17', filter.section='before'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@79f554a5', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=7.42147E-4, duration(nanos)=742147.0, startTimeNanos=91695947182029}']
... skipped for brevity ...
STOP - name='spring.security.http.chains', contextualName='spring.security.http.chains.before', error='null', lowCardinalityKeyValues=[chain.position='0', chain.size='17', filter.section='before'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@79f554a5', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.014771848, duration(nanos)=1.4771848E7, startTimeNanos=91695947182029}']
START - name='spring.security.authentications', contextualName='null', error='null', lowCardinalityKeyValues=[authentication.failure.type='Optional', authentication.method='ProviderManager', authentication.request.type='UsernamePasswordAuthenticationToken'], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@4d4b2b56', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=7.09759E-4, duration(nanos)=709759.0, startTimeNanos=91696094477504}']
... skipped for brevity ...
STOP - name='spring.security.authentications', contextualName='null', error='null', lowCardinalityKeyValues=[authentication.failure.type='Optional', authentication.method='ProviderManager', authentication.request.type='UsernamePasswordAuthenticationToken', authentication.result.type='UsernamePasswordAuthenticationToken'], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@4d4b2b56', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.895141386, duration(nanos)=8.95141386E8, startTimeNanos=91696094477504}']
START - name='spring.security.authorizations', contextualName='null', error='null', lowCardinalityKeyValues=[object.type='Servlet3SecurityContextHolderAwareRequestWrapper'], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@6d834cc7', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=3.0965E-4, duration(nanos)=309650.0, startTimeNanos=91697034893983}']
... skipped for brevity ...
STOP - name='spring.security.authorizations', contextualName='null', error='null', lowCardinalityKeyValues=[authorization.decision='true', object.type='Servlet3SecurityContextHolderAwareRequestWrapper'], highCardinalityKeyValues=[authentication.authorities='[app]', authorization.decision.details='AuthorizationDecision [granted=true]'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@6d834cc7', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.02084809, duration(nanos)=2.084809E7, startTimeNanos=91697034893983}']
START - name='spring.security.http.secured.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@649c5ec3', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=2.67878E-4, duration(nanos)=267878.0, startTimeNanos=91697059819304}']
... skipped for brevity ...
STOP - name='spring.security.http.secured.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@649c5ec3', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.090753322, duration(nanos)=9.0753322E7, startTimeNanos=91697059819304}']
START - name='spring.security.http.chains', contextualName='spring.security.http.chains.after', error='null', lowCardinalityKeyValues=[chain.position='0', chain.size='17', filter.section='after'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@47af8207', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=5.31832E-4, duration(nanos)=531832.0, startTimeNanos=91697152857268}']
... skipped for brevity ...
STOP - name='spring.security.http.chains', contextualName='spring.security.http.chains.after', error='null', lowCardinalityKeyValues=[chain.position='17', chain.size='17', current.filter.name='DisableEncodeUrlFilter', filter.section='after'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@47af8207', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.007689382, duration(nanos)=7689382.0, startTimeNanos=91697152857268}']
STOP - name='http.server.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@687e16d1', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=1.245858319, duration(nanos)=1.245858319E9, startTimeNanos=91695917264958}']手動組態
對於非 Spring Boot 應用程式,或要覆寫現有的 Boot 組態,您可以發布自己的 ObservationRegistry,而 Spring Security 仍然會選取它。
-
Java
-
Kotlin
-
Xml
@SpringBootApplication
public class MyApplication {
@Bean
public UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager(
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.authorities("app")
.build()
);
}
@Bean
ObservationRegistry<ObservationRegistry> observationRegistry() {
ObservationRegistry registry = ObservationRegistry.create();
registry.observationConfig().observationHandler(new ObservationTextPublisher());
return registry;
}
public static void main(String[] args) {
SpringApplication.run(ListenerSamplesApplication.class, args);
}
}@SpringBootApplication
class MyApplication {
@Bean
fun userDetailsService(): UserDetailsService {
InMemoryUserDetailsManager(
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.authorities("app")
.build()
);
}
@Bean
fun observationRegistry(): ObservationRegistry<ObservationRegistry> {
ObservationRegistry registry = ObservationRegistry.create()
registry.observationConfig().observationHandler(ObservationTextPublisher())
return registry
}
fun main(args: Array<String>) {
runApplication<MyApplication>(*args)
}
}<sec:http auto-config="true" observation-registry-ref="ref">
<sec:intercept-url pattern="/**" access="authenticated"/>
</sec:http>
<!-- define and configure ObservationRegistry bean -->停用可觀察性
如果您不想要任何 Spring Security 的觀察,在 Spring Boot 應用程式中,您可以發布一個 ObservationRegistry.NOOP @Bean。但是,這可能會關閉不只是 Spring Security 的觀察。
相反地,您可以使用 ObservationPredicate 來更改提供的 ObservationRegistry,如下所示
-
Java
-
Kotlin
@Bean
ObservationRegistryCustomizer<ObservationRegistry> noSpringSecurityObservations() {
ObservationPredicate predicate = (name, context) -> !name.startsWith("spring.security.");
return (registry) -> registry.observationConfig().observationPredicate(predicate);
}@Bean
fun noSpringSecurityObservations(): ObservationRegistryCustomizer<ObservationRegistry> {
ObservationPredicate predicate = (name: String, context: Observation.Context) -> !name.startsWith("spring.security.")
(registry: ObservationRegistry) -> registry.observationConfig().observationPredicate(predicate)
}XML 支援沒有用於停用觀察的功能。相反地,只需不要設定 observation-registry-ref 屬性即可。 |
追蹤列表
Spring Security 在每個請求上追蹤以下 span
-
spring.security.http.requests- 包裹整個篩選器鏈的 span,包括請求 -
spring.security.http.chains.before- 包裹安全性篩選器接收部分的 span -
spring.security.http.chains.after- 包裹安全性篩選器返回部分的 span -
spring.security.http.secured.requests- 包裹現在受保護的應用程式請求的 span -
spring.security.http.unsecured.requests- 包裹 Spring Security 未保護的請求的 span -
spring.security.authentications- 包裹驗證嘗試的 span -
spring.security.authorizations- 包裹授權嘗試的 span
spring.security.http.chains.before + spring.security.http.secured.requests + spring.security.http.chains.after = spring.security.http.requests spring.security.http.chains.before + spring.security.http.chains.after = Spring Security 的請求部分 |
