可觀測性
Spring Security 開箱即用地與 Spring Observability 整合以進行追蹤;同時,配置度量收集也相當簡單。
追蹤
當存在 ObservationRegistry bean 時,Spring Security 會為以下內容建立追蹤:
-
過濾器鏈
-
AuthenticationManager,以及 -
AuthorizationManager
Boot 整合
例如,考慮一個簡單的 Boot 應用程式
-
Java
-
Kotlin
@SpringBootApplication
public class MyApplication {
@Bean
public UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager(
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.authorities("app")
.build()
);
}
@Bean
ObservationRegistryCustomizer<ObservationRegistry> addTextHandler() {
return (registry) -> registry.observationConfig().observationHandler(new ObservationTextPublisher());
}
public static void main(String[] args) {
SpringApplication.run(ListenerSamplesApplication.class, args);
}
}@SpringBootApplication
class MyApplication {
@Bean
fun userDetailsService(): UserDetailsService {
InMemoryUserDetailsManager(
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.authorities("app")
.build()
);
}
@Bean
fun addTextHandler(): ObservationRegistryCustomizer<ObservationRegistry> {
return registry: ObservationRegistry -> registry.observationConfig()
.observationHandler(ObservationTextPublisher());
}
fun main(args: Array<String>) {
runApplication<MyApplication>(*args)
}
}以及相應的請求
?> http -a user:password :8080將產生以下輸出(為清晰起見添加了縮排)
START - name='http.server.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@687e16d1', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.001779024, duration(nanos)=1779024.0, startTimeNanos=91695917264958}']
START - name='spring.security.http.chains', contextualName='spring.security.http.chains.before', error='null', lowCardinalityKeyValues=[chain.position='0', chain.size='17', filter.section='before'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@79f554a5', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=7.42147E-4, duration(nanos)=742147.0, startTimeNanos=91695947182029}']
... skipped for brevity ...
STOP - name='spring.security.http.chains', contextualName='spring.security.http.chains.before', error='null', lowCardinalityKeyValues=[chain.position='0', chain.size='17', filter.section='before'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@79f554a5', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.014771848, duration(nanos)=1.4771848E7, startTimeNanos=91695947182029}']
START - name='spring.security.authentications', contextualName='null', error='null', lowCardinalityKeyValues=[authentication.failure.type='Optional', authentication.method='ProviderManager', authentication.request.type='UsernamePasswordAuthenticationToken'], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@4d4b2b56', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=7.09759E-4, duration(nanos)=709759.0, startTimeNanos=91696094477504}']
... skipped for brevity ...
STOP - name='spring.security.authentications', contextualName='null', error='null', lowCardinalityKeyValues=[authentication.failure.type='Optional', authentication.method='ProviderManager', authentication.request.type='UsernamePasswordAuthenticationToken', authentication.result.type='UsernamePasswordAuthenticationToken'], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@4d4b2b56', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.895141386, duration(nanos)=8.95141386E8, startTimeNanos=91696094477504}']
START - name='spring.security.authorizations', contextualName='null', error='null', lowCardinalityKeyValues=[object.type='Servlet3SecurityContextHolderAwareRequestWrapper'], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@6d834cc7', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=3.0965E-4, duration(nanos)=309650.0, startTimeNanos=91697034893983}']
... skipped for brevity ...
STOP - name='spring.security.authorizations', contextualName='null', error='null', lowCardinalityKeyValues=[authorization.decision='true', object.type='Servlet3SecurityContextHolderAwareRequestWrapper'], highCardinalityKeyValues=[authentication.authorities='[app]', authorization.decision.details='AuthorizationDecision [granted=true]'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@6d834cc7', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.02084809, duration(nanos)=2.084809E7, startTimeNanos=91697034893983}']
START - name='spring.security.http.secured.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@649c5ec3', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=2.67878E-4, duration(nanos)=267878.0, startTimeNanos=91697059819304}']
... skipped for brevity ...
STOP - name='spring.security.http.secured.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@649c5ec3', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.090753322, duration(nanos)=9.0753322E7, startTimeNanos=91697059819304}']
START - name='spring.security.http.chains', contextualName='spring.security.http.chains.after', error='null', lowCardinalityKeyValues=[chain.position='0', chain.size='17', filter.section='after'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@47af8207', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=5.31832E-4, duration(nanos)=531832.0, startTimeNanos=91697152857268}']
... skipped for brevity ...
STOP - name='spring.security.http.chains', contextualName='spring.security.http.chains.after', error='null', lowCardinalityKeyValues=[chain.position='17', chain.size='17', current.filter.name='DisableEncodeUrlFilter', filter.section='after'], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@47af8207', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.007689382, duration(nanos)=7689382.0, startTimeNanos=91697152857268}']
STOP - name='http.server.requests', contextualName='null', error='null', lowCardinalityKeyValues=[], highCardinalityKeyValues=[request.line='GET /'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@687e16d1', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=1.245858319, duration(nanos)=1.245858319E9, startTimeNanos=91695917264958}']手動配置
對於非 Spring Boot 應用程式,或者要覆蓋現有的 Boot 配置,您可以釋出自己的 ObservationRegistry,Spring Security 仍會將其拾取。
-
Java
-
Kotlin
-
Xml
@SpringBootApplication
public class MyApplication {
@Bean
public UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager(
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.authorities("app")
.build()
);
}
@Bean
ObservationRegistry observationRegistry() {
ObservationRegistry registry = ObservationRegistry.create();
registry.observationConfig().observationHandler(new ObservationTextPublisher());
return registry;
}
public static void main(String[] args) {
SpringApplication.run(ListenerSamplesApplication.class, args);
}
}@SpringBootApplication
class MyApplication {
@Bean
fun userDetailsService(): UserDetailsService {
InMemoryUserDetailsManager(
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.authorities("app")
.build()
);
}
@Bean
fun observationRegistry(): ObservationRegistry {
ObservationRegistry registry = ObservationRegistry.create()
registry.observationConfig().observationHandler(ObservationTextPublisher())
return registry
}
fun main(args: Array<String>) {
runApplication<MyApplication>(*args)
}
}<sec:http auto-config="true" observation-registry-ref="ref">
<sec:intercept-url pattern="/**" access="authenticated"/>
</sec:http>
<!-- define and configure ObservationRegistry bean -->停用可觀測性
如果您不希望有任何 Spring Security 觀測,在 Spring Boot 應用程式中,您可以釋出一個 ObservationRegistry.NOOP @Bean。然而,這可能會停用不僅僅是 Spring Security 的觀測。
相反,您可以釋出一個如下所示的 SecurityObservationSettings
-
Java
-
Kotlin
@Bean
SecurityObservationSettings noSpringSecurityObservations() {
return SecurityObservationSettings.noObservations();
}@Bean
fun noSpringSecurityObservations(): SecurityObservationSettings {
return SecurityObservationSettings.noObservations()
}然後 Spring Security 將不會將任何過濾器鏈、認證或授權包裝到其 ObservationXXX 對應項中。
XML 支援沒有停用觀測的功能。相反,只需不設定 observation-registry-ref 屬性。 |
您還可以僅停用部分 Security 觀測。例如,SecurityObservationSettings bean 預設排除過濾器鏈觀測。因此,您也可以這樣做:
-
Java
-
Kotlin
@Bean
SecurityObservationSettings defaultSpringSecurityObservations() {
return SecurityObservationSettings.withDefaults().build();
}@Bean
fun defaultSpringSecurityObservations(): SecurityObservationSettings {
return SecurityObservationSettings.withDefaults().build()
}或者您可以根據預設設定單獨開啟和關閉觀測
-
Java
-
Kotlin
@Bean
SecurityObservationSettings allSpringSecurityObservations() {
return SecurityObservationSettings.withDefaults()
.shouldObserveFilterChains(true).build();
}@Bean
fun allSpringSecurityObservations(): SecurityObservationSettings {
return SecurityObservationSettings.builder()
.shouldObserveFilterChains(true).build()
}|
為了向後相容,除非釋出 |
追蹤列表
Spring Security 在每個請求上跟蹤以下 span:
-
spring.security.http.requests- 一個包裝整個過濾器鏈(包括請求)的 span -
spring.security.http.chains.before- 一個包裝安全過濾器接收部分的 span -
spring.security.http.chains.after- 一個包裝安全過濾器返回部分的 span -
spring.security.http.secured.requests- 一個包裝現在已受保護的應用程式請求的 span -
spring.security.http.unsecured.requests- 一個包裝 Spring Security 未受保護請求的 span -
spring.security.authentications- 一個包裝認證嘗試的 span -
spring.security.authorizations- 一個包裝授權嘗試的 span
spring.security.http.chains.before + spring.security.http.secured.requests + spring.security.http.chains.after = spring.security.http.requestsspring.security.http.chains.before + spring.security.http.chains.after = Spring Security 的請求部分 |
