GhostProgrammer - Jeff Miller

Team to Create Outside the Box

Spring Events

Tracking User Lifecycle: Capturing Login, Failed Login, and Signup Events in Spring Authorization Server

ByJeffery Miller

May 13, 2025

Understanding how users interact with your Spring Authorization Server is crucial for security, auditing, and gaining insights into user behavior. By capturing key lifecycle events like successful logins, failed login attempts, and new user signups, you can build a robust monitoring system. This post will guide you through the process of implementing this event tracking.

Core Principle: Leveraging Spring Security’s Event Mechanism

Spring Security thoughtfully publishes various application events during the authentication process. We can tap into this mechanism by creating event listeners that react to specific events, allowing us to record and process the information we need.

1. Capturing Successful Login Events:

When a user successfully authenticates, Spring Security fires an AuthenticationSuccessEvent. We can create an ApplicationListener to capture this event.

Java

import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

import java.time.LocalDateTime;

@Component
public class LoginSuccessListener implements ApplicationListener<AuthenticationSuccessEvent> {

    private final YourAuditEventRepository auditEventRepository; // Assuming you have a repository

    public LoginSuccessListener(YourAuditEventRepository auditEventRepository) {
        this.auditEventRepository = auditEventRepository;
    }

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        Authentication authentication = event.getAuthentication();
        String username = authentication.getName(); // Retrieve the authenticated username

        AuditEvent loginEvent = new AuditEvent();
        loginEvent.setEventType("LOGIN_SUCCESS");
        loginEvent.setUsername(username);
        loginEvent.setTimestamp(LocalDateTime.now());
        // Consider capturing additional details like IP address if available in the request context

        auditEventRepository.save(loginEvent);
        System.out.println("Successful login by: " + username + " at " + LocalDateTime.now()); // Replace with your logging
    }
}

Breakdown:

  • We implement ApplicationListener<AuthenticationSuccessEvent> to specifically listen for successful authentication events.
  • The onApplicationEvent method is automatically invoked when an AuthenticationSuccessEvent occurs.
  • We extract the Authentication object from the event to access the authenticated principal’s name (the username).
  • An AuditEvent entity (which you’ll need to define) is created to store the event details.
  • The AuditEvent is saved to your audit log repository.
  • A System.out.println is used for demonstration; in a real-world scenario, integrate with a proper logging framework.

2. Capturing Failed Login Attempts:

When authentication fails due to incorrect credentials, Spring Security publishes an AuthenticationFailureBadCredentialsEvent. We can create another ApplicationListener to handle these events.

Java

import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.stereotype.Component;

import java.time.LocalDateTime;

@Component
public class AuthenticationFailureListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {

    private final YourAuditEventRepository auditEventRepository;

    public AuthenticationFailureListener(YourAuditEventRepository auditEventRepository) {
        this.auditEventRepository = auditEventRepository;
    }

    @Override
    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
        String username = (String) event.getAuthentication().getPrincipal(); // Get the attempted username

        AuditEvent failedLoginEvent = new AuditEvent();
        failedLoginEvent.setEventType("LOGIN_FAILURE");
        failedLoginEvent.setUsername(username);
        failedLoginEvent.setTimestamp(LocalDateTime.now());
        // Optionally, you can capture the exception message: event.getException().getMessage()

        auditEventRepository.save(failedLoginEvent);
        System.out.println("Failed login attempt for user: " + username + " at " + LocalDateTime.now()); // Replace with your logging
    }
}

Explanation:

  • We implement ApplicationListener<AuthenticationFailureBadCredentialsEvent>.
  • In the onApplicationEvent method, we retrieve the attempted username from event.getAuthentication().getPrincipal().
  • An AuditEvent with the LOGIN_FAILURE event type is created.
  • The details of the failed login attempt are saved.

3. Capturing Signup Events:

User signup is typically a custom process you implement within your Spring Authorization Server. To capture these events, you’ll need to explicitly trigger the audit event logging within your signup controller or service logic.

Java

import org.springframework.stereotype.Service;

import java.time.LocalDateTime;

@Service
public class UserService {

    private final YourUserRepository userRepository;
    private final YourAuditEventRepository auditEventRepository;

    public UserService(YourUserRepository userRepository, YourAuditEventRepository auditEventRepository) {
        this.userRepository = userRepository;
        this.auditEventRepository = auditEventRepository;
    }

    public void registerNewUser(UserRegistrationDTO registrationDTO) {
        // 1. Validate the registration details
        // ...

        // 2. Create and save the new user
        User newUser = new User();
        newUser.setUsername(registrationDTO.getUsername());
        // ... set other user properties ...
        userRepository.save(newUser);

        // 3. Log the signup event
        AuditEvent signupEvent = new AuditEvent();
        signupEvent.setEventType("SIGNUP_SUCCESS");
        signupEvent.setUsername(newUser.getUsername());
        signupEvent.setTimestamp(LocalDateTime.now());
        auditEventRepository.save(signupEvent);

        System.out.println("New user signed up: " + newUser.getUsername() + " at " + LocalDateTime.now()); // Replace with your logging

        // 4. Potentially send a welcome email or perform other post-signup actions
        // ...
    }
}

How it Works:

  • Within your signup processing logic (e.g., in a UserService), after a new user is successfully created and persisted, you create an AuditEvent with the SIGNUP_SUCCESS event type.
  • The new user’s username and the current timestamp are recorded.
  • The AuditEvent is saved to your audit log.

Database Considerations:

You’ll need a database table to persist these audit events. A sample AuditEvent entity might look like this:

Java

import jakarta.persistence.*;
import java.time.LocalDateTime;

@Entity
@Table(name = "audit_events")
public class AuditEvent {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Column(nullable = false)
    private String eventType;

    private String username;

    @Column(nullable = false)
    private LocalDateTime timestamp;

    // Getters and setters
    // ...
}

And you’ll need a corresponding JPA repository (YourAuditEventRepository) to interact with this table.

Key Takeaways and Best Practices:

  • Error Handling: Implement robust error handling in your event listeners to prevent exceptions from disrupting the authentication flow.
  • Asynchronous Logging: For high-traffic environments, consider using asynchronous event listeners (@Async) to avoid blocking request processing while writing to the audit log.
  • Security of Logs: Ensure your audit logs are stored securely and access is restricted.
  • Contextual Information: Enhance your audit logs by capturing additional relevant information like IP addresses, user agents, or client details. You might need to access the HttpServletRequest for this.
  • Proper Logging: Integrate with a mature logging framework (like Logback or Log4j2) for better log management and configuration.
  • Customization: Tailor the AuditEvent entity and the captured information to meet your specific auditing and monitoring requirements.

By implementing these strategies, you can effectively track crucial user lifecycle events in your Spring Authorization Server, providing valuable insights for security monitoring, compliance, and understanding user engagement. Remember to adapt the code and the information you capture to align with your application’s specific needs.

Discover more from GhostProgrammer - Jeff Miller

Subscribe to get the latest posts sent to your email.

By Jeffery Miller

I am known for being able to quickly decipher difficult problems to assist development teams in producing a solution. I have been called upon to be the Team Lead for multiple large-scale projects. I have a keen interest in learning new technologies, always ready for a new challenge.

Related Post

Spring Events

Streamlining User Events: Integrating AWS Cognito with Kafka

May 12, 2025 Jeffery Miller
Spring Events

Spring into Action with Spring Events: A Comprehensive Guide

Jan 29, 2025 Jeffery Miller

You missed

Spring Events

Tracking User Lifecycle: Capturing Login, Failed Login, and Signup Events in Spring Authorization Server

May 13, 2025 Jeffery Miller
Spring Discovery

Simplifying Microservices Communication with the Java Spring Discovery Client

May 12, 2025 Jeffery Miller
Java HTTP

HTTP Server ContextHandler in a Jar

May 12, 2025 Jeffery Miller
Spring Solutions

Streamlining Key Generation in Spring: A Service-Based Approach

May 12, 2025 Jeffery Miller