Make Security Observations Selectable #15678

Closed
jzheaux opened this issue Aug 22, 2024 · 0 comments
jzheaux commented Aug 22, 2024

To configure which observations Security should make, it's needed to provide an ObservationPredicate. For example, in a boot application you can disable all security observations like so:

```java
@Bean
ObservationRegistryCustomizer<ObservationRegistry> noSpringSecurityObservations() {
	ObservationPredicate predicate = (name, context) -> !name.startsWith("spring.security.");
	return (registry) -> registry.observationConfig().observationPredicate(predicate);
}
```

This may feel counter-intuitive and there is thus a temptation to do (name, context) -> name.startsWith("spring.security.*") which instead would turn off all observations application-wide, except for the Spring Security observations.

Also, an application could reasonably want to turn off the filter chain observations while leaving the authentication and authorization observations intact, and it is cumbersome to require an application to formulate the appropriate logic to honor the various observation names.

One way to simplify this would be to publish a defaults object:

```java
public final class ObservabilityDefaults {
    public boolean observeRequests();

    public static ObservabilityDefaults.Builder withDefaults();

    public static ObservabilityDefaults noObservations();

    // ... etc
}
```

HttpSecurity and @EnableMethodSecurity could optionally depend on this bean and apply the correct ObservationWebFilterDecorator, ObservationAuthenticationManager, and ObservationAuthorizationManager instances accordingly.

The nice thing about this approach is that Spring Security could avoid wrapping the filter chain, authentications, and authorizations in more situations, improving runtime performance.

Finally, this allows us to better articulate a change to the defaults in future major versions of Spring Security, for example by leaving a subset of the observations off by default, something that has been requested in spring-projects/spring-boot#34133
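The predicate behaviour described in this issue, as an added example that is not part of the original issue or of Spring Security's code: it evaluates the issue's predicate, its inverted form, and a selective predicate that keeps only authentication and authorization observations against a constructed list of names. It assumes `micrometer-observation` is on the classpath; the class name and the specific `spring.security.*` observation names are assumptions to check against your Spring Security version.

```java
import io.micrometer.observation.Observation;
import io.micrometer.observation.ObservationPredicate;

import java.util.List;
import java.util.Set;

public class SecurityObservationPredicates {

    private static final String PREFIX = "spring.security.";

    // Assumed observation names (Spring Security 6.x); verify against your version.
    private static final Set<String> KEEP = Set.of(
            "spring.security.authentications",
            "spring.security.authorizations");

    // Form from the issue: drop every Spring Security observation, keep the rest.
    static final ObservationPredicate NO_SECURITY =
            (name, context) -> !name.startsWith(PREFIX);

    // Inverted form: keeps only Spring Security observations and drops everything else.
    static final ObservationPredicate INVERTED =
            (name, context) -> name.startsWith(PREFIX);

    // Selective form: drop filter chain and request observations, keep authn/authz.
    static final ObservationPredicate AUTH_ONLY =
            (name, context) -> !name.startsWith(PREFIX) || KEEP.contains(name);

    public static void main(String[] args) {
        // Constructed sample names, not captured from a running application.
        List<String> names = List.of(
                "http.server.requests",
                "spring.security.filterchains",
                "spring.security.http.secured.requests",
                "spring.security.authentications",
                "spring.security.authorizations");
        Observation.Context context = new Observation.Context();
        System.out.printf("%-40s %-12s %-9s %s%n",
                "observation", "NO_SECURITY", "INVERTED", "AUTH_ONLY");
        for (String name : names) {
            // true means the observation is recorded, false means it is suppressed.
            System.out.printf("%-40s %-12b %-9b %b%n", name,
                    NO_SECURITY.test(name, context),
                    INVERTED.test(name, context),
                    AUTH_ONLY.test(name, context));
        }
    }
}
```

Any of these predicates can be registered through the same `ObservationRegistryCustomizer` bean shown in the issue. `String.startsWith` compares literally, so a trailing `*` in the prefix is not treated as a wildcard.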

@jzheaux jzheaux added type: enhancement A general enhancement in: core An issue in spring-security-core labels Aug 22, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 23, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 23, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 23, 2024
@jzheaux jzheaux added this to the 6.4.0-RC1 milestone Sep 26, 2024
@jzheaux jzheaux self-assigned this Sep 26, 2024
jzheaux added a commit that referenced this issue Dec 9, 2024