Activating Authorization Success Event Publish Feature


Spring Security publishes various authentication and authorization events during performing its security checks. Spring managed beans which implement ApplicationListener interface or beans with methods annotated with @EventListener can consume those events within the application. One of those security related events is AuthorizedEvent which indicates that user request is allowed to access secure web resource. It is, however, disabled by default.

In this post, I will try to explain to you how to activate publishing AuthorizedEvents whenever successful authorization occurs within your system. Authorization events are published by FilterSecurityInterceptor bean which is configured by Spring Security element by default. It has a property setter, namely setPublishSuccessAuthorization(..) through which publishing authorization success events are activated. Unfortunately, Spring Security provides no way to pass value to this property within element. There are, however, several ways to change this property value into true and let Spring Security to publish events after successful authorization operation.

One way is not to employ element and configure whose Spring Security filter chain and to configure it and FilterSecurityInterceptor bean via explicit bean definitions. However, that way we lose advantages of configuring Spring Security Filter Chain via security namespace elements.

The other way is a lot easier. It also exploits Spring’s event mechanism itself. Here we keep regular Spring Security namespace configuration, and only we need to create a bean which handles Spring’s ContextRefreshedEvent. When Spring ApplicationContext is ready to use, ContextRefreshedevent is fired, and we can perform a bean lookup for FilterSecurityInterceptor bean which is implicitly defined via element. When we obtain that bean it is only required to invoke setPublishSuccessAuthorization(..) to enable authorization success events. That’s all!

public class SecurityConfigurer {

	private ApplicationContext applicationContext;

	public void handle(ContextRefreshedEvent event) {
		FilterSecurityInterceptor fsi = applicationContext

	public void handle(AuthorizedEvent event) {