How to log security access audits

Question

I have the following spring security configuration:

 <security:http>
   ......
     <security:intercept-url pattern="/auth/**"  access="ROLE_ADMIN"/>
   ......... 
</security:http>

I would like to log every case when "ROLE_ADMIN" user hits any of "/auth/**" URL pattern.

Can I put some kind of interceptor on this pattern?

Answer 1

I had to do the same thing. Use an @Aspect which fires for every execution of a handler method in your /auth/ controller. Annotate the class as a @Component so its a Spring bean, add the AspectJ @Aspect annotation, and you can then inspect the JoinPoint for whatever the user is doing - method signature, objects, etc. Write whatever you find to an audit table.

See http://static.springsource.org/spring/docs/current/reference/aop.html for full details. I would think a @Before or @After would work for your purposes.