Custom Audit Log With Spring And Hibernate
If you need to have automatic auditing of all database operations and you are using Hibernate…you should use Envers or spring data jpa auditing. But if for some reasons you can’t use Envers, you can achieve something similar with hibernate event listeners and spring transaction synchronization.
First, start with the event listener. You should capture all insert, update and delete operations. But there’s a tricky bit – if you need to flush the session for any reason, you can’t directly execute that logic with the session that is passed to the event listener. In my case I had to fetch some data, and hibernate started throwing exceptions at me (“id is null”). Multiple sources confirmed that you should not interact with the database in the event listeners. So instead, you should store the events for later processing. And you can register the listener as a spring bean as shown here.
@Component public class AuditLogEventListener implements PostUpdateEventListener, PostInsertEventListener, PostDeleteEventListener { @Override public void onPostDelete(PostDeleteEvent event) { AuditedEntity audited = event.getEntity().getClass().getAnnotation(AuditedEntity.class); if (audited != null) { AuditLogServiceData.getHibernateEvents().add(event); } } @Override public void onPostInsert(PostInsertEvent event) { AuditedEntity audited = event.getEntity().getClass().getAnnotation(AuditedEntity.class); if (audited != null) { AuditLogServiceData.getHibernateEvents().add(event); } } @Override public void onPostUpdate(PostUpdateEvent event) { AuditedEntity audited = event.getEntity().getClass().getAnnotation(AuditedEntity.class); if (audited != null) { AuditLogServiceData.getHibernateEvents().add(event); } } @Override public boolean requiresPostCommitHanding(EntityPersister persister) { return true; // Envers sets this to true only if the entity is versioned. So figure out for yourself if that's needed } }
Notice the AuditedEntity
– it is a custom marker annotation (retention=runtime, target=type) that you can put ontop of your entities.
To be honest, I didn’t fully follow how Envers does the persisting, but as I also have spring at my disposal, in my AuditLogServiceData
class I decided to make use of spring:
/** * {@link AuditLogServiceStores} stores here audit log information It records all * changes to the entities in spring transaction synchronizaton resources, which * are in turn stored as {@link ThreadLocal} variables for each thread. Each thread * /transaction is using own copy of this data. */ public class AuditLogServiceData { private static final String HIBERNATE_EVENTS = "hibernateEvents"; @SuppressWarnings("unchecked") public static List<Object> getHibernateEvents() { if (!TransactionSynchronizationManager.hasResource(HIBERNATE_EVENTS)) { TransactionSynchronizationManager.bindResource(HIBERNATE_EVENTS, new ArrayList<>()); } return (List<Object>) TransactionSynchronizationManager.getResource(HIBERNATE_EVENTS); } public static Long getActorId() { return (Long) TransactionSynchronizationManager.getResource(AUDIT_LOG_ACTOR); } public static void setActor(Long value) { if (value != null) { TransactionSynchronizationManager.bindResource(AUDIT_LOG_ACTOR, value); } } }
In addition to storing the events, we also need to store the user that is performing the action. In order to get that we need to provide a method-parameter-level annotation to designate a parameter. The annotation in my case is called AuditLogActor
(retention=runtime, type=parameter).
Now what’s left is the code that will process the events. We want to do this prior to committing the current transaction. If the transaction fails upon commit, the audit entry insertion will also fail. We do that with a bit of AOP:
@Aspect @Component class AuditLogStoringAspect extends TransactionSynchronizationAdapter { @Autowired private ApplicationContext ctx; @Before("execution(* *.*(..)) && @annotation(transactional)") public void registerTransactionSyncrhonization(JoinPoint jp, Transactional transactional) { Logger.log(this).debug("Registering audit log tx callback"); TransactionSynchronizationManager.registerSynchronization(this); MethodSignature signature = (MethodSignature) jp.getSignature(); int paramIdx = 0; for (Parameter param : signature.getMethod().getParameters()) { if (param.isAnnotationPresent(AuditLogActor.class)) { AuditLogServiceData.setActor((Long) jp.getArgs()[paramIdx]); } paramIdx ++; } } @Override public void beforeCommit(boolean readOnly) { Logger.log(this).debug("tx callback invoked. Readonly= " + readOnly); if (readOnly) { return; } for (Object event : AuditLogServiceData.getHibernateEvents()) { // handle events, possibly using instanceof } }
In my case I had to inject additional services, and spring complained about mutually dependent beans, so I instead used applicationContext.getBean(FooBean.class)
. Note: make sure your aspect is caught by spring – either by auto-scanning, or by explicitly registering it with xml/java-config.
So, a call that is audited would look like this:
@Transactional public void saveFoo(FooRequest request, @AuditLogActor Long actorId) { .. }
To summarize: the hibernate event listener stores all insert, update and delete events as spring transaction synchronization resources. An aspect registers a transaction “callback” with spring, which is invoked right before each transaction is committed. There all events are processed and the respective audit log entries are inserted.
This is very basic audit log, it may have issue with collection handling, and it certainly does not cover all use cases. But it is way better than manual audit log handling, and in many systems an audit log is mandatory functionality.
Reference: | Custom Audit Log With Spring And Hibernate from our JCG partner Bozhidar Bozhanov at the Bozho’s tech blog blog. |