It would be nice if Quarkus had some kind of callback mechanism which would allow registering a listener which would be notified when an authorization check either failed or succeeded. An application could use this to implement a custom security logging mechanism.
Currently, this is not so simple, because depending on whether the authorization rules are declared using annotations (@RolesAllowed et al.) or config properties (quarkus.http.auth.*) and depending on whether the outcome of the check was "allow" or "deny", different hooks need to be used, which could possibly also conflict with other uses of those hooks.
Implementation ideas
One idea would be to fire CDI events with the details.
@michalvavrik This is an interesting one, I suppose if users have @Observes a security authentication or authorization outcome event, the events can be sent, and then, later, Quarkus can provide a default one, via SPI, in a standalone extension, which will log everything. It will likely become more important quite soon.
I'm on board with a CDI events based solution. I think it is important we should only do it when the user is observing the event, so that there is no additional cost for others.
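The CDI-event idea from this thread, sketched as an added example that is not Quarkus code and not code from any participant: one event type carries both "allow" and "deny" outcomes from either kind of rule, the firing side skips all work when nothing observes it, and an application observer writes the security log. `AuthorizationOutcome`, `AuthorizationOutcomeNotifier` and `SecurityAuditLog` are hypothetical names; the sketch assumes the `jakarta.*` CDI namespace and Java 17 records.

```java
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.event.Event;
import jakarta.enterprise.event.Observes;
import jakarta.enterprise.inject.spi.BeanManager;
import jakarta.inject.Inject;
import java.util.logging.Logger;

// Hypothetical payload. "source" records which mechanism decided:
// an annotation such as @RolesAllowed, or quarkus.http.auth.* configuration.
record AuthorizationOutcome(String principal, String resource, String source, boolean allowed) {}

// Hypothetical framework side: every authorization check reports through here.
@ApplicationScoped
class AuthorizationOutcomeNotifier {
    @Inject Event<AuthorizationOutcome> event;
    @Inject BeanManager beanManager;
    private volatile Boolean observed; // resolved once, on first use

    void report(String principal, String resource, String source, boolean allowed) {
        // No observer registered: no event object is built, nothing is fired.
        if (hasObservers()) {
            event.fire(new AuthorizationOutcome(principal, resource, source, allowed));
        }
    }

    private boolean hasObservers() {
        Boolean cached = observed;
        if (cached == null) {
            AuthorizationOutcome probe = new AuthorizationOutcome("", "", "", false);
            cached = !beanManager.resolveObserverMethods(probe).isEmpty();
            observed = cached;
        }
        return cached;
    }
}

// Application side: a single observer covers allow and deny, annotation and config.
@ApplicationScoped
class SecurityAuditLog {
    private static final Logger LOG = Logger.getLogger("security.audit");

    void onOutcome(@Observes AuthorizationOutcome o) {
        String line = String.format("authz %s principal=%s resource=%s source=%s",
                o.allowed() ? "ALLOW" : "DENY", clean(o.principal()), clean(o.resource()), o.source());
        if (o.allowed()) LOG.fine(line); else LOG.warning(line);
    }

    // Principal and resource can carry request-supplied data: neutralise
    // CR/LF/tab so a crafted value cannot forge or split audit log lines.
    static String clean(String s) {
        return s == null ? "-" : s.replaceAll("[\\r\\n\\t]", "_");
    }
}
```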