Custom Audit Log With Spring and Hibernate
If you need to have automatic auditing of all database operations and you are using Hibernate…you should use Envers. But if for some reasons you can’t use Envers, you can achieve something similar with Hibernate event listeners and spring transaction synchronization.
First, start with the event listener. You should capture all insert, update, and delete operations. But there’s a tricky bit – if you need to flush the session for any reason, you can’t directly execute that logic with the session that is passed to the event listener. In my case I had to fetch some data, and hibernate started throwing exceptions at me (“id is null”). Multiple sources confirmed that you should not interact with the database in the event listeners. So instead, you should store the events for later processing. And you can register the listener as a spring bean as shown here.
@Component
public class AuditLogEventListener
implements PostUpdateEventListener, PostInsertEventListener, PostDeleteEventListener {
@Override
public void onPostDelete(PostDeleteEvent event) {
AuditedEntity audited = event.getEntity().getClass().getAnnotation(AuditedEntity.class);
if (audited != null) {
AuditLogServiceData.getHibernateEvents().add(event);
}
}
@Override
public void onPostInsert(PostInsertEvent event) {
AuditedEntity audited = event.getEntity().getClass().getAnnotation(AuditedEntity.class);
if (audited != null) {
AuditLogServiceData.getHibernateEvents().add(event);
}
}
@Override
public void onPostUpdate(PostUpdateEvent event) {
AuditedEntity audited = event.getEntity().getClass().getAnnotation(AuditedEntity.class);
if (audited != null) {
AuditLogServiceData.getHibernateEvents().add(event);
}
}
@Override
public boolean requiresPostCommitHanding(EntityPersister persister) {
return true; // Envers sets this to true only if the entity is versioned. So figure out for yourself if that's needed
}
}
Notice the AuditedEntity
– it is a custom marker annotation (retention=runtime, target=type) that you can put on top of your entities.
To be honest, I didn’t fully follow how Envers does the persisting, but as I also have spring at my disposal, in my AuditLogServiceData
class I decided to make use of Spring:
/**
* {@link AuditLogServiceStores} stores here audit log information It records all
* changes to the entities in spring transaction synchronizaton resources, which
* are in turn stored as {@link ThreadLocal} variables for each thread. Each thread
* /transaction is using own copy of this data.
*/
public class AuditLogServiceData {
private static final String HIBERNATE_EVENTS = "hibernateEvents";
@SuppressWarnings("unchecked")
public static List<Object> getHibernateEvents() {
if (!TransactionSynchronizationManager.hasResource(HIBERNATE_EVENTS)) {
TransactionSynchronizationManager.bindResource(HIBERNATE_EVENTS, new ArrayList<>());
}
return (List<Object>) TransactionSynchronizationManager.getResource(HIBERNATE_EVENTS);
}
public static Long getActorId() {
return (Long) TransactionSynchronizationManager.getResource(AUDIT_LOG_ACTOR);
}
public static void setActor(Long value) {
if (value != null) {
TransactionSynchronizationManager.bindResource(AUDIT_LOG_ACTOR, value);
}
}
}
In addition to storing the events, we also need to store the user that is performing the action. In order to get that we need to provide a method-parameter-level annotation to designate a parameter. The annotation in my case is called AuditLogActor
(retention=runtime, type=parameter).
Now what’s left is the code that will process the events. We want to do this prior to committing the current transaction. If the transaction fails upon commit, the audit entry insertion will also fail. We do that with a bit of AOP:
@Aspect
@Component
class AuditLogStoringAspect extends TransactionSynchronizationAdapter {
@Autowired
private ApplicationContext ctx;
@Before("execution(* *.*(..)) && @annotation(transactional)")
public void registerTransactionSyncrhonization(JoinPoint jp, Transactional transactional) {
Logger.log(this).debug("Registering audit log tx callback");
TransactionSynchronizationManager.registerSynchronization(this);
MethodSignature signature = (MethodSignature) jp.getSignature();
int paramIdx = 0;
for (Parameter param : signature.getMethod().getParameters()) {
if (param.isAnnotationPresent(AuditLogActor.class)) {
AuditLogServiceData.setActor((Long) jp.getArgs()[paramIdx]);
}
paramIdx ++;
}
}
@Override
public void beforeCommit(boolean readOnly) {
Logger.log(this).debug("tx callback invoked. Readonly= " + readOnly);
if (readOnly) {
return;
}
for (Object event : AuditLogServiceData.getHibernateEvents()) {
// handle events, possibly using instanceof
}
}
In my case I had to inject additional services, and spring complained about mutually dependent beans, so I instead used applicationContext.getBean(FooBean.class)
. Note: make sure your aspect is caught by spring – either by auto-scanning, or by explicitly registering it with xml/java-config.
So, a call that is audited would look like this:
@Transactional
public void saveFoo(FooRequest request, @AuditLogActor Long actorId) { .. }
To summarize: the hibernate event listener stores all insert, update and delete events as spring transaction synchronization resources. An aspect registers a transaction “callback” with spring, which is invoked right before each transaction is committed. There all events are processed and the respective audit log entries are inserted.
This is very basic audit log, it may have issue with collection handling, and it certainly does not cover all use cases. But it is way better than manual audit log handling, and in many systems an audit log is mandatory functionality.