Spring Security
  1. Spring Security
  2. SEC-1569

AuthenticationSuccessEvent is published twice when ProviderManager has a parent ProviderManager

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Invalid
    • Affects Version/s: 3.0.3
    • Fix Version/s: 3.1.0.M2
    • Component/s: Core
    • Labels:
      None

      Description

      I've configured spring security using the namespace. In particular, I have the following configs:

      <sec:http>
      ...
      <sec:anonymous enabled="true"/>
      ...
      </sec:http>

      <sec:authentication-manager erase-credentials="true">
      <sec:authentication-provider ref="myAuthProvider"/>
      </sec:authentication-manager>

      This results in a ProviderManager that has the AnonymousAuthenticationProvider and a parent ProviderManager which has MyAuthProvider. During a valid authentication attempt by a user, the AnonymousAuthenticationProvider is skipped and the parent ProviderManager is invoked (line 148 in ProviderManager). This one successfully authenticates the user and publishes an AuthenticationSuccessEvent. The problem is that when this parent ProviderManager returns, the first ProviderManager publishes the success event again (lines 157-165).

        Activity

        Hide
        Luke Taylor added a comment -

        Are you sure you aren't seeing both the event from the filter and the one from the ProviderManager. Could you provide some log output or other information to illustrate the problem please?

        Show
        Luke Taylor added a comment - Are you sure you aren't seeing both the event from the filter and the one from the ProviderManager. Could you provide some log output or other information to illustrate the problem please?
        Hide
        Nikita D added a comment -

        DEBUG log output.

        Show
        Nikita D added a comment - DEBUG log output.
        Hide
        Nikita D added a comment -

        Hi Luke, you are right, the eventPublisher of the parent ProviderManager is actually a NullEventPublisher. The second success event is coming from UsernamePasswordAuthenticationFilter which publishes an InteractiveAuthenticationSuccessEvent (as opposed to the AuthenticationSuccessEvent published by the ProviderManager). I've attached the DEBUG log for reference. I'm guessing the two events are intentional and I can just ignore one in my listener based on the even class? Thank you for the help, sorry for logging this too hastily.
        Nikita

        Show
        Nikita D added a comment - Hi Luke, you are right, the eventPublisher of the parent ProviderManager is actually a NullEventPublisher. The second success event is coming from UsernamePasswordAuthenticationFilter which publishes an InteractiveAuthenticationSuccessEvent (as opposed to the AuthenticationSuccessEvent published by the ProviderManager). I've attached the DEBUG log for reference. I'm guessing the two events are intentional and I can just ignore one in my listener based on the even class? Thank you for the help, sorry for logging this too hastily. Nikita
        Hide
        Luke Taylor added a comment -

        No problem.

        Show
        Luke Taylor added a comment - No problem.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Nikita D
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: