Spring Security: SEC-1940

ProviderManager does not publish AccountStatusException

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.2
    • Component/s: Core
    • Labels: None

      Description

      When using a simple configuration, an authentication provider throwing a LockedException doesn't cause an AuthenticationFailureLockedEvent to be published. The write-up is in the Spring forum reference. I can't be sure this is a bug, but it seems too weird to be expected behavior.

          Activity

          Rob Winch added a comment -

          Providing an example configuration would likely speed up the ability to fix this.

          David Kerwick added a comment -

          Hi, I've also come across the same issue.

          I have a listener class like the one below:

          import org.slf4j.Logger;
          import org.slf4j.LoggerFactory;
          import org.springframework.context.ApplicationListener;
          import org.springframework.security.authentication.event.AuthenticationFailureLockedEvent;
          import org.springframework.stereotype.Component;

          @Component
          public class AuthenticationLockedListener implements ApplicationListener<AuthenticationFailureLockedEvent> {

              // logger was not shown in the original comment; SLF4J is assumed here
              private static final Logger logger = LoggerFactory.getLogger(AuthenticationLockedListener.class);

              @Override
              public void onApplicationEvent(AuthenticationFailureLockedEvent event) {
                  logger.debug("In the onApplicationEvent");
              }
          }


          In my userDetailsService I throw a

          throw new LockedException("User account suspended");
          

          The above listener used to pick up this exception; now it never gets fired.

          The event

          AuthenticationFailureServiceExceptionEvent

          seems to fire, but I think that's an overall "something went wrong" exception?

          I'm using an http element in the security config like below:

          <http pattern="/login" security="none"/>

          <http auto-config="true" use-expressions="true">
              <form-login login-page="/login" authentication-failure-url="/login?login_error=1"
                  login-processing-url="/j_spring_security_check"/>
          </http>


          Thanks
          David

          Akil Mahimwala added a comment -

          I have a very similar issue.

          The AuthenticationFailureBadCredentialsEvent gets fired as expected.
          The AuthenticationSuccessEvent is also fired as expected,
          but AuthenticationFailureLockedEvent is not getting fired.

          Thanks, Akil

          Rob Worsnop added a comment - edited

          This was introduced by the fix for SEC-546. When a LockedException (or any other AccountStatusException) is thrown, ProviderManager will immediately rethrow the exception without trying other providers. It also skips the event publishing, which is what causes this bug.

          I submitted a fix:
          https://github.com/SpringSource/spring-security/pull/10

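A regression check for the behaviour Rob describes, added here as an example (it is not part of the issue or the linked pull request). It assumes spring-security-core 3.1.x on the classpath and uses a constructed provider that always throws LockedException; the capturing ApplicationEventPublisher and the class and method names are this example's own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AuthenticationFailureLockedEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class LockedEventRegressionCheck {

    // Constructed for this example: stands in for a UserDetailsService that throws LockedException.
    static class AlwaysLockedProvider implements AuthenticationProvider {
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            throw new LockedException("User account suspended");
        }
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    // Records published events in memory instead of dispatching them to an ApplicationContext.
    static class CapturingPublisher implements ApplicationEventPublisher {
        final List<Object> events = new ArrayList<Object>();
        public void publishEvent(ApplicationEvent event) { events.add(event); }
        public void publishEvent(Object event) { events.add(event); } // overload used by newer Spring versions
    }

    public static void main(String[] args) {
        CapturingPublisher capture = new CapturingPublisher();
        ProviderManager manager = new ProviderManager(
                Arrays.<AuthenticationProvider>asList(new AlwaysLockedProvider()));
        manager.setAuthenticationEventPublisher(new DefaultAuthenticationEventPublisher(capture));
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "secret"));
        } catch (LockedException expected) {
            // ProviderManager rethrows the AccountStatusException; the event must already be published by now.
        }
        boolean published = false;
        for (Object e : capture.events) {
            published |= e instanceof AuthenticationFailureLockedEvent;
        }
        System.out.println(published ? "OK: AuthenticationFailureLockedEvent published"
                                     : "BUG: LockedException rethrown without publishing the event (SEC-1940)");
    }
}
```

On 3.1.0 the event list stays empty because the exception is rethrown before publishing; on the fix version the locked event is captured, so the check doubles as a guard against the regression returning.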

            People

            • Assignee: Rob Winch
            • Reporter: Emerson Farrugia
            • Votes: 2
            • Watchers: 3

            Time Tracking

            • Estimated: 0.25d
            • Remaining: 0.25d
            • Logged: Not Specified