Subclasses of AbstractAuthenticationEvent are not fired anymore

[michael-simons]

Given the following application

import java.security.Principal;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@Configuration
@RestController
public class AuthlistenerApplication {

    @GetMapping("/")
    public String hello(final Principal principal) {
        return "Hello, " + principal.getName() + ".";
    }

    @Bean
    public ApplicationListener<AuthenticationSuccessEvent> onSuccessListener() {
        return (AuthenticationSuccessEvent event) -> {
            System.out.println("Yeah!");
        };
    }

    @Bean
    public ApplicationListener<AuthenticationFailureBadCredentialsEvent> onBadCredentialsListener() {
        return (AuthenticationFailureBadCredentialsEvent event) -> {
            System.out.println("Oh no...");
        };
    }

    public static void main(String[] args) {
        SpringApplication.run(AuthlistenerApplication.class, args);
    }
}

Running this on Spring Boot 1.5.9.RELEASE triggers either AuthenticationSuccessEvent or an AuthenticationFailureBadCredentialsEvent event, depending if one uses the correct password.

Neither of those events are triggered on 2.0.0.BUILD-SNAPSHOT and probably not on the Milestone as well. Here's a test to confirm this:

import java.util.Base64;
import org.junit.Rule;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.rule.OutputCapture;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.context.junit4.SpringRunner;

import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertThat;
import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT;

@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = RANDOM_PORT)
@TestPropertySource(properties = {
    "security.user.name = testuser",
    "security.user.password = testpassword",
    "spring.security.user.name = testuser",
    "spring.security.user.password = testpassword",})
public class AuthlistenerApplicationTests {

    @Rule
    public OutputCapture output = new OutputCapture();

    @Autowired
    TestRestTemplate restTemplate;

    @Test
    public void logsSuccess() throws Exception {
        final HttpHeaders headers = new HttpHeaders();
        headers.add("Authorization", "Basic " + Base64.getEncoder().encodeToString("testuser:testpassword".getBytes()));
        headers.add("Accept", MediaType.APPLICATION_JSON_VALUE);

        final ResponseEntity<String> r = restTemplate
                .exchange("/", HttpMethod.GET, new HttpEntity<>(headers), String.class);
        assertThat(r.getStatusCode(), is(equalTo(HttpStatus.OK)));
        assertThat(r.getBody(), is(equalTo("Hello, testuser.")));
        assertThat("Output did not contain 'Yeah!'", output.toString(), containsString("Yeah!"));
    }

    @Test
    public void logsFailure() throws Exception {
        final HttpHeaders headers = new HttpHeaders();
        headers.add("Authorization", "Basic " + Base64.getEncoder().encodeToString("testuser:fump".getBytes()));
        headers.add("Accept", MediaType.APPLICATION_JSON_VALUE);

        final ResponseEntity<String> r = restTemplate
                .exchange("/", HttpMethod.GET, new HttpEntity<>(headers), String.class);        
        assertThat(r.getStatusCode(), is(equalTo(HttpStatus.UNAUTHORIZED)));
        assertThat("Output did not contain 'Oh no...'", output.toString(), containsString("Oh no..."));        
    }
}

I used the snapshot for the test as the test makes use of the new old properties to configure the user (see #10963).

I already checked if the DefaultAuthenticationEventPublisher is still part of SecurityAutoConfiguration and yes, it is. So I assume that those events should still be published.

[michael-simons]

Here's the full project for your convenience:
authlistener.zip

[mbhave]

In 1.5.x, the auto-config would create an AuthenticationManager bean and set the event publisher on that. Now that we create just a UserDetailsService bean, we don't have that anymore. See #10446.

I wonder if there is a way to do this even if an AuthenticationManager bean is not exposed.

[michael-simons]

Hm, I think that this is at least a case that has to be documented in the migration notes. Thanks for the link to #10446, I know how to work this, but maybe not everyone else.

[mbhave]

@rwinch and I think this is something that should be handle in Spring Security. See spring-projects/spring-security#4940. I'll leave this issue open so that we can document how to authentication event publishers are handled.

[michael-simons]

Hmm, when Boot is seen as consumer of Security I’m not sure I agree that Security needs to pick up the publisher instantiated by Boot.

[mbhave]

@michael-simons not sure I follow that.

[michael-simons]

Sorry, my bad.

I mean Boot chooses to create the event publisher as part of auto configuration, so it’s Boots responsibility to wire it to the authentication manager.
If you suggest creating the publisher by Security, that’s fine. I understood, that it still gets created by Boot and needs to be picked up by Security. That feels wrong.

[mbhave]

@michael-simons Spring Security will provide a hook to register a bean of type AuthenticationEventPublisher. If it finds a bean of that type, it will use that as the default publisher. This is consistent with the approach of registering a UserDetailsService bean (or PasswordEncoder, AuthenticationProvider), which gets picked up by Spring Security.

[michael-simons]

Understood, good point.