Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher #1522

Closed
spring-projects-issues opened this issue Oct 18, 2009 · 4 comments
Closed

SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher #1522

spring-projects-issues opened this issue Oct 18, 2009 · 4 comments
Labels
in: core An issue in spring-security-core type: bug A general bug type: jira An issue that was migrated from JIRA
Milestone
3.0.0.RC2

Comments

@spring-projects-issues
Copy link

Charles Gutjahr (Migrated from SEC-1272) said:

When using the namespace configuration, creating an should automatically register a default event publisher. This allows applications to be notified about security events such as logins and login failures - for example I want these notifications so that I can write audit logs of failed logins.

The Javadoc on org.springframework.security.authentication.ProviderManager states that such a default event publisher is automatically registered when using the namespace. It says:

"The standard implementation is DefaultAuthenticationEventPublisher which maps common exceptions to events (in the case of authentication failure) and publishes an AuthenticationSuccessEvent if authentication succeeds. If you are using the namespace then an instance of this bean will be used automatically by the configuration, so you will receive events from the web part of your application automatically."

However ProviderManager does not actually register a DefaultAuthenticationEventPublisher! It uses its private NullEventPublisher class that does nothing. That means that if you use the namespace configuration you don't actually receive the default events. The only way to receive those events is to manually create a ProviderManager bean and inject a DefaultAuthenticationEventPublisher bean into it.

I think that:

  • should use DefaultAuthenticationEventPublisher instead of NullEventPublisher
  • should allow the AuthenticationEventPublisher on ProviderManager to be overridden if desired
@spring-projects-issues
Copy link
Author

Charles Gutjahr said:

Here is a workaround for this problem -- just in case anyone else needs to generate login events, here is what I did to get them working:

This is what I had to start with, a namespace configuration that doesn't generate events:

<security:authentication-manager>
    <security:authentication-provider user-service-ref="userDetailsService" />
</security:authentication-manager>
<bean id="userDetailsService" class="example.security.UserDetailsService" />

I changed it to this manual bean configuration, which does generate events just fine:

<bean id="org.springframework.security.authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
        <list>
        <ref bean="daoAuthenticationProvider"/>
        </list>
    </property>
    <property name="authenticationEventPublisher" ref="defaultAuthenticationEventPublisher" />
</bean>
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"/>
</bean>
<bean id="userDetailsService" class="example.security.UserDetailsService" />
<bean id="defaultAuthenticationEventPublisher" class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />

@spring-projects-issues
Copy link
Author

Luke Taylor said:

I've updated the namespace code to register a DefaultAuthenticationEventPublisher and set it on the registered ProviderManager.

@spring-projects-issues
Copy link
Author

Shai Yallin said:

For some reason, when using the Remember-Me services, the eventPublisher property still references the NullEventPublisher.

I'm using RC2

This is my http configuration:

<security:http entry-point-ref="loginFormEntryPoint">
    <security:intercept-url pattern="/entity/**" access="ROLE_USER"/>
    <security:logout logout-url="/logout" logout-success-url="/login" />
    <security:remember-me services-ref="rememberMeServices" key="SpringSecurityRememberMe"/>
    <security:custom-filter ref="businessEntityAuthorizationFilter" position="LAST"/>
</security:http>

<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
    <property name="alwaysRemember" value="true"/>
    <property name="key" value="SpringSecurityRememberMe"/>
    <property name="userDetailsService" ref="userService"/>
</bean>

@spring-projects-issues
Copy link
Author

Timo Meinen said:

Hi Luke,

could you give an example how to register another EventPublisher using namespace declaration? In the .xsd file, I can't find an attribute called event or publisher or something similar. Thank you. Timo

@spring-projects-issues spring-projects-issues added in: core An issue in spring-security-core Closed type: bug A general bug type: jira An issue that was migrated from JIRA labels Feb 5, 2016
@spring-projects-issues spring-projects-issues added this to the 3.0.0.RC2 milestone Feb 5, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in: core An issue in spring-security-core type: bug A general bug type: jira An issue that was migrated from JIRA
Projects
None yet
Milestone
3.0.0.RC2
Development

No branches or pull requests
1 participant
@spring-projects-issues