/ spring-security Public
SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher #1522
An issue in spring-security-core
A general bug
An issue that was migrated from JIRA
Charles Gutjahr (Migrated from SEC-1272) said:
When using the namespace configuration, creating an should automatically register a default event publisher. This allows applications to be notified about security events such as logins and login failures - for example I want these notifications so that I can write audit logs of failed logins.
The Javadoc on org.springframework.security.authentication.ProviderManager states that such a default event publisher is automatically registered when using the namespace. It says:
"The standard implementation is DefaultAuthenticationEventPublisher which maps common exceptions to events (in the case of authentication failure) and publishes an AuthenticationSuccessEvent if authentication succeeds. If you are using the namespace then an instance of this bean will be used automatically by the configuration, so you will receive events from the web part of your application automatically."
However ProviderManager does not actually register a DefaultAuthenticationEventPublisher! It uses its private NullEventPublisher class that does nothing. That means that if you use the namespace configuration you don't actually receive the default events. The only way to receive those events is to manually create a ProviderManager bean and inject a DefaultAuthenticationEventPublisher bean into it.
I think that:
The text was updated successfully, but these errors were encountered: