Spring-security: AuthenticationSuccessEvent not published for oauth2Login()

Created on 22 Oct 2018 · 6 Comments · Source: spring-projects/spring-security

On running the OAuth2 Sample, there was no AuthenticationSuccessEvent since the ProviderManager seems to be using a NullEventPublisher.

oauth2 bug


All 6 comments

/cc @ismarslomic

*FailureEvents are published though. So the issue is related to *SuccessEvents only.

An AuthenticationManagerBuilder @Bean is registered via AuthenticationConfiguration.authenticationManagerBuilder(). It's also associated with the AuthenticationEventPublisher registered in the context using AuthenticationManagerBuilder.authenticationEventPublisher().

However, WebSecurityConfigurerAdapter.setApplicationContext() initializes 2 instances of AuthenticationManagerBuilder, but does not associate them with the AuthenticationEventPublisher registered in the context.

We need to ensure that the initialization and association of the AuthenticationEventPublisher (registered in the context) is consistent between AuthenticationConfiguration and WebSecurityConfigurerAdapter.

@jgrandja thanks! I will gladly retest and report back, when you have a fix. Any idea on how complex and time-consuming it will be? Just so I know if I should wait for a fix, or go ahead and use something else for Audit logging.

Edit: workarounds are also welcome :)

@ismarslomic The fix has been applied to master and backported to 5.1.2 and 5.0.10.

After retest (with 5.1.2.BUILD-SNAPSHOT): I can confirm AuthenticationSuccessEvents are being published, and I can also find AUTHENTICATION_SUCCESS events at Actuator endpoint /auditevents. Thanks a lot for the quick fix!
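
For anyone retesting the behaviour discussed in this thread, a listener like the following records both event families, so a build where failures arrive but successes never do shows up in the counters and the log. This is an added example, not code from spring-security or from any commenter; the class name `AuthenticationEventProbe` and the log format are assumptions, and it expects a Spring Boot application with SLF4J on the classpath.

```java
import java.util.concurrent.atomic.AtomicLong;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

// Added example (hypothetical class name), not part of spring-security.
@Component
public class AuthenticationEventProbe {

    private static final Logger log = LoggerFactory.getLogger(AuthenticationEventProbe.class);

    private final AtomicLong successes = new AtomicLong();
    private final AtomicLong failures = new AtomicLong();

    // Called only if the ProviderManager was built with a real AuthenticationEventPublisher.
    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        successes.incrementAndGet();
        log.info("auth success principal={} token={}",
                clean(auth.getName()), auth.getClass().getSimpleName());
    }

    // Covers every *FailureEvent subclass (bad credentials, locked, disabled, ...).
    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        failures.incrementAndGet();
        log.warn("auth failure principal={} reason={}",
                clean(event.getAuthentication().getName()),
                event.getException().getClass().getSimpleName());
    }

    public long successCount() { return successes.get(); }

    public long failureCount() { return failures.get(); }

    // Principal names come from the login form or the identity provider;
    // replace control characters so a crafted name cannot forge audit log lines.
    static String clean(String value) {
        return value == null ? "<none>" : value.replaceAll("\\p{Cntrl}", "_");
    }
}
```

After one successful oauth2Login() round trip, `successCount()` staying at 0 while the user is clearly authenticated reproduces the symptom reported here.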
