Add logging to InitializeAuthenticationProviderBeanManagerConfigurer and InitializeUserDetailsBeanManagerConfigurer #14663

Closed
Kehrlann opened this issue Feb 29, 2024 · 1 comment · Fixed by #14711
Labels
in: config An issue in spring-security-config type: enhancement A general enhancement

Comments

@Kehrlann
Contributor

Context

By default HttpSecurityConfiguration wires an AuthenticationManager with either:

  • a DaoAuthenticationProvider when the user provides a UserDetailsService
  • or a user-provided AuthenticationProvider bean
  • (or none of the above)

Depending on the bean configuration, results differ:

| | No AuthenticationProvider | 1 AuthenticationProvider | Multiple AuthenticationProvider |
|---|---|---|---|
| No UserDetailsService | No global authentication ✅ works as expected | Global authentication with AuthenticationProvider ✅ works as expected | No global authentication 🤔 "why are my AuthenticationProviders not used?" |
| 1 UserDetailsService | Global authentication with username/password ✅ works as expected | Global authentication with AuthenticationProvider 🤔🤔🚨 "why is my UserDetailsService not used?" | Global authentication with username/password 🤔 "why are my AuthenticationProviders not used?" |
| Multiple UserDetailsServices | No global authentication 🤔 "why are my UserDetailsServices not used?" | Global authentication with AuthenticationProvider 🤔 "why are my UserDetailsServices not used?" | No global authentication 🤔 "why are my AuthenticationProviders not used?" 🤔 "why are my UserDetailsServices not used?" |

The most surprising use-case for users is 1 UserDetailsService + 1 AuthenticationProvider; see for example this StackOverflow question.

Other cases are confusing too, see gh-10005 for 2 AuthenticationProviders + 1 UserDetailsService.

Suggestions

Add logging to both InitializeAuthenticationProviderBeanManagerConfigurer and InitializeUserDetailsBeanManagerConfigurer.

InitializeUserDetailsBeanManagerConfigurer

  • When there is a single UserDetailsService and InitializeUserDetailsBeanManagerConfigurer triggers, add a log line at the INFO or DEBUG level, notifying the user which UserDetailsService bean is being used.
  • When there are multiple UserDetailsService beans provided, add a WARN log notifying the user that they are not auto-configured / used, along with their names.
  • When there is a single UserDetailsService, and InitializeUserDetailsBeanManagerConfigurer does not trigger because there also is an AuthenticationProvider bean, add a log line at the WARN level, notifying the user that the UserDetailsService is ignored.

InitializeAuthenticationProviderBeanManagerConfigurer

  • When there is a single AuthenticationProvider, and InitializeAuthenticationProviderBeanManagerConfigurer triggers, add a log at the INFO or DEBUG level, notifying the user which AuthenticationProvider bean is being used.
  • When there are multiple AuthenticationProviders, and InitializeAuthenticationProviderBeanManagerConfigurer does not trigger, add a log at the WARN level, notifying the user that the AuthenticationProvider beans, with their names, are ignored.

Repro project

A small handful of repro projects, showing different cases: https://github.com/Kehrlann/spring-security-autoconfig-logging

@Kehrlann Kehrlann added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Feb 29, 2024
@marcusdacoregio marcusdacoregio added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 29, 2024
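
The selection matrix from this issue, turned into an application-side startup check (an added example, not code from the issue or from Spring Security): the hypothetical `GlobalAuthenticationAudit` bean counts the `AuthenticationProvider` and `UserDetailsService` beans in the context and logs which ones the default wiring uses or skips. The class name and log wording are assumptions; the selection rules are the ones in the issue's table.

```java
import java.util.Arrays;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.ListableBeanFactory;
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;

// Hypothetical application-side bean; not a Spring Security class.
@Component
public class GlobalAuthenticationAudit implements SmartInitializingSingleton {
    private static final Log logger = LogFactory.getLog(GlobalAuthenticationAudit.class);
    private final ListableBeanFactory beanFactory;

    public GlobalAuthenticationAudit(ListableBeanFactory beanFactory) {
        this.beanFactory = beanFactory;
    }

    // Runs once all singletons exist, so every candidate bean is visible by type.
    @Override
    public void afterSingletonsInstantiated() {
        report(this.beanFactory.getBeanNamesForType(AuthenticationProvider.class),
                this.beanFactory.getBeanNamesForType(UserDetailsService.class));
    }

    // Rules from the issue's table: a single AuthenticationProvider wins outright,
    // otherwise a single UserDetailsService is used; several beans of one type are skipped.
    static void report(String[] providers, String[] services) {
        String p = Arrays.toString(providers);
        String s = Arrays.toString(services);
        if (providers.length == 1) {
            logger.info("Global authentication uses AuthenticationProvider bean " + p);
            if (services.length > 0) {
                logger.warn("UserDetailsService bean(s) " + s + " ignored: an AuthenticationProvider bean is present");
            }
            return;
        }
        if (providers.length > 1) {
            logger.warn("AuthenticationProvider beans " + p + " ignored: more than one is defined");
        }
        if (services.length == 1) {
            logger.info("Global authentication uses UserDetailsService bean " + s);
        } else if (services.length > 1) {
            logger.warn("UserDetailsService beans " + s + " ignored: more than one is defined");
        } else {
            logger.info("No global authentication is auto-configured");
        }
    }
}
```

Note that `getBeanNamesForType` only inspects the current bean factory, so beans defined in a parent context are not counted.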
@Kehrlann
Contributor Author

Kehrlann commented Mar 5, 2024

Adding implementation notes

Notes

Kehrlann added a commit to Kehrlann/spring-security that referenced this issue Mar 8, 2024
Kehrlann added a commit to Kehrlann/spring-security that referenced this issue Apr 24, 2024
jzheaux pushed a commit that referenced this issue Apr 25, 2024