Add logging to InitializeAuthenticationProviderBeanManagerConfigurer
and InitializeUserDetailsBeanManagerConfigurer
#14663
Labels
Context
By default
HttpSecurityConfiguration
wires anAuthenticationManager
with either:DaoAuthenticationProvider
when the user provides aUserDetailsService
AuthenticationProvider
beanDepending on the bean configuration, results differ:
✅ works as expected
✅ works as expected
🤔 "why are my AuthenticationProviders not used?"
✅ works as expected
🤔🤔🚨 "why is my UserDetailsService not used?"
🤔 "why are my AuthenticationProviders not used?"
🤔 "why are my UserDetailsServices not used?"
🤔 "why are my UserDetailsSerivces not used?"
🤔 "why are my AuthenticationProviders not used?"
🤔 "why are my UserDetailsSerivces not used?"
With the most surprising use-case for users being 1
UserDetailsService
+ 1AuthenticationProvider
, see for example this StackOverflow question.Other cases are confusing too, see gh-10005 for 2
AuthenticationProvider
s + 1UserDetailsService
.Suggestions
Add logging to both
InitializeAuthenticationProviderBeanManagerConfigurer
andInitializeUserDetailsBeanManagerConfigurer
.InitializeUserDetailsBeanManagerConfigurer
UserDetailsService
andInitializeUserDetailsBeanManagerConfigurer
triggers, add a log line at theINFO
orDEBUG
level, notifying the user whichUserDetailsService
bean is being usedUserDetailsService
beans provided, add aWARN
log notifying the user that they are not auto-configured / used, along with their names.UserDetailsService
, andInitializeUserDetailsBeanManagerConfigurer
does not trigger because there also is anAuthenticationProvider
bean, add a log line at theWARN
level, notifying the user that theUserDetailsService
is ignored.InitializeAuthenticationProviderBeanManagerConfigurer
AuthenticationProvider
, andInitializeAuthenticationProviderBeanManagerConfigurer
tiggers, add a log at theINFO
orDEBUG
level, notifying the user which `AuthenticationProvider bean is being used.AuthenticationProvider
s, andInitializeAuthenticationProviderBeanManagerConfigurer
does not trigger, add a log at theWARN
level, notifying the user that theAuthenticationProvider
beans, with their names, are ignored.Repro project
A small (handful of) repro projects, showing different cases: https://github.com/Kehrlann/spring-security-autoconfig-logging
The text was updated successfully, but these errors were encountered: