Skip to content

Add logging to InitializeAuthenticationProviderBeanManagerConfigurer and InitializeUserDetailsBeanManagerConfigurer #14663

New issue
New issue
Closed
#14711
Closed
Add logging to InitializeAuthenticationProviderBeanManagerConfigurer and InitializeUserDetailsBeanManagerConfigurer#14663
#14711
Assignees
Kehrlann
Labels
in: configAn issue in spring-security-configtype: enhancementA general enhancement
@Kehrlann

Description

@Kehrlann
Kehrlann
opened on Feb 29, 2024

Context

By default HttpSecurityConfiguration wires an AuthenticationManager with either:

  • a DaoAuthenticationProvider when the user provides a UserDetailsService
  • or a user-provided AuthenticationProvider bean
  • (or none of the above)

Depending on the bean configuration, results differ:

No AuthenticationProvider 1 AuthenticationProvider Multiple AuthenticationProvider
No UserDetailsService No global authentication
✅ works as expected		 Global authentication with AuthenticationProvider
✅ works as expected		 No global authentication
🤔 "why are my AuthenticationProviders not used?"
1 UserDetailsService Global authentication with username/password
✅ works as expected		 Global authentication with AuthenticationProvider
🤔🤔🚨 "why is my UserDetailsService not used?"		 Global authentication with username/password
🤔 "why are my AuthenticationProviders not used?"
Multiple UserDetailsServices No global authentication
🤔 "why are my UserDetailsServices not used?"		 Global authentication with AuthenticationProvider
🤔 "why are my UserDetailsSerivces not used?"		 No global authentication
🤔 "why are my AuthenticationProviders not used?"
🤔 "why are my UserDetailsSerivces not used?"

With the most surprising use-case for users being 1 UserDetailsService + 1 AuthenticationProvider, see for example this StackOverflow question.

Other cases are confusing too, see gh-10005 for 2 AuthenticationProviders + 1 UserDetailsService.

Suggestions

Add logging to both InitializeAuthenticationProviderBeanManagerConfigurer and InitializeUserDetailsBeanManagerConfigurer.

InitializeUserDetailsBeanManagerConfigurer

  • When there is a single UserDetailsService and InitializeUserDetailsBeanManagerConfigurer triggers, add a log line at the INFO or DEBUG level, notifying the user which UserDetailsService bean is being used
  • When there are mutliple UserDetailsService beans provided, add a WARN log notifying the user that they are not auto-configured / used, along with their names.
  • When there is a single UserDetailsService, and InitializeUserDetailsBeanManagerConfigurer does not trigger because there also is an AuthenticationProvider bean, add a log line at the WARN level, notifying the user that the UserDetailsService is ignored.

InitializeAuthenticationProviderBeanManagerConfigurer

  • When there is a single AuthenticationProvider, and InitializeAuthenticationProviderBeanManagerConfigurer tiggers, add a log at the INFO or DEBUG level, notifying the user which `AuthenticationProvider bean is being used.
  • When there are multiple AuthenticationProviders, and InitializeAuthenticationProviderBeanManagerConfigurer does not trigger, add a log at the WARN level, notifying the user that the AuthenticationProvider beans, with their names, are ignored.

Repro project

A small (handful of) repro projects, showing different cases: https://github.com/Kehrlann/spring-security-autoconfig-logging

Metadata

Metadata

Assignees

Labels

in: configAn issue in spring-security-configtype: enhancementA general enhancement

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions