I have a problem similar to the one mentioned in this SO thread - here.
I have tried both of the recommended solutions in the above SO thread, but the problem still persists. When CustomAuthProvider fails with a Bad credentials exception, the ProviderManager class is basically doing exception handling and it resends the call again to CustomAuthProvider for authentication. And this process keeps going on like an infinite loop.
WebSecurityConfig:

    http.authorizeRequests().and().authenticationProvider(this.customAuthProvider());

CustomAuthProvider:

    if (!password.equals(userDetails.getPassword())) {
        throw new BadCredentialsException("Wrong password.");
    }

ProviderManager:

    while(var8.hasNext()) {
        AuthenticationProvider provider = (AuthenticationProvider)var8.next();
        if (provider.supports(toTest)) {
            if (debug) {
                logger.debug("Authentication attempt using " + provider.getClass().getName());
            }
            try {
                result = provider.authenticate(authentication);
                if (result != null) {
                    this.copyDetails(authentication, result);
                    break;
                }
            } catch (InternalAuthenticationServiceException | AccountStatusException var13) {
                this.prepareException(var13, authentication);
                throw var13;
            } catch (AuthenticationException var14) {
                lastException = var14;
            }
        }
    }
    if (result == null && this.parent != null) {
        try {
            result = parentResult = this.parent.authenticate(authentication);
        } catch (ProviderNotFoundException var11) {
        } catch (AuthenticationException var12) {
            parentException = var12;
            lastException = var12;
        }
    }

Steps To Reproduce:
- Perform Basic Authentication
- Provide the wrong password
- CustomAuthProvider will throw BadCredentialsException
- ProviderManager will catch the exception - lastException = var14;
- And then an infinite loop of calls between CustomAuthProvider and ProviderManager starts with the same exception BadCredentialsException more than twice.
Can you please let me know how to avoid this infinite loop of exception chain? Why doesn't ProviderManager let the exception go to the parent caller so the end-user knows what the problem is by looking at the exception? That it's a Bad Credential exception due to a wrong password.
Any help would be appreciated!
Comment From: rwinch
Please provide a complete and minimal project to reproduce the problem.
Comment From: d3minem
@rwinch - I was trying to set up the example for you to look at. But for some reason, I am not able to reproduce this issue now. When the BadCredentialsException is thrown, it attempts twice and then calls the onUnsuccessfulAuthentication method. Previously, it was calling the below line:

    result = parentResult = this.parent.authenticate(authentication);

in the ProviderManager. Somehow it's fixed for me now and working as expected, in that the onUnsuccessfulAuthentication method is being called.
Thanks for your help, but maybe some other time I will give you the opportunity to look at the example ;-)
Comment From: rwinch
Thanks for the response. I'm going to close this. If you end up getting a complete/minimal sample to reproduce, please feel free to create a new ticket with the sample.
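
Added example, not part of the original thread and not the reporter's code: a small program showing how the parent fallback in the ProviderManager loop quoted above can produce exactly two attempts for one bad password, after which the BadCredentialsException still reaches the caller. It assumes the same provider is registered on both a ProviderManager and its parent, which the thread does not confirm; `CountingRejectingProvider` and the credentials are hypothetical stand-ins.

```java
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class ParentDelegationDemo {

    // Hypothetical stand-in for the thread's CustomAuthProvider: always rejects, counts calls.
    static class CountingRejectingProvider implements AuthenticationProvider {
        final AtomicInteger calls = new AtomicInteger();

        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            calls.incrementAndGet();
            throw new BadCredentialsException("Wrong password.");
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    public static void main(String[] args) {
        CountingRejectingProvider provider = new CountingRejectingProvider();

        // Assumption: the same provider instance is wired into the child and its parent.
        ProviderManager parent = new ProviderManager(List.of(provider));
        ProviderManager child = new ProviderManager(List.of(provider), parent);

        try {
            // Constructed credentials, for illustration only.
            child.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
            throw new IllegalStateException("authentication unexpectedly succeeded");
        } catch (BadCredentialsException ex) {
            // Child records lastException, falls back to the parent, then rethrows to the caller.
            System.out.println("caller saw: " + ex.getMessage());
        }

        // One call from the child's loop plus one from the parent fallback.
        if (provider.calls.get() != 2) {
            throw new IllegalStateException("expected 2 attempts, got " + provider.calls.get());
        }
        System.out.println("provider invoked " + provider.calls.get() + " times");
    }
}
```

If the attempt count keeps growing instead of stopping at two, checking whether a manager's parent chain leads back to itself is a reasonable first diagnostic.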