Describe the bug As title. Version: spring-boot-starter-security 2.1.17.RELEASE
To Reproduce Step1: I make a custom DefaultAuthenticationEventPublisher like this: This is a custom bean.
@Bean
public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
DefaultAuthenticationEventPublisher defaultAuthenticationEventPublisher = new DefaultAuthenticationEventPublisher(
publisher);
Properties additionalExceptionMappings = new Properties();
additionalExceptionMappings.put(CustomAuthenticationException.class.getName(),
CustomAuthenticationExceptionEvent.class.getName());
defaultAuthenticationEventPublisher.setAdditionalExceptionMappings(additionalExceptionMappings);
return defaultAuthenticationEventPublisher;
}
This is a custom exception.
public class CustomAuthenticationException extends AuthenticationException...
This is a custom ExceptionEvent.
public class CustomAuthenticationExceptionEvent extends AbstractAuthenticationFailureEvent {...
Step2: Make a custom AuthenticationEventListener.
public class AuthenticationEventListener implements ApplicationListener<AbstractAuthenticationEvent> {
/**
* @see org.springframework.context.ApplicationListener#onApplicationEvent(org.springframework.context.ApplicationEvent)
*/
@Override
public void onApplicationEvent(AbstractAuthenticationEvent event) {
log.debug("enter, {}", event);
}
}
Step3: To login. First, I try to throw security exception like UsernameNotFoundException, and I got the log.
public class NormalLoginAuthenticationProvider implements AuthenticationProvider{
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
throw new UsernameNotFoundException("This is a security exception");
}
}
But when I try to throw custom exception like CustomAuthenticationException, I can't enter my AuthenticationEventListener.
public class NormalLoginAuthenticationProvider implements AuthenticationProvider{
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
throw new CustomAuthenticationException("This is a custom exception");
}
}
And I try to override configure like:
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
/**
* @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder)
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationEventPublisher(SpringCxUtil.getBean(DefaultAuthenticationEventPublisher.class));
super.configure(auth);
}
}
But it still doesn't work.
I debugged some code, and found this:
@Order(100)
public abstract class WebSecurityConfigurerAdapter implements
WebSecurityConfigurer<WebSecurity> {
/**
* Creates the {@link HttpSecurity} or returns the current instance
*
* ] * @return the {@link HttpSecurity}
* @throws Exception
*/
@SuppressWarnings({ "rawtypes", "unchecked" })
protected final HttpSecurity getHttp() throws Exception {
if (http != null) {
return http;
}
DefaultAuthenticationEventPublisher eventPublisher = objectPostProcessor
.postProcess(new DefaultAuthenticationEventPublisher());
localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);
AuthenticationManager authenticationManager = authenticationManager();
authenticationBuilder.parentAuthenticationManager(authenticationManager);
authenticationBuilder.authenticationEventPublisher(eventPublisher);
...
}
``
I think it was overriding my setting?
**Expected behavior**
Add custom exceptionMappings in `DefaultAuthenticationEventPublisher`.
**Comment From: jzheaux**
Thanks for all the detail here, @zero3h. Would you be able to create a minimal GitHub sample application that reproduces the issue? This will help us address your concern more quickly.
**Comment From: spring-projects-issues**
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
**Comment From: zero3h**
I'm sorry it took so long to respond.Here is a minimal [GitHub](https://github.com/zero3h/issues-demo/tree/spring-security%239313) sample application.
**Comment From: jzheaux**
Thanks, @zero3h! The sample seems quite large. Are all the files in the sample necessary to reproduce the issue? Ideally, the sample contains only the components related to the ticket.
**Comment From: zero3h**
[It's](https://github.com/zero3h/issues-demo/tree/spring-security%239313) subtracted.
**Comment From: jzheaux**
Thanks, @zero3h. Configuring the authentication manager from within a custom security adapter can be tricky as there are subtle ordering concerns to keep track of.
Instead of configuring your `AuthenticationProvider` there, you can wire the authentication provider in your `configure(AuthenticationManagerBuilder)` method like so:
```java
@Override
protected void configure(AuthenticationManagerBuilder auth) {
auth
.authenticationProvider(loginAuthenticationProvider)
.authenticationEventPublisher(...);
}
Also, please remove the call to super.configure(auth) as the default implementation of that method disables local AuthenticationManager configuration.
I realize that you didn't ask this, but you might also see if you can use UsernamePasswordAuthenticationFilter instead as it appears that LoginAuthenticationFilter is quite similar. Or, if you must have a custom filter, you can expose AuthenticationManager as a @Bean and change your custom filter to autowire AuthenticationManager. Then you can publish the custom filter as a bean and dispense with the custom SecurityConfigurerAdapter altogether.
Neither of those is necessary to get your application to work, but it might make it nicer to maintain in the future.
Comment From: zero3h
It works! And Thank you very much for your advice, which has benefited me a lot.