Brandon McCulligh (Migrated from SEC-3114) said:

I was seeing extremely odd behaviour in one of my applications while adding in a secure section where the application was calling my custom AuthenticationProvider service and authenticating, but the app would lose the authentication information when I tried to navigate to one of the secure areas. The app would get stuck in redirect loops after a successful login via my custom login page.

In the end this was caused by the framework not knowing about the Authentication Provider. After a long time of trying things such as managing the Authentication object in the session, etc., I found out that this is logged as a one-line DEBUG statement.

This should at a minimum be logged as an ERROR, or I'd argue even as far as a FATAL, and throw a stack trace out. This was a hidden problem because the framework knew there wasn't an authentication provider, yet I had security rules set up for authentication.

Just to clarify, this bug is to change the visibility of this error statement. The fix of the actual problem was obviously to add in the authentication provider so the framework is aware of it as well.

Comment From: marcusdacoregio

Thank you for your report. This is no longer an issue in the latest Spring Security.

Reviewing the code from the ProviderManager class, there is not a DEBUG log in it anymore. Instead, when there is not any AuthenticationProvider that supports the authentication method, an event is fired indicating that the authentication was not successful.

I am closing this as it is not valid anymore, but if someone wants to discuss its validity, we can reopen it.
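
The behaviour described in the closing comment, as an added example that is not code from the Spring Security project or from this thread: a ProviderManager with no provider supporting the submitted token publishes a failure event, which can be surfaced at ERROR level. `TestingOnlyProvider`, the class name `ProviderNotFoundDemo`, and the credentials are hypothetical, and the list stands in for an ApplicationContext.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent;
import org.springframework.security.core.Authentication;

public class ProviderNotFoundDemo {

    // Hypothetical provider: supports only TestingAuthenticationToken, so a
    // username/password login finds no provider, as in the report above.
    static class TestingOnlyProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication authentication) {
            return authentication;
        }

        @Override
        public boolean supports(Class<?> type) {
            return TestingAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    public static void main(String[] args) {
        List<Object> published = new ArrayList<>(); // stands in for the ApplicationContext
        ProviderManager manager = new ProviderManager(new TestingOnlyProvider());
        manager.setAuthenticationEventPublisher(
                new DefaultAuthenticationEventPublisher(published::add));

        try {
            // Constructed credentials; no provider supports this token type.
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "constructed-password"));
        } catch (ProviderNotFoundException ex) {
            System.err.println("ERROR misconfiguration: " + ex.getMessage());
        }

        // Treat the event as a configuration error, not a routine failed login.
        for (Object event : published) {
            if (event instanceof AuthenticationFailureProviderNotFoundEvent) {
                AuthenticationFailureProviderNotFoundEvent e = (AuthenticationFailureProviderNotFoundEvent) event;
                System.err.println("ERROR no AuthenticationProvider for "
                        + e.getAuthentication().getClass().getSimpleName());
            }
        }
    }
}
```

The event is only published when an AuthenticationEventPublisher is set on the ProviderManager; without one, the ProviderNotFoundException is the only signal.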