Describe the bug A clear and concise description of what the bug is.

AbstractUserDetailsAuthenticationProvider class defines an attribute messages, and gives the initial value for it 。

    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

But this class also implements MessageSourceAware,AbstractApplicationContext# initMessageSource () method will ensure that the container will always be a messageSource , when the user does not customize messageSource , an empty DelegatingMessageSource will be registered.

This leads to AbstractUserDetailsAuthenticationProvider messageSource attribute is never in the initial value, because always triggers MessageSourceAware#setMessageSource ()

Exception messages thrown in this class will always be defaultMessage unless the user manually registers the messageSource and scans basename "org.springframework.security.messages".

Expected behavior A clear and concise description of what you expected to happen.

Hope in the user without configuration messageSource, back to use SpringSecurityMessageSource, this ensures that the internationalization of correct error message

Comment From: eleftherias

Thanks for reaching out @Hccake. Have you registered a MessageSource bean in your application?

@Bean
public MessageSource messageSource() {
    ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
    messageSource.addBasenames("classpath:org/springframework/security/messages");
    return messageSource;
}

Comment From: Hccake

@eleftherias

When I register such a messageSource, it works.

But if MessageSourceAccessor is provided by default, why should users register messageSource themselves ?

Comment From: eleftherias

Thank you for confirming that, @Hccake.

I'm not sure I understand your question. Perhaps this section of the reference documentation is able to answer it?

Comment From: Hccake

What I mean by this is whether spring-Security can also provide support for internationalization without users manually registering messageSource.

Comment From: Hccake

@eleftherias

hello,I have created a PR for this issue, can you have a look

Comment From: eleftherias

The message source is necessary to distinguish between the localization that is provided by Spring Security (which can be seen here) and any custom messages that you have added.

If you feel that we are missing any language, we are happy to accept a PR directly in Spring Security with the internationalized messages.

Comment From: Hccake

@eleftherias

When users use Spring Security, they do not enjoy internationalization by default, You must register a MessageSource and add is called "the classpath: org/springframework/security/messages" the basename to realize internationalization.

I don't think this is a great experience, and ideally, users can enjoy the internationalization of Spring Security error messages without having to sign up for MessageSource.

SpringSecurityMessageSource useless at present, by default, he will be replaced by an empty MessageSource, when the user registration MessageSource, replaced by the user registration MessageSource.

This allows SpringSecurityMessageSource lost its meaning.

Comment From: elfwine

I also had this problem with the latest Spring boot (2.6.7) and spring security(5.6.3). I also tried to register MessageSource but it's not picking up. I debugged if AbstractUserDetailsAuthenticationProvider#setMessageSource is called and it did not. What I did is I copied the spring security's InitializeUserDetailsBeanManagerConfigurer class into a new one and set the MessageSource inside of the configure method. I think it will be better if MessageSource is set in InitializeUserDetailsManagerConfigurer by default just like how UserDetailService and PasswordEncoder where set.

Comment From: pearl88

I also had this problem with the latest Spring boot (2.6.7) and spring security(5.6.3). I also tried to register MessageSource but it's not picking up. I debugged if AbstractUserDetailsAuthenticationProvider#setMessageSource is called and it did not. What I did is I copied the spring security's InitializeUserDetailsBeanManagerConfigurer class into a new one and set the MessageSource inside of the configure method. I think it will be better if MessageSource is set in InitializeUserDetailsManagerConfigurer by default just like how UserDetailService and PasswordEncoder where set.

Spring Boot (3.1) and spring security(6.1),There is still this problem,MessageSourceAware without effect

Comment From: pearl88

I also had this problem with the latest Spring boot (2.6.7) and spring security(5.6.3). I also tried to register MessageSource but it's not picking up. I debugged if AbstractUserDetailsAuthenticationProvider#setMessageSource is called and it did not. What I did is I copied the spring security's InitializeUserDetailsBeanManagerConfigurer class into a new one and set the MessageSource inside of the configure method. I think it will be better if MessageSource is set in InitializeUserDetailsManagerConfigurer by default just like how UserDetailService and PasswordEncoder where set.

Therefore, I can only copy the language files in the 'org.springframework.security' directory to my own project for modification