Spring Security Add logging to InitializeAuthenticationProviderBeanManagerConfigurer and InitializeUserDetailsBeanManagerConfigurer

Context

By default HttpSecurityConfiguration wires an AuthenticationManager with either: - a DaoAuthenticationProvider when the user provides a UserDetailsService - or a user-provided AuthenticationProvider bean - (or none of the above)

Depending on the bean configuration, results differ:

	No AuthenticationProvider	1 AuthenticationProvider	Multiple AuthenticationProvider
No UserDetailsService	No global authentication ✅ works as expected	Global authentication with AuthenticationProvider ✅ works as expected	No global authentication 🤔 "why are my AuthenticationProviders not used?"
1 UserDetailsService	Global authentication with username/password ✅ works as expected	Global authentication with AuthenticationProvider 🤔🤔🚨 "why is my UserDetailsService not used?"	Global authentication with username/password 🤔 "why are my AuthenticationProviders not used?"
Multiple UserDetailsServices	No global authentication 🤔 "why are my UserDetailsServices not used?"	Global authentication with AuthenticationProvider 🤔 "why are my UserDetailsSerivces not used?"	No global authentication 🤔 "why are my AuthenticationProviders not used?" 🤔 "why are my UserDetailsSerivces not used?"

With the most surprising use-case for users being 1 UserDetailsService + 1 AuthenticationProvider, see for example this StackOverflow question.

Other cases are confusing too, see gh-10005 for 2 AuthenticationProviders + 1 UserDetailsService.

Suggestions

Add logging to both InitializeAuthenticationProviderBeanManagerConfigurer and InitializeUserDetailsBeanManagerConfigurer.

InitializeUserDetailsBeanManagerConfigurer

• When there is a single UserDetailsService and InitializeUserDetailsBeanManagerConfigurer triggers, add a log line at the INFO or DEBUG level, notifying the user which UserDetailsService bean is being used
• When there are mutliple UserDetailsService beans provided, add a WARN log notifying the user that they are not auto-configured / used, along with their names.
• When there is a single UserDetailsService, and InitializeUserDetailsBeanManagerConfigurer does not trigger because there also is an AuthenticationProvider bean, add a log line at the WARN level, notifying the user that the UserDetailsService is ignored.

InitializeAuthenticationProviderBeanManagerConfigurer

• When there is a single AuthenticationProvider, and InitializeAuthenticationProviderBeanManagerConfigurer tiggers, add a log at the INFO or DEBUG level, notifying the user which `AuthenticationProvider bean is being used.
• When there are multiple AuthenticationProviders, and InitializeAuthenticationProviderBeanManagerConfigurer does not trigger, add a log at the WARN level, notifying the user that the AuthenticationProvider beans, with their names, are ignored.

Repro project

A small (handful of) repro projects, showing different cases: https://github.com/Kehrlann/spring-security-autoconfig-logging

Comment From: Kehrlann

Adding implementation notes

Notes

• Consider impact of gh-14632 on this story.