Context
I do use a UsernamePasswordAuthenticationFilter with 3 login parts (tenant, username, password) in combination with a form-based login. This worked perfectly fine in SB2 / 2.7.14.
When I tried to migrate to SB 3.x the login stopped working at all. I'm unable to login/logout.
Reproducer app
I've extracted the main application parts into a separate project: sb3-filter-problem
The submodule sb2 contains the working SB2 application (2.7.14), while sb3 uses SB 3.2.0-M1. I followed the docs to configure the login. As the way the authenticationManager is wired in changed, I use my own AbstractHttpConfigurer to add the filter. Apart from that a SimpleUrlLogoutSuccessHandler is used to perform actions upon logout.
Further information and quicklinks into the example app can be found in its README
Quicklinks to show the difference between SB2 and SB3
| Description | SB2 - 2.7.14 | SB3 - 3.2.0-M1 | Status SB2 | Status SB3 |
|---|---|---|---|---|
| ApplicationUser to encapsulate tenant, user, password for login | ApplicationUser | ApplicationUser | working | working |
| LoginTenantAuthenticationFilter (UsernamePasswordAuthenticationFilter) to extract data upon login | LoginTenantAuthenticationFilter | LoginTenantAuthenticationFilter | working | working |
| Filter configuration | AuthenticationConfiguration | Sb3CustomDsl | working | not working |
| Authentication configuration | AuthenticationConfiguration | AuthenticationConfiguration | working | not working |
| SimpleUrlLogoutSuccessHandler to trigger actions upon logout | LeaveEventsUponLogoutSuccessHandler | LeaveEventsUponLogoutSuccessHandler | working | not working |
Steps already taken
I already tried to submit a StackOverflow question, but unfortunately no working answers were provided. If I remove the configuration of the form-based login, the app does not show any login screen anymore.
As I'm unable to find any reference to a working example that combines a separate 3-part-login and form-based user authentication I file this issue. Maybe there has been a regression or just a lack of documentation, which my reproducer app may provide.
Thanks for any feedback and I'm willing to contribute my reproducer app in case it helps other users to avoid the problems I'm facing at the moment.
Comment From: sjohnr
Question appears answered per update.
Comment From: ottlinger
@sjohnr If you have a closer look at the changes it should be clear that this is most probably still a bug on the spring-side, but I assume that not a great many people work with the extension of the UsernamePasswordFilter and thus may run into the troubles that I've experienced. As usual the docs do not cover the use case that extends the filtering mechanism and thus exposes the problem that the underlying securityContextRepository is wrongly wired and blocks authentication.
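For readers hitting the same migration problem described in the issue body and the comment above, here is an added example (not code from the reproducer repository or from Spring Security itself) of the two pieces that changed between SB2 and SB3: a tenant-aware UsernamePasswordAuthenticationFilter subclass and an AbstractHttpConfigurer that wires in the AuthenticationManager and, crucially, a session-backed SecurityContextRepository, since the 6.x default only keeps the login for the duration of the request. The class names, the `tenant` form field and the `/tenant-login` processing URL are assumptions.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
// Hypothetical 3-part login filter (tenant, username, password); the "tenant" form field name is assumed.
class TenantLoginFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) throws AuthenticationException {
        String tenant = req.getParameter("tenant");
        if (tenant == null || tenant.isBlank()) throw new AuthenticationServiceException("tenant missing");
        // Carry the tenant inside the principal so an AuthenticationProvider can split it off again.
        var token = UsernamePasswordAuthenticationToken.unauthenticated(
                tenant + "\\" + obtainUsername(req), obtainPassword(req));
        setDetails(req, token);
        return getAuthenticationManager().authenticate(token);
    }
}
// Custom DSL: in Spring Security 6 the AuthenticationManager is only reachable as a shared object here.
class TenantLoginDsl extends AbstractHttpConfigurer<TenantLoginDsl, HttpSecurity> {
    @Override
    public void configure(HttpSecurity http) {
        var filter = new TenantLoginFilter();
        filter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
        // 6.x default is RequestAttributeSecurityContextRepository, which drops the login after the request.
        SecurityContextRepository repo = http.getSharedObject(SecurityContextRepository.class);
        filter.setSecurityContextRepository(repo != null ? repo : new HttpSessionSecurityContextRepository());
        filter.setFilterProcessesUrl("/tenant-login"); // keep clear of formLogin's own POST /login filter
        http.addFilterAt(filter, UsernamePasswordAuthenticationFilter.class);
    }
}
@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.requestMatchers("/login", "/tenant-login").permitAll().anyRequest().authenticated())
            .formLogin(f -> f.loginPage("/login")).apply(new TenantLoginDsl()); // the page's form POSTs to /tenant-login
        return http.build();
    }
}
```

The login page served at `/login` must submit `tenant`, `username`, `password` and the CSRF token to `/tenant-login`; leaving the filter's processing URL at the default `/login` would let formLogin's built-in filter, registered first, consume the POST instead.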
Comment From: sjohnr
I'm sorry to hear you are having trouble extending UsernamePasswordAuthenticationFilter for your needs @ottlinger.
> this is most probably still a bug on the spring-side
If you believe there is a bug, please write it up clearly and concisely. This issue was asked as a question on StackOverflow, which points to a GitHub repository containing months of history and discovery and a note that the issue was solved. Please take those learnings and distill them into a minimal, reproducible sample to demonstrate any bug you have found.
> As usual the docs do not cover the use case that extends the filtering mechanism
I'm not sure what's meant by this comment but please be constructive in your feedback as we always strive to improve the documentation and constructive feedback is more helpful than criticism. If you feel an improvement can be made, please be specific and provide suggestions for improvement.
Comment From: ottlinger
@sjohnr sorry for the misunderstanding - the motivation behind this whole project was to show the difference between SB2 and SB3. When I tried to file bugs with spring-boot these tickets were closed within minutes, which led me to the conclusion that no-one read the example app or had a look at the code itself. This led to a certain level of frustration on my side as I was not able to solve my problem until the contribution from GlenErrands.