SEC-1940: ProviderManager does not publish AccountStatusException

[spring-projects-issues]

Emerson Farrugia (Migrated from SEC-1940) said:

When using a simple configuration, an authentication provider throwing a LockedException doesn't cause an AuthenticationFailureLockedEvent to be published. The writeup's in the Spring forum reference. I can't be sure this is a bug, but it seems too weird to be expected behavior.

[spring-projects-issues]

Rob Winch said:

Providing an example configuration would like speed up the ability to fix this.

[spring-projects-issues]

David Kerwick said:

Hi I've also come across the same issue

I have a listener class like below

@Component
public class AuthenticationLockedListener implements ApplicationListener<AuthenticationFailureLockedEvent> {

    @Override
    public void onApplicationEvent(AuthenticationFailureLockedEvent event) {
        logger.debug("In the onApplicationEvent");
    }
}

In my userDetailsService I throw a

throw new LockedException("User account suspended");

The above listener used to pick up this exception now it never gets fired.

The event

AuthenticationFailureServiceExceptionEvent

Seems to fire, but I think that's an overall something went wrong exception?

I'm using a http element in the security config like below

<http  pattern="/login" security="none"/>

<http auto-config="true" use-expressions="true">            
    <form-login login-page="/login" authentication-failure-url="/login?login_error=1" 
    login-processing-url="/j_spring_security_check"/>
</http>

Thanks
David

[spring-projects-issues]

Akil Mahimwala said:

I have a very similar issue.

The AuthenticationFailureBadCredentialsEvent gets fired as expected.
The AuthenticationSuccessEvent is also fired as expected

but
AuthenticationFailureLockedEvent is not getting fired

Thanks Akil

[spring-projects-issues]

Rob Worsnop said:

This was introduced by the fix for SEC-546. When a LockedException (or any other AccountStatusException) is thrown, ProviderManager will immediately rethrow the exception without trying other providers. It also skips the event publishing, which is what causes this bug.

I submitted a fix:
#10