Can't use custom authenticationEventPublisher on last ProviderManager

[mondaka]

Summary

When you extend WebSecurityConfigurerAdapter and override the method
protected final void configure(AuthenticationManagerBuilder auth) throws Exception
to set auth.authenticationEventPublisher(defaultAuthenticationEventPublisher);
it doesn't work propertly.

Actual Behavior

When you use the auth.authenticationEventPublisher(defaultAuthenticationEventPublisher) method
to set a custom AuthenticationEventPublisher, the localConfigureAuthenticationBldr (that is an AuthenticationManagerBuilder instance which manage AuthenticationManager buiding) on WebSecurityConfigurerAdapter doesn't build anything (returns null, because it needs AuthenticationProviders to be built).

I have tried a workaround using a "dummy" AuthenticationProvider, but in this case, the structure of built ProviderManagers on WebSecurityConfigurerAdapter is: the one that is built by the localConfigureAuthenticationBldr is set as parent of the other one created by authenticationBuilder.

This causes that we can't set an AuthenticationEventPublisher at the ProviderManager built by authenticationBuilder and consequently, the exceptions thrown by this ProviderManager don't fire any event.

Expected Behavior

Set an AuthenticationEventPublisher on "last" ProviderManager (the one created by authenticationBuilder on WebSecurityConfigurerAdapter), that fire events on this ProviderManager and not in his parent.

Configuration

Version

4.1.0

Sample

@EnableWebSecurity
@Configuration
public abstract class MySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        
        http.x509()
            .authenticationUserDetailsService(authenticationUserDetailsService);
    }

    @Override
    protected final void configure(AuthenticationManagerBuilder auth) throws Exception {
    	auth.authenticationEventPublisher(defaultAuthenticationEventPublisher);
    }

   @Bean
   public DefaultAuthenticationEventPublisher defaultAuthenticationEventPublisher() {
         return   new DefaultAuthenticationEventPublisher();
   }
}

@Component
public class MyAppListener implements ApplicationListener<AbstractAuthenticationEvent>, ApplicationContextAware {
    
    private static final org.slf4j.Logger LOG =     
       org.slf4j.LoggerFactory.getLogger(MyAppListener .class);

    @Override
    public void onApplicationEvent(AbstractAuthenticationEvent authEvent) {
       LOG.debug("Event: " + authEvent.getClass().getName() + " throwed");
    }
}

[anhquande]

+1
I encounter the same problem