Not seeing Spring Security authentication events

  • Not seeing Spring Security authentication events

    My goal is to log the authentication successes and failures from ChannelSet.login() within Spring. I set up an ApplicationListener to receive the Spring Security authentication events (e.g. AuthenticationSuccessEvent) but I am not seeing any in my ApplicationListener.

    Perhaps the integration's use of 'PreAuthenticatedProcessingFilterEntryPoint' prevents these events from being generated.

    Anyone else have any experience with this? Thanks.
    Last edited by jcarter; Jul 23rd, 2009, 01:07 PM. Reason: Adding icon to indicate issue is fixed.

  • #2
    The story so far....

    I believe there is a bug here somewhere. Can't tell yet if it's in the code or my understanding.

    org.springframework.flex.security.SpringSecurityLoginCommand.java:
    * implements flex.messaging.security.LoginCommand
    * invokes AuthenticationManager::authenticate

    The AuthenticationManager defaults in the namespace processing system to a 'ProviderManager' to which a 'DaoAuthenticationProvider' is attached. This then connects to the account names / passwords / roles used by the account name / password combo during ChannelSet::login.

    The 'ProviderManager' is the source of the events that I need. It is 'ApplicationEventPublisherAware' but the event publisher does not appear to be set. This is a problem.

    Any ideas? Thanks.



    • #3
      I'll take a shot at reproducing this myself this morning. Just to be clear, I assume you're expecting your listener to be notified when the SpringSecurityLoginCommand processes the Authentication?



      • #4
        Correct. I expect to see the 'AuthenticationSuccessEvent' raised on successful login and the other ApplicationEvents (e.g. AuthenticationFailureBadCredentialsEvent) raised on failures.

        FWIW, I'm rebuilding the spring-security module with some additional logging to confirm my suspicions.



        • #5
          With the instrumented build of Spring Security Core, I see that the ProviderManager 'ApplicationEventPublisher' is, in fact, set and is an XmlWebApplicationContext.

          Now to figure out why the events appear to be swallowed.



          • #6
            Ok, I did run into one caveat in my test that might apply to your scenario. If you have a setup similar to the testdrive, where Spring Security is configured in the root web application context, and Spring BlazeDS Integration is configured in a child DispatcherServlet context, a listener defined in that child application context will not receive the security event (this is a result of the fact that a parent context has no awareness of its child). So for example, in the testdrive, if you define a listener in the root web application context (in security-context.xml, for example) then you receive the security event notification when the SpringSecurityLoginCommand processes the Authentication, but if you define the listener in the child DispatcherServlet context (in testdrive-servlet.xml) then it will not be notified of the events. This is all essentially expected behavior. Perhaps this is reflected in your scenario?
            Last edited by jeremyg484; Jul 22nd, 2009, 01:26 PM.

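The context-hierarchy behaviour described in #6, as an added example that is not part of the original thread or of the project's code: the listener registered in the root context records both the success and the failure event, while the listener in the child context records nothing. It assumes Spring Security 5.x with Java configuration in place of the thread's XML setup; the class names and the `alice` account are constructed for illustration.

```java
import java.util.*;
import org.springframework.context.*;
import org.springframework.context.annotation.*;
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
public class ContextHierarchyDemo {
    // Records the authentication events delivered to the context it is registered in.
    static class AuditListener implements ApplicationListener<AbstractAuthenticationEvent> {
        final List<String> seen = new ArrayList<>();
        @Override public void onApplicationEvent(AbstractAuthenticationEvent e) {
            seen.add(e.getClass().getSimpleName() + ":" + e.getAuthentication().getName());
        }
    }
    @Configuration  // stands in for the root context (security-context.xml in the testdrive)
    static class RootConfig {
        @Bean AuthenticationManager authenticationManager(ApplicationEventPublisher publisher) {
            DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
            dao.setUserDetailsService(new InMemoryUserDetailsManager(  // constructed test account
                User.withUsername("alice").password("{noop}s3cret").roles("USER").build()));
            ProviderManager pm = new ProviderManager(Collections.singletonList(dao));
            // Events are published into the context that owns the ProviderManager (the root).
            pm.setAuthenticationEventPublisher(new DefaultAuthenticationEventPublisher(publisher));
            return pm;
        }
        @Bean AuditListener rootListener() { return new AuditListener(); }
    }

    @Configuration  // stands in for the child DispatcherServlet context (testdrive-servlet.xml)
    static class ChildConfig {
        @Bean AuditListener childListener() { return new AuditListener(); }
    }

    public static void main(String[] args) {
        AnnotationConfigApplicationContext root = new AnnotationConfigApplicationContext(RootConfig.class);
        AnnotationConfigApplicationContext child = new AnnotationConfigApplicationContext();
        child.setParent(root);               // child can see root beans, not the other way round
        child.register(ChildConfig.class);
        child.refresh();
        AuthenticationManager am = child.getBean(AuthenticationManager.class); // resolved from the parent
        am.authenticate(new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        try { am.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong")); }
        catch (BadCredentialsException expected) { /* the failure event was published before the throw */ }
        System.out.println("root : " + root.getBean("rootListener", AuditListener.class).seen);
        System.out.println("child: " + child.getBean("childListener", AuditListener.class).seen);
    }
}
```

For audit logging of login successes and failures, this means the listener bean belongs in the same context as the `AuthenticationManager`, or in a parent of it.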


            • #7
              Looks like an error on my side. Still debugging.



              • #8
                Fixed.

                Jeremyg484, thanks for the tip. That plus a very careful rewrite of the event handler got everything working.

