stormpath-sdk-java icon indicating copy to clipboard operation
stormpath-sdk-java copied to clipboard
verified publisher icon stormpath

AuthenticationSuccessEvent no longer published on successful login

Open george-hawkins-work opened this issue 9 years ago • 6 comments

With the move to 1.0.2 an AuthenticationSuccessEvent is no longer published when a successful login occurs.

Previously I believe the Spring Security ProviderManager used to iterate through all the authentication providers and if one was successful it would trigger the publishing of an AuthenticationSuccessEvent. See ProviderManager.java:220:

eventPublisher.publishAuthenticationSuccess(result);

Now with 1.0.2. this logic is not invoked, rather the Stormpath SpringSecurityResolvedAccountFilter directly calls authenticate(...) on StormpathAuthenticationProvider and there is no corresponding event publishing step.

george-hawkins-work avatar Aug 11 '16 16:08 george-hawkins-work

@george-hawkins-aa thanks for reporting this. I am working on it right now. This should be fixed in the upcoming release.

mrioan avatar Aug 11 '16 17:08 mrioan

hello @george-hawkins-aa. I was not able to reproduce this issue. I tried with Spring Security using both Spring and Spring Boot. In both cases the on(SuccessfulAuthenticationRequestEvent) method in the default RequestEventListenerAdapter bean has been invoked.

Could you please describe the method of authentication and the Stormpath module that you are using? Thanks

mrioan avatar Aug 11 '16 18:08 mrioan

Hi @mrioan sorry for not providing more details for reproducing this issue (though I did refer to the Spring Security event AuthenticationSuccessEvent rather than the Stormpath specific event SuccessfulAuthenticationRequestEvent).

Previous to the 1.X release of the Stormpath SDK you used to be able to detect a successful login in a non-Stormpath specific way using just the standard documented Spring Securty approach, i.e. just create a service that implements ApplicationListener<AuthenticationSuccessEvent>. E.g. something like this:

@Service
public class AuthenticationSuccessListener implements ApplicationListener<AuthenticationSuccessEvent> {
    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        // ...
    }
}

This no longer works, for the reasons outlined above.

I've switched over to the Stormpath specific approach as outlined in the events section of Stormpath's Spring Boot docs, i.e. using RequestEventListenerAdapter as you mention.

This works fine - so I will stick with this - but the original bug still stands, i.e. that the standard Spring Security approach that used to work in the RC releases no longer works in the 1.X releases.

But I'd rate this low priority now that you've pointed me at an alternative solution.

george-hawkins-work avatar Aug 15 '16 12:08 george-hawkins-work

This will be Indirectly fixed by #915

mrioan avatar Aug 17 '16 00:08 mrioan

This is indirectly fixed by PR #919. That PR has a test to validate the events are received when Spring Security Filter is in front of Stormpath.

mrioan avatar Aug 17 '16 20:08 mrioan

A first approach to this issue was implemented in https://github.com/stormpath/stormpath-sdk-java/pull/919 but it was closed now as it is very out of date now

mrioan avatar Nov 10 '16 13:11 mrioan