AuthenticationSuccessEvent fires multiple times with OAuth2 Resource Server

AuthenticationSuccessEvent seems to be fired multiple times for single requests. Not sure if this is expected behavior or not; I will try to create a stripped-down app to demonstrate. I just wanted to make sure that this wouldn't be intended behavior. Code configuration is below in Kotlin:

@EnableWebSecurity
class WebSecurityConfiguration: WebSecurityConfigurerAdapter() {
    /**
     * Spring Authentication Manager
     */
    @Bean
    override fun authenticationManager(): AuthenticationManager {
        return super.authenticationManager()
    }
}

@Configuration
@EnableResourceServer
@EnableWebSecurity
@Order(-1)
class ResourceServerConfig(private val authenticationProvider: MongoDBAuthenticationProvider) : ResourceServerConfigurerAdapter() {
    // Constants
    private val antPatternsForAllUsers = arrayOf("/actuator/**")

    @Autowired
    fun configureGlobal(auth: AuthenticationManagerBuilder) {
        auth.authenticationProvider(authenticationProvider)
    }

    override fun configure(http: HttpSecurity) {
        http
                .addFilterBefore(CorsFilter(), SessionManagementFilter::class.java)
                .authorizeRequests().antMatchers(*antPatternsForAllUsers).permitAll().and()
                .authorizeRequests().anyRequest().authenticated().and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .csrf().disable()
    }
}



@Component
class AuthListener {

    @EventListener
    fun authenticationFailed(event: OAuth2AuthenticationFailureEvent) {
        System.out.println("OAuth2AuthenticationFailureEvent")
    }

    @EventListener
    fun authenticationSucceeded(event: AuthenticationSuccessEvent) {
        System.out.println("AuthenticationSuccessEvent " + event.toString())
    }

    @EventListener
    fun authenticationFailed(event: AuthenticationFailureBadCredentialsEvent) {
        System.out.println("AuthenticationFailureBadCredentialsEvent " + event.toString())
    }
}

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 10 (4 by maintainers)

Top GitHub Comments

10 reactions
amirensit commented, Sep 11, 2019

Sorry for commenting on a closed issue, but I have a solution that worked for me (using the debugging mode):

  • For the Client authentication: authenticationSuccessEvent.getSource() is an instance of OAuth2Authentication.

  • For the User authentication: authenticationSuccessEvent.getSource() is an instance of UsernamePasswordAuthenticationToken.

So to execute logic only after user authentication:

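import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

@Component
public class AuthenticationSuccessEventListener implements ApplicationListener<AuthenticationSuccessEvent> {

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent authenticationSuccessEvent) {
        // Act only when the event source is a user (username/password) authentication
        if (authenticationSuccessEvent.getSource() instanceof UsernamePasswordAuthenticationToken) {
            // the logic here
        }
    }
}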

I hope it helps.
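
An added example, not code from the issue thread or from Spring Security: a listener that tallies success events by the concrete Authentication class, so the separate client and user events described in the comment above show up in the log, and that runs login bookkeeping only for user authentications. The names `AuthenticationAuditListener`, `recordUserLogin` and `countFor` are hypothetical, and the logging sink is an assumption.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.LongAdder;
import java.util.logging.Logger;

import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

// Hypothetical listener name; added example, not from the issue thread.
@Component
public class AuthenticationAuditListener {

    private static final Logger LOG =
            Logger.getLogger(AuthenticationAuditListener.class.getName());

    // Success events seen per concrete Authentication class.
    private final Map<String, LongAdder> eventsByType = new ConcurrentHashMap<>();

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        String type = auth.getClass().getSimpleName();
        eventsByType.computeIfAbsent(type, k -> new LongAdder()).increment();

        // Log the type and principal name only; never the credentials.
        LOG.fine(() -> "auth success type=" + type + " name=" + auth.getName()
                + " seen=" + countFor(type));

        // Per the comment above, only the user authentication should
        // drive login bookkeeping; other event types are tallied and skipped.
        if (auth instanceof UsernamePasswordAuthenticationToken) {
            recordUserLogin(auth.getName());
        }
    }

    // Hypothetical hook: replace with the application's own audit sink.
    protected void recordUserLogin(String username) {
        LOG.info(() -> "user login recorded for " + username);
    }

    // Number of success events observed for one Authentication class name.
    public long countFor(String type) {
        LongAdder n = eventsByType.get(type);
        return n == null ? 0L : n.sum();
    }
}
```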

1 reaction
eranf91 commented, Jun 14, 2019

I know that this issue is closed, but it seems to be relevant for the latest version of Spring Security at the moment. I think that the events should be separated.
