Skip to content

child AuthenticationManager AuthenticationException not published as AbstractAuthenticationFailureEvent #19434

Description

@zyro23

Describe the bug
Given an AuthenticationManager hierarchy, an AuthenticationException from a child AuthenticationManager is not being published as an AbstractAuthenticationFailureEvent.

What gets published is always the AuthenticationException from the parent AuthenticationManager.
However, that may be a ProviderNotFoundException hiding the actual AuthenticationException from the child AuthenticationManager.

To Reproduce
I tried to come up with a minimal repro sample with form and ott login.
With this setup, DaoAuthenticationProvider is registered with a parent ProviderManager and OneTimeTokenAuthenticationProvider is registered with a child ProviderManager.

  • run the sample app
  • login as user / auto-generated password (console)
  • request a one-time-token
  • use the one-time-token-link (console)
  • add/remove some characters from the token value making the token invalid
  • submit the invalid token
  • login page correctly shows "Invalid credentials" (i.e. InvalidOneTimeTokenException)
    • but log output from AuthenticationEventListener shows:
2026-07-10T07:47:11.634+02:00  INFO 928441 --- [demo] [io-8080-exec-10] c.e.demo.AuthenticationEventListener     : Authentication Failure Event: org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent[source=OneTimeTokenAuthenticationToken [Principal=null, Credentials=[PROTECTED], Authenticated=false, Details=null, Granted Authorities=[]]]

org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:248) ~[spring-security-core-7.1.0.jar:7.1.0]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:215) ~[spring-security-core-7.1.0.jar:7.1.0]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.attemptAuthentication(AbstractAuthenticationProcessingFilter.java:363) ~[spring-security-web-7.1.0.jar:7.1.0]

Expected behavior
If a child AuthenticationManager produces a specific AuthenticationException, and the parent AuthenticationManager throws a ProviderNotFoundException, I would expect the specific child AuthenticationException to be published as AbstractAuthenticationFailureEvent and not the parent ProviderNotFoundException.

note that ProviderManager already seems to respect that logic regarding the actual exception propagation, it just seems to be missing for the event publishing:
https://github.com/spring-projects/spring-security/blob/7.1.0/core/src/main/java/org/springframework/security/authentication/ProviderManager.java#L212-L228

Sample

https://github.com/zyro23/spring-security-19434

thanks & regards.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions