Describe the bug
Given an AuthenticationManager hierarchy, an AuthenticationException from a child AuthenticationManager is not being published as an AbstractAuthenticationFailureEvent.
What gets published is always the AuthenticationException from the parent AuthenticationManager.
However, that may be a ProviderNotFoundException hiding the actual AuthenticationException from the child AuthenticationManager.
To Reproduce
I tried to come up with a minimal repro sample with form and ott login.
With this setup, DaoAuthenticationProvider is registered with a parent ProviderManager and OneTimeTokenAuthenticationProvider is registered with a child ProviderManager.
- run the sample app
- login as
user / auto-generated password (console)
- request a one-time-token
- use the one-time-token-link (console)
- add/remove some characters from the token value making the token invalid
- submit the invalid token
- login page correctly shows "Invalid credentials" (i.e.
InvalidOneTimeTokenException)
- but log output from
AuthenticationEventListener shows:
2026-07-10T07:47:11.634+02:00 INFO 928441 --- [demo] [io-8080-exec-10] c.e.demo.AuthenticationEventListener : Authentication Failure Event: org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent[source=OneTimeTokenAuthenticationToken [Principal=null, Credentials=[PROTECTED], Authenticated=false, Details=null, Granted Authorities=[]]]
org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:248) ~[spring-security-core-7.1.0.jar:7.1.0]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:215) ~[spring-security-core-7.1.0.jar:7.1.0]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.attemptAuthentication(AbstractAuthenticationProcessingFilter.java:363) ~[spring-security-web-7.1.0.jar:7.1.0]
Expected behavior
If a child AuthenticationManager produces a specific AuthenticationException, and the parent AuthenticationManager throws a ProviderNotFoundException, I would expect the specific child AuthenticationException to be published as AbstractAuthenticationFailureEvent and not the parent ProviderNotFoundException.
note that ProviderManager already seems to respect that logic regarding the actual exception propagation, it just seems to be missing for the event publishing:
https://github.com/spring-projects/spring-security/blob/7.1.0/core/src/main/java/org/springframework/security/authentication/ProviderManager.java#L212-L228
Sample
https://github.com/zyro23/spring-security-19434
thanks & regards.
Describe the bug
Given an
AuthenticationManagerhierarchy, anAuthenticationExceptionfrom a childAuthenticationManageris not being published as anAbstractAuthenticationFailureEvent.What gets published is always the
AuthenticationExceptionfrom the parentAuthenticationManager.However, that may be a
ProviderNotFoundExceptionhiding the actualAuthenticationExceptionfrom the childAuthenticationManager.To Reproduce
I tried to come up with a minimal repro sample with form and ott login.
With this setup,
DaoAuthenticationProvideris registered with a parentProviderManagerandOneTimeTokenAuthenticationProvideris registered with a childProviderManager.user/ auto-generated password (console)InvalidOneTimeTokenException)AuthenticationEventListenershows:Expected behavior
If a child
AuthenticationManagerproduces a specificAuthenticationException, and the parentAuthenticationManagerthrows aProviderNotFoundException, I would expect the specific childAuthenticationExceptionto be published asAbstractAuthenticationFailureEventand not the parentProviderNotFoundException.note that
ProviderManageralready seems to respect that logic regarding the actual exception propagation, it just seems to be missing for the event publishing:https://github.com/spring-projects/spring-security/blob/7.1.0/core/src/main/java/org/springframework/security/authentication/ProviderManager.java#L212-L228
Sample
https://github.com/zyro23/spring-security-19434
thanks & regards.