AuthenticationFailureCredentialsExpiredEvent not fired

[darkwieseljedi]

I am using spring.security.version = 3.1.0.RELEASE. The problem I am having is that for some reason AuthenticationFailureCredentialsExpiredEvent is not fired.

While debugging the code I found that AbstractUserDetailsAuthenticationProvider do display in the console that "User account credentials have expired". But I am still baffling as to why the event in concern is not triggered.

Here is my code:

Code:

class JpaUserDetails implements UserDetails {
...
...
   @Override
   public boolean isCredentialsNonExpired() {
       if (some logic) {
           return true;
       }
       else {
           return false;
       }
   }
}

I do see AbstractUserDetailsAuthenticationProvider displaying in the console "User account credentials have expired" from the following lines of spring code:

Code:

public abstract class AbstractUserDetailsAuthenticationProvider implements AuthenticationProvider, InitilizeBean, MessageSourceAware {
...
...
    private class DefaultPostAuthenticationChecks implements UserDetailsChecker {
        public void check(UserDetails user) {
            if(!user.isCredentialsNonExpired()) {
                logger.debug("User account credentials have expired");
                throw new CredentialsExpiredException(message.getMessage(
                          "AbstractUserDetailsAuthenticationProvider.credentialsExpired",
                          "User credentials have expired"), user);
            }
        }
    }
}

The issue is that when the user credentials have expired, I am expecting the Spring to generate the event AuthenticationFailureCredentialsExpiredEvent which I am handling in the following way:

Code:

class SecurityEventDispatcher implements ApplicationListener<ApplicationEvent> {
    final List<SecurityEventListener> listeners = new ArrayList<SecurityEventListener>();

    public void registerListener(SecurityEventListener listener) {
        this.listener.add(listener);
    }

    public void onApplicationEvent(ApplicationEvent event) {
        for (SecurityEventListener listener : this.listeners) {
            if(listener.canHandle(event)) {
                listener.handle(event);
            }
        }
    }
}

This is how I am handling the login failure event:

Code:

public class LoginFailedEvent extends SecurityEventListener {

    @Override
    public boolean canHandle(Object event) {
        if(event instanceof AbstractAuthenticationFailureEvent) {
            return true;
        }
        else {
            return false;
        }
    }

    @Override
    public void handle(Object event) {
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            // do something
        }

        if (event instanceof AuthenticationFailureCredentialsExpiredEvent) {
            // do something
        }
    }
}

The issue as I mentioned before is that AuthenticationFailureCredentialsExpiredEvent is never fired. I have tested the AuthenticationFailureBadCredentialsEvent which works fine.

Does anyone have any idea what could be wrong? Any help will be highly appreciated.

[Rob Winch]

You probably need to set the ProviderManager's (<authentication-manager>'s) eventPublisher to be something other than NullEventPublisher. There is not a simple way to do this via the <authentication-manager> tag, so you will want to create the AuthenticationProvider using standard beans configuration and inject it into a standard Spring Bean for the ProviderManager.