Add debug messages for auth exceptions in ProviderManager

Tejas-Teju · jzheaux · commit 291162a1955b · 2025-02-14T16:01:22.000-07:00
Issue gh-16484 Signed-off-by: tejas-teju <tejas8196@gmail.com>
diff --git a/core/src/main/java/org/springframework/security/authentication/ProviderManager.java b/core/src/main/java/org/springframework/security/authentication/ProviderManager.java
@@ -185,13 +185,25 @@ public Authentication authenticate(Authentication authentication) throws Authent
 					break;
 				}
 			}
-			catch (AccountStatusException | InternalAuthenticationServiceException ex) {
+			catch (AccountStatusException ex) {
 				prepareException(ex, authentication);
+				logger.debug(LogMessage.format("Authentication failed for user '%s' since account status is %s",
+						authentication.getName(), ex.getMessage()));
+				// SEC-546: Avoid polling additional providers if auth failure is due to
+				// invalid account status
+				throw ex;
+			}
+			catch (InternalAuthenticationServiceException ex) {
+				prepareException(ex, authentication);
+				logger.debug(LogMessage.format(
+						"Authentication failed due to an internal authentication service error: %s", ex.getMessage()));
 				// SEC-546: Avoid polling additional providers if auth failure is due to
 				// invalid account status
 				throw ex;
 			}
 			catch (AuthenticationException ex) {
+				logger.debug(LogMessage.format("Authentication failed with provider %s since %s",
+						provider.getClass().getSimpleName(), ex.getMessage()));
 				lastException = ex;
 			}
 		}
@@ -241,6 +253,13 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		if (parentException == null) {
 			prepareException(lastException, authentication);
 		}
+
+		// Ensure this message is not logged when authentication is attempted by
+		// the parent provider
+		if (this.parent != null) {
+			logger.debug("Denying authentication since all attempted providers failed");
+		}
+
 		throw lastException;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -185,13 +185,25 @@ public Authentication authenticate(Authentication authentication) throws Authent`
`185`	`185`	`break;`
`186`	`186`	`}`
`187`	`187`	`}`
`188`		`- catch (AccountStatusException \| InternalAuthenticationServiceException ex) {`
	`188`	`+ catch (AccountStatusException ex) {`
`189`	`189`	`prepareException(ex, authentication);`
	`190`	`+ logger.debug(LogMessage.format("Authentication failed for user '%s' since account status is %s",`
	`191`	`+ authentication.getName(), ex.getMessage()));`
	`192`	`+ // SEC-546: Avoid polling additional providers if auth failure is due to`
	`193`	`+ // invalid account status`
	`194`	`+ throw ex;`
	`195`	`+ }`
	`196`	`+ catch (InternalAuthenticationServiceException ex) {`
	`197`	`+ prepareException(ex, authentication);`
	`198`	`+ logger.debug(LogMessage.format(`
	`199`	`+ "Authentication failed due to an internal authentication service error: %s", ex.getMessage()));`
`190`	`200`	`// SEC-546: Avoid polling additional providers if auth failure is due to`
`191`	`201`	`// invalid account status`
`192`	`202`	`throw ex;`
`193`	`203`	`}`
`194`	`204`	`catch (AuthenticationException ex) {`
	`205`	`+ logger.debug(LogMessage.format("Authentication failed with provider %s since %s",`
	`206`	`+ provider.getClass().getSimpleName(), ex.getMessage()));`
`195`	`207`	`lastException = ex;`
`196`	`208`	`}`
`197`	`209`	`}`
`@@ -241,6 +253,13 @@ public Authentication authenticate(Authentication authentication) throws Authent`
`241`	`253`	`if (parentException == null) {`
`242`	`254`	`prepareException(lastException, authentication);`
`243`	`255`	`}`
	`256`	`+`
	`257`	`+ // Ensure this message is not logged when authentication is attempted by`
	`258`	`+ // the parent provider`
	`259`	`+ if (this.parent != null) {`
	`260`	`+ logger.debug("Denying authentication since all attempted providers failed");`
	`261`	`+ }`
	`262`	`+`
`244`	`263`	`throw lastException;`
`245`	`264`	`}`
`246`	`265`