Combination of UsernamePasswordAuthenticationFilter and form login not working in SB 3.x that worked in SB2

[ottlinger]

Context

I do use a UsernamePasswordAuthenticationFilter with 3 login parts (tenant, username, password) in combination with a form-based login. This worked perfectly fine in SB2 / 2.7.14.

When I tried to migrate to SB 3.x the login stopped working at all. I'm unable to login/logout.

Reproducer app

I've extracted the main application parts into a separate project:
sb3-filter-problem

The submodule sb2 contains the working SB2 application (2.7.14), while sb3 uses SB 3.2.0-M1.
I followed the docs to configure the login. As the way the authenticationManager is wired in changed, I use an my AbstractHttpConfigurer to add the filter.
Apart from that a SimpleUrlLogoutSuccessHandler is used to perform actions upon logout.

Further information and quicklinks into the example app can be found in its README

Quicklinks to show the difference between SB2 and SB3

Description	SB2 - 2.7.14	SB3 - 3.2.0-M1	Status SB2	Status SB3
ApplicationUser to encapsulate tenant, user, password for login	ApplicationUser	ApplicationUser	👍 working	👍 working
LoginTenantAuthenticationFilter (UsernamePasswordAuthenticationFilter) to extract data upon login	LoginTenantAuthenticationFilter	LoginTenantAuthenticationFilter	👍 working	👍 working
Filter configuration	AuthenticationConfiguration	Sb3CustomDsl	👍 working	🔥 not working
Authentication configuration	AuthenticationConfiguration	AuthenticationConfiguration	👍 working	🔥 not working
SimpleUrlLogoutSuccessHandler to trigger actions upon logout	LeaveEventsUponLogoutSuccessHandler	LeaveEventsUponLogoutSuccessHandler	👍 working	🔥 not working

Steps already taken

I already tried to submit a StackOverflow question, but unfortunately no working answers were provided. If I remove the configuration of the form-based login, the app does not show any login screen anymore.

As I'm unable to find any reference to a working example that combines a separate 3-part-login and form-based user authentication I file this issue. Maybe there has been a regression or just a lack of documentation, which my reproducer app may provide.

Thanks for any feedback and I'm willing to contribute my reproducer app in case it helps other users to avoid the problems I'm facing at the moment.

[sjohnr]

Question appears answered per update.

[ottlinger]

@sjohnr If you have a closer a look at the changes it should be clear, that this is most probably still a bug on the spring-side, but I assume that not a great many of people work with the extension of the UsernamePasswordFilter and thus may run into the troubles that I've experienced.
As usual the docs do not cover the use case that extends the filtering mechanism and thus exposes the problem that the underlying securityContextRepository is wrongly wired and blocks authentication.

[sjohnr]

I'm sorry to hear you are having trouble extending UsernamePasswordAuthenticationFilter for your needs @ottlinger.

this is most probably still a bug on the spring-side

If you believe there is a bug, please write it up clearly and concisely. This issue was asked as a question on stackoverflow, which points to a GitHub repository containing months of history and discovery and a note that the issue was solved. Please take those learnings and distill it into a minimal, reproducible sample to demonstrate any bug you have found.

As usual the docs do not cover the use case that extends the filtering mechanism

I'm not sure what's meant by this comment but please be constructive in your feedback as we always strive to improve the documentation and constructive feedback is more helpful than criticism. If you feel an improvement can be made, please be specific and provide suggestions for improvement.

[ottlinger]

@sjohnr sorry for the misunderstanding - the motivation behind this whole project was to show the difference between SB2 and SB3. When I tried to file bugs with spring-boot these tickets were closed within minutes, which led me to the conclusion that no-one read the example app or had a look at the code itself.
This led to a certain level of frustration on my side as I was not able to solve my problem until the contribution from GlenErrands.