From 291162a1955b61891445c70279f6dba73dd2c244 Mon Sep 17 00:00:00 2001
From: tejas-teju
Date: Wed, 12 Feb 2025 05:32:20 +0530
Subject: [PATCH] Add debug messages for auth exceptions in ProviderManager

Issue gh-16484

Signed-off-by: tejas-teju
---
 .../authentication/ProviderManager.java | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/springframework/security/authentication/ProviderManager.java b/core/src/main/java/org/springframework/security/authentication/ProviderManager.java
index a09283b08c..303444cc6b 100644
--- a/core/src/main/java/org/springframework/security/authentication/ProviderManager.java
+++ b/core/src/main/java/org/springframework/security/authentication/ProviderManager.java
@@ -185,13 +185,25 @@ public class ProviderManager implements AuthenticationManager, MessageSourceAwar
 break;
 }
 }
- catch (AccountStatusException | InternalAuthenticationServiceException ex) {
+ catch (AccountStatusException ex) {
 prepareException(ex, authentication);
+ logger.debug(LogMessage.format("Authentication failed for user '%s' since account status is %s",
+ authentication.getName(), ex.getMessage()));
+ // SEC-546: Avoid polling additional providers if auth failure is due to
+ // invalid account status
+ throw ex;
+ }
+ catch (InternalAuthenticationServiceException ex) {
+ prepareException(ex, authentication);
+ logger.debug(LogMessage.format(
+ "Authentication failed due to an internal authentication service error: %s", ex.getMessage()));
 // SEC-546: Avoid polling additional providers if auth failure is due to
 // invalid account status
 throw ex;
 }
 catch (AuthenticationException ex) {
+ logger.debug(LogMessage.format("Authentication failed with provider %s since %s",
+ provider.getClass().getSimpleName(), ex.getMessage()));
 lastException = ex;
 }
 }
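Review bot: The first added `logger.debug` call, in the `AccountStatusException` branch, writes `authentication.getName()` into the log unmodified, and at that point the name is still the value supplied by an unauthenticated caller. It can carry line breaks or other control characters that make one failed login look like several log entries unless the log layout escapes them, and a password typed into the user name field would end up in the log as well. I would either drop the name, `logger.debug(LogMessage.format("Authentication failed since account status is %s", ex.getMessage()));`, or state the escaping expectation in a comment above the call. The retained `SEC-546` comment now sits in the `InternalAuthenticationServiceException` branch, where "invalid account status" no longer describes the cause; reword it there to `// SEC-546: Avoid polling additional providers after an internal authentication service error`. The enclosing method starts and ends outside the hunk.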
@@ -241,6 +253,13 @@ public class ProviderManager implements AuthenticationManager, MessageSourceAwar if (parentException == null) { prepareException(lastException, authentication); } + + // Ensure this message is not logged when authentication is attempted by + // the parent provider + if (this.parent != null) { + logger.debug("Denying authentication since all attempted providers failed"); + } + throw lastException; }
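Review bot: The guard `if (this.parent != null)` is true only for a manager that has a parent, so a ProviderManager configured without one never emits the denial message, including when it is the only manager in the application. The comment above the guard gives the intent (no duplicate line when this instance is invoked as a parent) but not that consequence, which matters to anyone relying on the debug log to trace rejected logins. I would spell it out in the comment: `// Logged only when this manager has a parent; a manager without a parent stays silent, including a standalone one`. The enclosing method starts outside the hunk.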