SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher. Update AuthenticationManagerBeanDefinitionParser to register a DefaultAuthenticationeventPublisher and set it on the registered ProviderManager.

config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java

@@ -14,6 +14,7 @@ import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.NamespaceHandlerResolver;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.core.Authentication;
@@ -72,6 +73,11 @@ public class AuthenticationManagerBeanDefinitionParser implements BeanDefinition
         }
 
         providerManagerBldr.addPropertyValue("providers", providers);
+        // Add the default event publisher
+        BeanDefinition publisher = new RootBeanDefinition(DefaultAuthenticationEventPublisher.class);
+        String id = pc.getReaderContext().registerWithGeneratedName(publisher);
+        pc.registerBeanComponent(new BeanComponentDefinition(publisher, id));
+        providerManagerBldr.addPropertyReference("authenticationEventPublisher", id);
 
         BeanDefinition authManager = providerManagerBldr.getBeanDefinition();
         pc.getRegistry().registerBeanDefinition(BeanIds.AUTHENTICATION_MANAGER, authManager);

config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java

@@ -1,11 +1,20 @@
 package org.springframework.security.config.authentication;
 
-import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.*;
+
+import java.util.ArrayList;
+import java.util.List;
 
 import org.junit.Test;
+import org.springframework.context.ApplicationListener;
 import org.springframework.context.support.AbstractXmlApplicationContext;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
+import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
+import org.springframework.security.util.FieldUtils;
 
 /**
  *
@@ -13,23 +22,48 @@ import org.springframework.security.config.util.InMemoryXmlApplicationContext;
  * @version $Id$
  */
 public class AuthenticationManagerBeanDefinitionParserTests {
+    private static final String CONTEXT =
+              "<authentication-manager>" +
+              "    <authentication-provider>" +
+              "        <user-service>" +
+              "            <user name='bob' password='bobspassword' authorities='ROLE_A,ROLE_B' />" +
+              "        </user-service>" +
+              "    </authentication-provider>" +
+              "</authentication-manager>";
     private AbstractXmlApplicationContext appContext;
 
     @Test
     // SEC-1225
     public void providersAreRegisteredAsTopLevelBeans() throws Exception {
-        setContext(
-          "<authentication-manager>" +
-          "    <authentication-provider>" +
-          "        <user-service>" +
-          "            <user name='bob' password='bobspassword' authorities='ROLE_A,ROLE_B' />" +
-          "        </user-service>" +
-          "    </authentication-provider>" +
-          "</authentication-manager>", "3.0");
+        setContext(CONTEXT, "3.0");
         assertEquals(1, appContext.getBeansOfType(AuthenticationProvider.class).size());
     }
 
+    @Test
+    public void eventsArePublishedByDefault() throws Exception {
+        setContext(CONTEXT, "3.0");
+        AuthListener listener = new AuthListener();
+        appContext.addApplicationListener(listener);
+        appContext.refresh();
+
+        ProviderManager pm = (ProviderManager) appContext.getBeansOfType(ProviderManager.class).values().toArray()[0];
+        Object eventPublisher = FieldUtils.getFieldValue(pm, "eventPublisher");
+        assertNotNull(eventPublisher);
+        assertTrue(eventPublisher instanceof DefaultAuthenticationEventPublisher);
+
+        pm.authenticate(new UsernamePasswordAuthenticationToken("bob", "bobspassword"));
+        assertEquals(1, listener.events.size());
+    }
+
     private void setContext(String context, String version) {
         appContext = new InMemoryXmlApplicationContext(context, version, null);
     }
+
+    private static class AuthListener implements ApplicationListener<AbstractAuthenticationEvent> {
+        List<AbstractAuthenticationEvent> events = new ArrayList<AbstractAuthenticationEvent>();
+
+        public void onApplicationEvent(AbstractAuthenticationEvent event) {
+            events.add(event);
+        }
+    }
 }

core/src/main/java/org/springframework/security/authentication/DefaultAuthenticationEventPublisher.java

@@ -24,7 +24,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.util.Assert;
 
 /**
- * The default strategy used by <tt>ProviderManager</tt> for publishing authentication events.
+ * The default strategy for publishing authentication events.
  * <p>
  * Maps well-known <tt>AuthenticationException</tt> types to events and publishes them via the
  * application context. If configured as a bean, it will pick up the <tt>ApplicationEventPublisher</tt> automatically.