I am working on Spring Security Java-based configuration.
I have created my own MyAuthenticationProvider which I want to register in the ProviderManager (single instance of AuthenticationManager).
I have found that ProviderManager has a list of providers to which I can register my single MyAuthenticationProvider.
Here is the part of my Configuration:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(MyAuthenticationProvider);
    }
}
I found out that AuthenticationManagerBuilder has parentAuthenticationManager, defaultUserDetailsService and many other fields.
My questions are:
- Where is this @Autowired annotation adding AuthenticationManagerBuilder auth from? Is the AuthenticationManagerBuilder already created in the application context?
- What would be the default state of AuthenticationManagerBuilder which is being injected? By default state I mean will there be some parentAuthenticationManager, authenticationProviders already registered in the AuthenticationManagerBuilder?
- If I am adding auth.authenticationProvider(MyAuthenticationProvider), does this mean that I am adding one more provider in the AuthenticationManagerBuilder?
- What does this mean? Taken from Spring Documentation:
The name of the configureGlobal method is not important. However, it
is important to only configure AuthenticationManagerBuilder in a class
annotated with either @EnableWebSecurity, @EnableWebMvcSecurity,
@EnableGlobalMethodSecurity, or @EnableGlobalAuthentication. Doing
otherwise has unpredictable results.
Best Answer
Answer for 1:
@EnableWebSecurity is meta-annotated with @EnableGlobalAuthentication and @EnableGlobalAuthentication imports AuthenticationConfiguration:
In AuthenticationConfiguration, you'll see that an AuthenticationManagerBuilder bean is declared:
When you @Autowire an AuthenticationManagerBuilder, this is the one that you will get. You have several methods at your disposal to easily configure in-memory, jdbc, ldap,... authentication.
Answer for 2:
Background:
The Spring Security Java config goes through several stages to seamlessly incorporate your configurations with the ApplicationContext. One place where this comes together is in the getHttp() method in WebSecurityConfigurerAdapter.
For example, this is an excerpt:
To give you an idea of how "not-straightforward" the sequence of configuration is, the authenticationManager variable above will be either:
- configure(AuthenticationManagerBuilder auth)
- @Autowired the AuthenticationManagerBuilder bean from AuthenticationConfiguration
If you look at AuthenticationConfiguration, you'll see that by default, the InitializeUserDetailsBeanManagerConfigurer is applied to the AuthenticationManagerBuilder bean. As long as it finds a UserDetailsService bean in the context and no other provider has been added, it will add a DaoAuthenticationProvider. This is why in the Spring Security reference, only providing a @Bean UserDetailsService bean is sufficient.
But once you add an authentication provider as you did, the "default" provider is not registered.