What is the difference between registering an authenticationprovider with HttpSecurity vs...

WebSecurityConfigurerAdapter offers two overrides as follows:

protected void configure(AuthenticationManagerBuilder auth)

and

protected void configure(HttpSecurity http)

Both HttpSecurity and AuthenticationManagerBuilder offer registration for authenticationProviders. Is there any difference between registering my providers with one vs the other?

I'm also using Spring boot 2.1 with @SpringBootApplication(exclude = SecurityAutoConfiguration.class) to turn off their autoconfig completely.

asked Nov 21 at 2:03

Jazzepi

2,79943462

add a comment |

WebSecurityConfigurerAdapter offers two overrides as follows:

protected void configure(AuthenticationManagerBuilder auth)

and

protected void configure(HttpSecurity http)

Both HttpSecurity and AuthenticationManagerBuilder offer registration for authenticationProviders. Is there any difference between registering my providers with one vs the other?

I'm also using Spring boot 2.1 with @SpringBootApplication(exclude = SecurityAutoConfiguration.class) to turn off their autoconfig completely.

asked Nov 21 at 2:03

Jazzepi

2,79943462

add a comment |

WebSecurityConfigurerAdapter offers two overrides as follows:

protected void configure(AuthenticationManagerBuilder auth)

and

protected void configure(HttpSecurity http)

Both HttpSecurity and AuthenticationManagerBuilder offer registration for authenticationProviders. Is there any difference between registering my providers with one vs the other?

I'm also using Spring boot 2.1 with @SpringBootApplication(exclude = SecurityAutoConfiguration.class) to turn off their autoconfig completely.

asked Nov 21 at 2:03

Jazzepi

2,79943462

WebSecurityConfigurerAdapter offers two overrides as follows:

protected void configure(AuthenticationManagerBuilder auth)

and

protected void configure(HttpSecurity http)

Both HttpSecurity and AuthenticationManagerBuilder offer registration for authenticationProviders. Is there any difference between registering my providers with one vs the other?

I'm also using Spring boot 2.1 with @SpringBootApplication(exclude = SecurityAutoConfiguration.class) to turn off their autoconfig completely.

spring-boot spring-security

asked Nov 21 at 2:03

Jazzepi

2,79943462

asked Nov 21 at 2:03

Jazzepi

2,79943462

asked Nov 21 at 2:03

Jazzepi

2,79943462

asked Nov 21 at 2:03

Jazzepi

2,79943462

asked Nov 21 at 2:03

Jazzepi

2,79943462

add a comment |

1 Answer
1

active

oldest

votes

From Spring Security Architecture

The main strategy interface for authentication is
AuthenticationManager [...]

The most commonly used implementation of AuthenticationManager is
ProviderManager, which delegates to a chain of
AuthenticationProvider instances. An AuthenticationProvider is a
bit like an AuthenticationManager [...]

A ProviderManager can support multiple different authentication
mechanisms in the same application by delegating to a chain of
AuthenticationProviders. If a ProviderManager doesn’t recognise a
particular Authentication instance type it will be skipped.

A ProviderManager has an optional parent, which it can consult if
all providers return null. If the parent is not available then a null
Authentication results in an AuthenticationException.

enter image description here

Generally speaking WebSecurityConfigurerAdapter provides configuration for HttpSecurity apart from Filter's configuration (like UsernamePasswordAuthenticationFilter, LogoutFilter etc.) it's also creates and configures (adding AuthenticationProviders and parent AuthenticationManager) AuthenticationManagers in HttpSecurity by using AuthenticationManagerBuilder.

WebSecurityConfigurerAdapter will create only one AuthenticationManager for HttpSecurity. However AuthenticationManager has its own AuthenticationProviders and its own optional parent AuthenticationProvider. When you are doing http.authenticationProvider(...) you are adding new AuthenticationProvider to the AuthenticationManager which belong to that http. By using configure(AuthenticationManagerBuilder auth) you are configuring AuthenticationManager which is the parent of the AuthenticationManager which belongs to that particular HttpSecurity.

Spring is providing default configuration for the parent of that particular AuthenticationManager, but by using configure(AuthenticationManagerBuilder auth) you are rejecting spring's configuration in favour of your (auth).

edited Nov 23 at 10:49

answered Nov 23 at 10:40

Andrew Sasha

409212

add a comment |

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53404327%2fwhat-is-the-difference-between-registering-an-authenticationprovider-with-httpse%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

From Spring Security Architecture

The main strategy interface for authentication is
AuthenticationManager [...]

The most commonly used implementation of AuthenticationManager is
ProviderManager, which delegates to a chain of
AuthenticationProvider instances. An AuthenticationProvider is a
bit like an AuthenticationManager [...]

A ProviderManager can support multiple different authentication
mechanisms in the same application by delegating to a chain of
AuthenticationProviders. If a ProviderManager doesn’t recognise a
particular Authentication instance type it will be skipped.

A ProviderManager has an optional parent, which it can consult if
all providers return null. If the parent is not available then a null
Authentication results in an AuthenticationException.

enter image description here

edited Nov 23 at 10:49

answered Nov 23 at 10:40

Andrew Sasha

409212

add a comment |

From Spring Security Architecture

The main strategy interface for authentication is
AuthenticationManager [...]

The most commonly used implementation of AuthenticationManager is
ProviderManager, which delegates to a chain of
AuthenticationProvider instances. An AuthenticationProvider is a
bit like an AuthenticationManager [...]

A ProviderManager can support multiple different authentication
mechanisms in the same application by delegating to a chain of
AuthenticationProviders. If a ProviderManager doesn’t recognise a
particular Authentication instance type it will be skipped.

A ProviderManager has an optional parent, which it can consult if
all providers return null. If the parent is not available then a null
Authentication results in an AuthenticationException.

enter image description here

edited Nov 23 at 10:49

answered Nov 23 at 10:40

Andrew Sasha

409212

add a comment |

From Spring Security Architecture

The main strategy interface for authentication is
AuthenticationManager [...]

The most commonly used implementation of AuthenticationManager is
ProviderManager, which delegates to a chain of
AuthenticationProvider instances. An AuthenticationProvider is a
bit like an AuthenticationManager [...]

A ProviderManager can support multiple different authentication
mechanisms in the same application by delegating to a chain of
AuthenticationProviders. If a ProviderManager doesn’t recognise a
particular Authentication instance type it will be skipped.

A ProviderManager has an optional parent, which it can consult if
all providers return null. If the parent is not available then a null
Authentication results in an AuthenticationException.

enter image description here

edited Nov 23 at 10:49

answered Nov 23 at 10:40

Andrew Sasha

409212

From Spring Security Architecture

The main strategy interface for authentication is
AuthenticationManager [...]

The most commonly used implementation of AuthenticationManager is
ProviderManager, which delegates to a chain of
AuthenticationProvider instances. An AuthenticationProvider is a
bit like an AuthenticationManager [...]

A ProviderManager can support multiple different authentication
mechanisms in the same application by delegating to a chain of
AuthenticationProviders. If a ProviderManager doesn’t recognise a
particular Authentication instance type it will be skipped.

A ProviderManager has an optional parent, which it can consult if
all providers return null. If the parent is not available then a null
Authentication results in an AuthenticationException.

enter image description here

edited Nov 23 at 10:49

answered Nov 23 at 10:40

Andrew Sasha

409212

edited Nov 23 at 10:49

answered Nov 23 at 10:40

Andrew Sasha

409212

answered Nov 23 at 10:40

Andrew Sasha

409212

answered Nov 23 at 10:40

Andrew Sasha

409212

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

Some of your past answers have not been well-received, and you're in danger of being blocked from answering.

Please pay close attention to the following guidance:

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Tukukkk