CODEWITHSUNDEEP
springauthenticationspring-securityspring-boot
John
John

Reputation: 1360

spring security not able to add custom authentication providers

I have created additional authentication providers. I am registering them like following:

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(tokenAP());
        auth.authenticationProvider(usernameAndPasswordAP());
        auth.userDetailsService(getUserDetailsService());
    }

Later in my code I am using AuthenticationManager to authenticate users. The issue is that I have only one authentication provider registered in authentication manager which is DaoAuthenticationProvider. It looks like my authentication providers are not registered at all. Should I do some additional config to make it work? I am using spring boot 1.2.6 Thanks in advance for any tips. Best Regards

Upvotes: 0

Views: 1161

Answers (2)

ikumen
ikumen

Reputation: 11643

When you override the configure(AuthenticationManagerBuilder auth), the underlying AuthenticationManager is exposed in one of 2 ways:

1) within SecurityConfig, you can simply call authenticationManager()

2) if you need AuthenticationManager outside of your SecurityConfig you will need to expose it as a bean, for example:

class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(tokenAP());
        auth.authenticationProvider(usernameAndPasswordAP());
        auth.userDetailsService(getUserDetailsService());
    }

   @Bean
   @Override
   public AuthenticationManager authenticationManagerBean() throws Exception {
     return super.authenticationManagerBean();
   }
}

Upvotes: 2

J. Gregory Wright
J. Gregory Wright

Reputation: 406

The way we have authentication providers configured in our Spring Boot web applications is similar to what is discussed in the example Spring Security Java configuration from the current release reference guide, which modifies the default autowired AuthenticationManagerBuilder. Using your methods, it might look like:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
  auth.authenticationProvider(tokenAP())
    .authenticationProvider(usernameAndPasswordAP())
    .userDetailsService(getUserDetailsService());
}

If I am reading the Javadocs for the configure(AuthenticationManagerBuilder) method correctly, when you override this method you must specify your own AuthenticationManager. By using the autowired instance as described above, the default AuthenticationManager (which is ProviderManager, which in turn delegates to one or more configured AuthorizationProvider instances).

You may also need to annotate your configuration class with:

@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)

So that your access control rules are applied before the defaults that Spring Boot will otherwise configure for you.

Upvotes: 1

Related Questions