Multiple WebSeciurityConfig in one Spring application

Question

We are maintaining two versions of our application from security perspective

1. SAML based spring security 
2. Spring and JDBC based application security.

As some of our customers already have SAML IDP (like ADFS and GLUU) which they want us to integrate for SSO and some customer doesn't have SAML IDP.

Is there a way that both configurations can coexist and based on the customer using the application, security is imposed on the user.

For ex: if the request is coming for customer a.myserverhost.com SAML based security configurations are imposed. and if the request is form b.myserverhost.com the other webSeciurityConfig is imposed

Answer 1

Yes, all of this is possible. What I would suggest is implementing your own AuthenticationManager which manages multiple AuthenticationProviders (e.g. SAML, JDBC).

That's where you can insert your conditional logic for choosing the correct provider based on certain criteria.

For inspiration, look at the default implementation ProviderManager.

Out of the box the ProviderManager will iterate over all of your AuthenticationProviders and attempt to authenticate the User. If it doesn't find the User it moves on to the next one. If that's all you need then you don't need any custom implementations.