M2E67

Reputation: 970

Prevent Spring Security from authenticating users who have a BadCredentialsException via the next authentication provider

I configured Spring Security with multiple authentication providers:

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="testUser" password="TestPwd"
              authorities="ROLE_USER" />
        </security:user-service>
    </security:authentication-provider>
    <security:authentication-provider
      ref="customAuthenticationProvider" />
</security:authentication-manager>

I want to prevent authenticating a user via the second provider if the user's password was invalid in the first provider. For example, if the user with username 'testUser' could not authenticate via the in-memory provider (so the user's password was not equal to 'TestPwd'), customAuthenticationProvider should not authenticate the user again.

Upvotes: 1

Views: 427

Answers (1)

Shaunak Patel

Reputation: 1671

So basically, the provider manager iterates through all authentication providers and checks authentication. By default, if there is any error of type AuthenticationException, Spring checks with another provider.

But you don't want to check with another provider. To solve this issue, you need to have your own provider manager and override the authenticate method.

I believe the entire code in the overridden method would remain the same except here. Here you just need to add a break statement.

How it will work?

As you mentioned, you have two providers: 1) in-memory and 2) custom authentication provider. Both will have an overridden public Authentication authenticate(Authentication authentication) method, and this method should throw BadCredentialsException if the credentials do not match.

So, while iterating through the providers (in your custom provider manager), your in-memory provider will throw BadCredentialsException and the exception will be caught here. Since you have written break, the loop will exit and the custom provider manager will not go to another provider to check authentication.

Upvotes: 3
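A sketch of the fail-fast manager described in the answer above, added here as an illustration and not taken from the original posts or from Spring Security itself. It implements `AuthenticationManager` directly instead of copying `ProviderManager.authenticate`, and the class name `FailFastProviderManager` is hypothetical.

```java
import java.util.List;
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

// Hypothetical class: tries providers in order, but a wrong password ends the chain.
// Unlike the stock ProviderManager it does not erase credentials or publish events.
public class FailFastProviderManager implements AuthenticationManager {

    private final List<AuthenticationProvider> providers;

    public FailFastProviderManager(List<AuthenticationProvider> providers) {
        this.providers = List.copyOf(providers);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        AuthenticationException last = null;
        for (AuthenticationProvider provider : providers) {
            if (!provider.supports(authentication.getClass())) {
                continue; // provider cannot handle this token type
            }
            try {
                Authentication result = provider.authenticate(authentication);
                if (result != null) {
                    return result; // first successful provider wins
                }
            } catch (BadCredentialsException | AccountStatusException
                    | InternalAuthenticationServiceException e) {
                // Known user with a wrong password, a locked/disabled account,
                // or a backend failure: do not consult any later provider.
                throw e;
            } catch (AuthenticationException e) {
                last = e; // e.g. UsernameNotFoundException: let the next provider try
            }
        }
        if (last != null) {
            throw last;
        }
        throw new ProviderNotFoundException(
                "No AuthenticationProvider for " + authentication.getClass().getName());
    }
}
```

`DaoAuthenticationProvider` reports unknown usernames as `BadCredentialsException` by default, so with this manager a user who exists only in the second provider would be rejected by the first; calling `setHideUserNotFoundExceptions(false)` on the in-memory provider lets `UsernameNotFoundException` fall through instead. With XML configuration the bean can be wired in through the `authentication-manager-ref` attribute of `<security:http>`.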
