seaaan

Reputation: 15

Spring Security WebSecurityConfigurerAdapter: AuthenticationManagerBuilder - override configure method or autowire globalUserDetails?

Dear community: I'm writing this to ask how I have to configure AuthenticationManagerBuilder.

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  @Autowired
  private UserDetailsService secUserDetailsService;

  @Autowired
  private PasswordEncoder secPasswordEncoder;

  . . .

  @Bean
  @Override
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(authenticationProvider());
  }

  @Autowired
  public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(secUserDetailsService).passwordEncoder(secPasswordEncoder);
  }

  @Bean
  public DaoAuthenticationProvider authenticationProvider() {
    DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
    authenticationProvider.setUserDetailsService(secUserDetailsService);
    authenticationProvider.setPasswordEncoder(secPasswordEncoder);
    return authenticationProvider;
  }
}

Which of these implementations should I follow:

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(authenticationProvider());
  }

and

  @Autowired
  public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(secUserDetailsService).passwordEncoder(secPasswordEncoder);
  }

Plus, I found that if I comment out the whole '@Override protected void configure(AuthenticationManagerBuilder auth)' method, my application works well, but when I commented out '@Autowired public void globalUserDetails(AuthenticationManagerBuilder auth)', the following error occurred:

o.s.s.o.p.endpoint.TokenEndpoint.handleException:169 - Handling error: IllegalStateException, UserDetailsService is required.
java.lang.IllegalStateException: UserDetailsService is required.
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$UserDetailsServiceDelegator.loadUserByUsername(WebSecurityConfigurerAdapter.java:464)
    at org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper.loadUserDetails(UserDetailsByNameServiceWrapper.java:68)
    at org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider.authenticate(PreAuthenticatedAuthenticationProvider.java:103)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
...

Which method should I use? Additionally (this is my biggest concern), are there any performance issues if I use both?

Upvotes: 0

Views: 2776

Answers (1)

pero_hero

Reputation: 3204

According to this guide, the difference between using @Override configure(AuthenticationManagerBuilder auth) and an @Autowired AuthenticationManagerBuilder into a method is that the first one is creating a local AuthenticationManager which delegates to the default spring-security parent AuthenticationManager if it is not able to handle the authentication request, whereas the latter one (using @Autowired) configures a new global AuthenticationManager instance.

So using the globalUserDetails is perfectly ok, but there is no need to use both as you would create a local one which is delegating to the same as the parent, which is useless.

Upvotes: 0
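The local-to-parent delegation described in the answer, as an added example that is not part of the original question or answer: it wires two ProviderManager instances by hand the way the question's configuration ends up (a local manager whose parent is the global one, each with its own DaoAuthenticationProvider over the same users) and counts user lookups, showing that a rejected login is evaluated by both managers. The class name, the sample user and the counter are assumptions made for the demo; it assumes Spring Security 5.x (spring-security-core and its dependencies) on the classpath.

```java
import java.util.Collections;
import java.util.concurrent.atomic.AtomicInteger;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Hypothetical stand-alone demo class, not code from the question.
public class LocalVsGlobalDemo {
    static final AtomicInteger lookups = new AtomicInteger();
    static final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

    // Same shape as authenticationProvider() in the question, plus a lookup counter.
    static AuthenticationProvider daoProvider(UserDetailsService users) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(name -> {
            lookups.incrementAndGet();
            return users.loadUserByUsername(name);
        });
        provider.setPasswordEncoder(encoder);
        return provider;
    }

    public static void main(String[] args) {
        // Constructed sample user, not taken from the original post.
        UserDetailsService users = new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("sample-pw")).roles("USER").build());

        // Global manager: the role played by the @Autowired globalUserDetails(...) method.
        AuthenticationManager global =
            new ProviderManager(Collections.singletonList(daoProvider(users)));
        // Local manager: the role played by the overridden configure(...), with global as parent.
        AuthenticationManager local =
            new ProviderManager(Collections.singletonList(daoProvider(users)), global);

        local.authenticate(new UsernamePasswordAuthenticationToken("alice", "sample-pw"));
        System.out.println("lookups for valid login:   " + lookups.getAndSet(0));
        try {
            local.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong-pw"));
        } catch (BadCredentialsException e) {
            System.out.println("lookups for invalid login: " + lookups.getAndSet(0));
        }
    }
}
```

A valid login is answered by the local provider alone, while the invalid one falls through to the parent, so the user lookup and the BCrypt comparison run twice for every failed attempt when both methods are configured.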
