What is the default AuthenticationManager in Spring-Security? How does it authenticate?

Tags: Spring, Spring Security

Spring Problem Overview


I have the following bean defined:

<sec:authentication-manager alias="authenticationManager">
	<sec:authentication-provider
		user-service-ref="userDetailsService" />
</sec:authentication-manager>

I guess here Spring uses some default implementation of AuthenticationManager.

In my Java code I have:

import javax.annotation.Resource;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager; // specific for Spring Security

public boolean login(String username, String password) {
	try {
		// Unauthenticated request token: principal = username, credentials = raw password
		Authentication authenticate = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
		if (authenticate.isAuthenticated()) {
			SecurityContextHolder.getContext().setAuthentication(authenticate);				
			return true;
		}
	}
	catch (AuthenticationException e) {
		// Thrown for bad credentials, locked/disabled accounts, etc.; swallowed here and reported as a failed login
	}
	return false;
}

Here AuthenticationManager.authenticate(...) is called. But I would like to know which implementation of AuthenticationManager Spring uses by default, and what its authenticate(...) does in order to authenticate (i.e., make sure that username matches password).

Could you explain this?

Spring Solutions


Solution 1 - Spring

The AuthenticationManager is really just a container for authentication providers, giving a consistent interface to them all. In most cases, the default AuthenticationManager is more than sufficient.

When you call

.authenticate(new UsernamePasswordAuthenticationToken(username, password))

it is passing the UsernamePasswordAuthenticationToken to the default AuthenticationProvider, which will use the userDetailsService to get the user based on username and compare that user's password with the one in the authentication token.

In general, the AuthenticationManager passes some sort of AuthenticationToken to each of its AuthenticationProviders and they each inspect it and, if they can use it to authenticate, they return with an indication of "Authenticated", "Unauthenticated", or "Could not authenticate" (which indicates the provider did not know how to handle the token, so it passed on processing it).

This is the mechanism that allows you to plug in other authentication schemes, like authenticating against an LDAP or Active Directory server, or OpenID, and is one of the main extension points within the Spring Security framework.
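The following is an added example, not code from the question or from any of the answers, showing the flow Solution 1 describes in plain Java rather than XML: a ProviderManager wrapping a single DaoAuthenticationProvider, which looks the user up through a UserDetailsService and compares the submitted password with the stored hash via a PasswordEncoder. The in-memory user store and the credentials are constructed for the demo, the Spring Security 5.x API is assumed, and the class and method names are my own.

```java
import java.util.Arrays;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class ProviderManagerDemo {

    // Constructed sample user store standing in for the question's "userDetailsService" bean.
    // The password is stored as a bcrypt hash, never in clear text.
    static UserDetailsService sampleUserDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
                User.withUsername("alice")
                        .password(encoder.encode("correct horse battery staple"))
                        .roles("USER")
                        .build());
    }

    // Java equivalent of <sec:authentication-manager> containing one
    // <sec:authentication-provider user-service-ref="userDetailsService"/>:
    // a ProviderManager whose only provider is a DaoAuthenticationProvider.
    static AuthenticationManager buildAuthenticationManager(UserDetailsService uds, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(encoder);
        // Default is already true: an unknown username is reported as BadCredentialsException,
        // so a caller cannot distinguish "no such user" from "wrong password" (no user enumeration).
        provider.setHideUserNotFoundExceptions(true);

        ProviderManager manager = new ProviderManager(Arrays.asList(provider));
        // Default is already true: the clear-text password is wiped from the returned Authentication.
        manager.setEraseCredentialsAfterAuthentication(true);
        return manager;
    }

    // Runs one authentication attempt and summarises the outcome as a string.
    static String describe(AuthenticationManager manager, String username, String password) {
        try {
            Authentication result = manager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // ProviderManager either throws or returns a fully populated, authenticated token.
            return "authenticated=" + result.isAuthenticated()
                    + " principal=" + ((UserDetails) result.getPrincipal()).getUsername()
                    + " authorities=" + result.getAuthorities()
                    + " credentialsErased=" + (result.getCredentials() == null);
        } catch (BadCredentialsException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        AuthenticationManager manager =
                buildAuthenticationManager(sampleUserDetailsService(encoder), encoder);

        System.out.println(describe(manager, "alice", "correct horse battery staple"));
        System.out.println(describe(manager, "alice", "wrong"));   // rejected
        System.out.println(describe(manager, "nobody", "wrong"));  // rejected the same way
    }
}
```

Two details worth checking in your own configuration: the DaoAuthenticationProvider never compares clear-text strings, it calls `PasswordEncoder.matches(raw, storedHash)`, so the stored value must have been produced by the same encoder; and because the default ProviderManager erases credentials after a successful authentication, the token you put into the SecurityContext no longer carries the password.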

Solution 2 - Spring

Spring Security ships only one real AuthenticationManager implementation:

org.springframework.security.authentication.ProviderManager

This uses different AuthenticationProviders for the authentication tasks.

The AuthenticationManagerBeanDefinitionParser is responsible for parsing <sec:authentication-manager>; its Javadoc states:

> Registers the central ProviderManager used by the namespace configuration, and allows the configuration of an alias, allowing users to reference it in their beans and clearly see where the name is coming from.

It creates the ProviderManager and adds the specified providers. If no providers are specified in the xml, then it adds a NullAuthenticationProvider. This is at least a provider that does nothing other than prevent configuration exceptions.

Solution 3 - Spring

From Spring Security Docs:

> The default implementation in Spring Security is called ProviderManager and rather than handling the authentication request itself, it delegates to a list of configured AuthenticationProviders, each of which is queried in turn to see if it can perform the authentication. Each provider will either throw an exception or return a fully populated Authentication object.

Information about ProviderManager can also be found in Topical Guide - Spring Security Architecture:

> The most commonly used implementation of AuthenticationManager is ProviderManager, which delegates to a chain of AuthenticationProvider instances. An AuthenticationProvider is a bit like an AuthenticationManager but it has an extra method to allow the caller to query if it supports a given Authentication type...
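The quoted docs in Solutions 2 and 3 describe a chain that is queried "in turn". The added example below (my own code, not from the answers or the Spring project) makes that contract visible with two hand-written AuthenticationProviders: `supports()` decides whether a provider is consulted at all, returning `null` from `authenticate()` means "could not authenticate, try the next one", and throwing an AuthenticationException records a failure but, unless it is an AccountStatusException or InternalAuthenticationServiceException, still lets ProviderManager move on to the next provider. That last point is the practitioner's caveat: a permissive provider later in the list can accept a login that a stricter provider already rejected. The realms, passwords and class names are constructed for the demo; Spring Security 5.x is assumed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

public class ProviderChainDemo {

    // Records which providers ProviderManager actually called, in order.
    static final List<String> trace = new ArrayList<>();

    // Toy provider for one "realm": usernames ending in `suffix`. Real providers
    // delegate the password check to a PasswordEncoder; this one is illustrative only.
    static class RealmProvider implements AuthenticationProvider {
        private final String name, suffix, expectedPassword;

        RealmProvider(String name, String suffix, String expectedPassword) {
            this.name = name; this.suffix = suffix; this.expectedPassword = expectedPassword;
        }

        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            trace.add(name);
            String username = authentication.getName();
            if (!username.endsWith(suffix)) {
                return null; // "could not authenticate": not our realm, let the next provider try
            }
            if (!expectedPassword.equals(String.valueOf(authentication.getCredentials()))) {
                throw new BadCredentialsException("bad password for " + username);
            }
            // Success: return a fully populated, authenticated token (credentials dropped)
            return new UsernamePasswordAuthenticationToken(username, null,
                    AuthorityUtils.createAuthorityList("ROLE_" + name));
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    // Provider for a different token type; ProviderManager must skip it for username/password logins.
    static class RememberMeOnlyProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication authentication) {
            trace.add("rememberMe");
            throw new IllegalStateException("must never be asked about a username/password token");
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return RememberMeAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    static String describe(ProviderManager manager, String username, String password) {
        trace.clear();
        try {
            Authentication result = manager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            return "OK as " + result.getAuthorities() + " via " + trace;
        } catch (ProviderNotFoundException e) {
            return "no provider could handle it, tried " + trace;
        } catch (AuthenticationException e) {
            return "rejected (" + e.getClass().getSimpleName() + "), tried " + trace;
        }
    }

    public static void main(String[] args) {
        ProviderManager strictOnly = new ProviderManager(Arrays.asList(
                new RememberMeOnlyProvider(),
                new RealmProvider("corp", "@corp", "s3cret")));
        System.out.println(describe(strictOnly, "alice@corp", "s3cret"));  // OK via [corp]
        System.out.println(describe(strictOnly, "bob@other", "s3cret"));   // ProviderNotFoundException

        // Same strict provider followed by a permissive catch-all realm (suffix "" matches everyone).
        ProviderManager withCatchAll = new ProviderManager(Arrays.asList(
                new RememberMeOnlyProvider(),
                new RealmProvider("corp", "@corp", "s3cret"),
                new RealmProvider("legacy", "", "welcome1")));
        // corp throws BadCredentialsException, ProviderManager continues, legacy accepts:
        System.out.println(describe(withCatchAll, "alice@corp", "welcome1"));
        // both throw: ProviderManager rethrows the last exception
        System.out.println(describe(withCatchAll, "alice@corp", "wrong"));
    }
}
```

When you plug in LDAP, Active Directory or a custom provider next to the default DaoAuthenticationProvider, review what each one returns for users outside its own population: returning `null` (rather than throwing) is what keeps the chain moving, and a catch-all provider placed after a stricter one silently widens who can log in.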

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | rapt | View Question on Stackoverflow
Solution 1 - Spring | cdeszaq | View Answer on Stackoverflow
Solution 2 - Spring | Ralph | View Answer on Stackoverflow
Solution 3 - Spring | wonderingdev | View Answer on Stackoverflow