What is the default AuthenticationManager in Spring-Security? How does it authenticate?
Tags: Spring, Spring Security

Problem Overview
I have the following bean defined:
<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider user-service-ref="userDetailsService" />
</sec:authentication-manager>
I guess here Spring uses some default implementation of AuthenticationManager.
In my Java code I have:
import javax.annotation.Resource;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager; // specific for Spring Security

public boolean login(String username, String password) {
    try {
        // Wrap the raw credentials in a token and hand it to the manager's providers
        Authentication authenticate = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
        if (authenticate.isAuthenticated()) {
            // Keep the authenticated principal for the rest of this thread/request
            SecurityContextHolder.getContext().setAuthentication(authenticate);
            return true;
        }
    }
    catch (AuthenticationException e) {
        // Bad credentials, locked account, etc. all surface here; treated as a failed login
    }
    return false;
}
Here AuthenticationManager.authenticate(...) is called. But I would like to know which implementation of AuthenticationManager Spring uses by default, and what its authenticate(...) does in order to authenticate (i.e., make sure that the username matches the password). Could you explain this?
Solutions
Solution 1 - Spring
The AuthenticationManager is really just a container for authentication providers, giving a consistent interface to them all. In most cases, the default AuthenticationManager is more than sufficient.
When you call .authenticate(new UsernamePasswordAuthenticationToken(username, password)) it is passing the UsernamePasswordAuthenticationToken to the default AuthenticationProvider, which will use the userDetailsService to get the user based on username and compare that user's password with the one in the authentication token.
In general, the AuthenticationManager passes some sort of AuthenticationToken to each of its AuthenticationProviders and they each inspect it and, if they can use it to authenticate, they return with an indication of "Authenticated", "Unauthenticated", or "Could not authenticate" (which indicates the provider did not know how to handle the token, so it passed on processing it).
This is the mechanism that allows you to plug in other authentication schemes, like authenticating against an LDAP or Active Directory server, or OpenID, and is one of the main extension points within the Spring Security framework.
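The flow Solution 1 describes, as an added example that is not part of the original answers: a ProviderManager built in plain Java (the equivalent of the question's XML) with one DaoAuthenticationProvider backed by an in-memory UserDetailsService. The user store, the user name and the sample password are constructed for this demo; it assumes the Spring Security 5.x/6.x API (ProviderManager, DaoAuthenticationProvider, InMemoryUserDetailsManager, BCryptPasswordEncoder) is on the classpath.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class ProviderManagerDemo {

    // Constructed in-memory user store; stands in for the "userDetailsService" bean in the question.
    // Only the BCrypt hash of the sample password is stored, never the password itself.
    static UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
                User.withUsername("alice")
                        .password(encoder.encode("correct horse battery staple")) // constructed sample credential
                        .roles("USER")
                        .build());
    }

    // Java equivalent of <sec:authentication-manager> with a single user-service-ref provider.
    static AuthenticationManager authenticationManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService(encoder));
        provider.setPasswordEncoder(encoder); // encoder.matches(raw, hash) is the "compare passwords" step
        return new ProviderManager(List.of(provider));
    }

    public static void main(String[] args) {
        AuthenticationManager manager = authenticationManager();

        // 1. Correct credentials: the provider loads "alice" by username, the encoder matches the
        //    password against the stored hash, and a fully populated authenticated token comes back.
        Authentication ok = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct horse battery staple"));
        System.out.println("authenticated=" + ok.isAuthenticated()
                + " authorities=" + ok.getAuthorities()
                // ProviderManager erases credentials from the result by default, so the plain
                // password does not linger in the SecurityContext.
                + " credentials=" + ok.getCredentials());

        // 2. Wrong password: the provider throws instead of returning an unauthenticated token,
        //    which is why the login() method in the question wraps authenticate() in a try/catch.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "not-the-password"));
        } catch (BadCredentialsException e) {
            System.out.println("wrong password -> " + e.getClass().getSimpleName());
        }

        // 3. Unknown user: DaoAuthenticationProvider hides UsernameNotFoundException behind the
        //    same BadCredentialsException by default, so the caller cannot tell which part failed.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("mallory", "anything"));
        } catch (BadCredentialsException e) {
            System.out.println("unknown user -> " + e.getClass().getSimpleName());
        }
    }
}
```

Cases 2 and 3 raising the same exception type is deliberate in DaoAuthenticationProvider (hideUserNotFoundExceptions defaults to true): a login endpoint that surfaced the difference would let a caller enumerate valid usernames, so keep that default unless there is a concrete reason not to.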
Solution 2 - Spring
Spring Security ships only one real AuthenticationManager implementation: org.springframework.security.authentication.ProviderManager. This uses different AuthenticationProviders for the authentication tasks.
The AuthenticationManagerBeanDefinitionParser is responsible for parsing <sec:authentication-manager>; its Javadoc states:
> Registers the central ProviderManager used by the namespace configuration, and allows the configuration of an alias, allowing users to reference it in their beans and clearly see where the name is coming from.
It creates the ProviderManager and adds the specified providers. If no provider is specified in the XML, then it adds a NullAuthenticationProvider. This is at least a provider that does nothing other than prevent configuration exceptions.
Solution 3 - Spring
From Spring Security Docs:
> The default implementation in Spring Security is called ProviderManager and rather than handling the authentication request itself, it delegates to a list of configured AuthenticationProviders, each of which is queried in turn to see if it can perform the authentication. Each provider will either throw an exception or return a fully populated Authentication object.
Information about ProviderManager can also be found in Topical Guide - Spring Security Architecture:
> The most commonly used implementation of AuthenticationManager is ProviderManager, which delegates to a chain of AuthenticationProvider instances. An AuthenticationProvider is a bit like an AuthenticationManager but it has an extra method to allow the caller to query if it supports a given Authentication type...
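The supports() query and the "queried in turn" behaviour from the two quoted docs, as an added example that is not part of the original answers or of Spring Security itself: two hypothetical providers (ApiKeyProvider and PasswordProvider) and a hypothetical ApiKeyToken are chained in a ProviderManager so you can see which provider handles which token, what returning null from a provider means, and what happens when no provider supports a token. The names, the accepted user and the sample API key are constructed for the demo; it assumes Spring Security 5.x/6.x is on the classpath.

```java
import java.util.List;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

public class ProviderChainDemo {

    /** Hypothetical token carrying an API key instead of a username/password pair. */
    static class ApiKeyToken extends AbstractAuthenticationToken {
        private final String apiKey;
        ApiKeyToken(String apiKey) { super(null); this.apiKey = apiKey; setAuthenticated(false); }
        @Override public Object getCredentials() { return apiKey; }
        @Override public Object getPrincipal() { return "api-client"; }
    }

    /** Hypothetical provider: only claims ApiKeyToken, so ProviderManager never asks it about other tokens. */
    static class ApiKeyProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            if ("demo-key-123".equals(auth.getCredentials())) { // constructed sample key
                ApiKeyToken ok = new ApiKeyToken("demo-key-123");
                ok.setAuthenticated(true);
                return ok;
            }
            return null; // "could not authenticate": let the next provider try
        }
        @Override
        public boolean supports(Class<?> authentication) {
            return ApiKeyToken.class.isAssignableFrom(authentication);
        }
    }

    /** Hypothetical provider for username/password tokens (a real app would delegate to a UserDetailsService). */
    static class PasswordProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            if ("alice".equals(auth.getName()) && "pw".equals(auth.getCredentials())) { // constructed sample user
                // The three-argument constructor marks the token as authenticated
                return new UsernamePasswordAuthenticationToken(
                        "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
            }
            return null; // unknown to this provider; ProviderManager keeps walking the chain
        }
        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    /** A second token type that no provider in the chain supports. */
    static class SamlAssertionToken extends ApiKeyToken {
        SamlAssertionToken() { super("unused"); }
    }

    public static void main(String[] args) {
        AuthenticationManager manager =
                new ProviderManager(List.of(new ApiKeyProvider(), new PasswordProvider()));

        // ApiKeyProvider.supports() is false for this token, so only PasswordProvider is consulted.
        Authentication pw = manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "pw"));
        System.out.println("password login: " + pw.isAuthenticated() + " " + pw.getAuthorities());

        // PasswordProvider.supports() is false here; ApiKeyProvider handles it.
        Authentication key = manager.authenticate(new ApiKeyToken("demo-key-123"));
        System.out.println("api-key login: " + key.isAuthenticated() + " principal=" + key.getPrincipal());

        // Every supporting provider returned null and none threw: ProviderManager reports
        // that nobody could handle the request rather than silently returning the input.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("nobody", "x"));
        } catch (ProviderNotFoundException e) {
            System.out.println("no provider succeeded -> " + e.getClass().getSimpleName());
        }
    }
}
```

Note the difference between the two failure signals a provider has: throwing an AuthenticationException (bad password, locked account) stops the chain with that error, while returning null means "not mine" and lets ProviderManager continue to the next provider. A provider that returns a token with isAuthenticated() false for a failed login would be a mistake, because callers such as the question's login() method may only check that flag.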