Provider order using AuthenticationManagerBuilder

I am using Spring Security 4.0.1 and want to use multiple authentication providers for authentication using Java-based configuration. How do I specify the order of the providers?

I was hoping to use AuthenticationManagerBuilder, as that is what WebSecurityConfigurerAdapter.configureGlobal() exposes, but I don't see any way to specify the order. Do I need to create the ProviderManager manually?

Update: This clarifies the issue, based on Arun's answer. The specific providers I want to use are an ActiveDirectoryLdapAuthenticationProvider and a DaoAuthenticationProvider for the user UserService.

Ultimately, I would like to authenticate first against the DaoAuthenticationProvider and then against the ActiveDirectoryLdapAuthenticationProvider.

The AD provider involves a call to AuthenticationManagerBuilder.authenticationProvider(), but the DAO provider involves a call to AuthenticationManagerBuilder.userService(), which creates a DaoAuthenticationProvider around the custom service behind the scenes. Looking at the source code, it doesn't place the provider directly in the provider list (it creates a configurator), so Arun's answer doesn't work for me.

I tried to create a DaoAuthenticationProvider manually and pass it to authenticationProvider(). This did not affect the order.

+3




2 answers


There is no explicit ordering. The calling order will be the order in which you provided each AuthenticationProvider to AuthenticationManagerBuilder.authenticationProvider(). Refer to the XML config here. The same should apply for Java config.

For example,

auth.authenticationProvider(getAuthenticationProvider2());
auth.authenticationProvider(getAuthenticationProvider1());

will result in the call order AuthenticationProvider2, AuthenticationProvider1

and

auth.authenticationProvider(getAuthenticationProvider1());
auth.authenticationProvider(getAuthenticationProvider2());

will result in the call order AuthenticationProvider1, AuthenticationProvider2

+1
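Why the registration order matters, as an added example that is not part of the answer above: ProviderManager consults its providers in list order, stops at the first success, and aborts the whole chain on an account-status failure. It assumes spring-security-core on the classpath; the class name, the "dao"/"ad" labels and the stub providers are hypothetical stand-ins for the real DAO and Active Directory providers.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

public class ProviderOrderDemo {
    static final List<String> calls = new ArrayList<String>();

    // Hypothetical stub provider: records that it was called, then fails or accepts.
    static AuthenticationProvider provider(final String name, final AuthenticationException failure) {
        return new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication a) {
                calls.add(name);
                if (failure != null) throw failure;
                return new UsernamePasswordAuthenticationToken(
                        a.getPrincipal(), null, AuthorityUtils.NO_AUTHORITIES);
            }
            @Override
            public boolean supports(Class<?> type) { return true; }
        };
    }

    // Runs one login through a ProviderManager built in the given order; returns the call trace.
    static List<String> attempt(AuthenticationProvider... ordered) {
        calls.clear();
        try {
            new ProviderManager(Arrays.asList(ordered)).authenticate(
                    new UsernamePasswordAuthenticationToken("alice", "constructed-password"));
        } catch (AuthenticationException e) {
            calls.add("failed: " + e.getClass().getSimpleName());
        }
        return new ArrayList<String>(calls);
    }

    public static void main(String[] args) {
        // DAO rejects the password, so the chain falls through to AD.
        System.out.println(attempt(provider("dao", new BadCredentialsException("bad")), provider("ad", null)));
        // Reversed order: AD accepts first and DAO is never consulted.
        System.out.println(attempt(provider("ad", null), provider("dao", new BadCredentialsException("bad"))));
        // Locked/disabled/expired account in the first provider stops the chain; AD is not tried.
        System.out.println(attempt(provider("dao", new LockedException("locked")), provider("ad", null)));
    }
}
```

With a DAO-first ordering, the last case means a locked or disabled local account blocks the login even if the directory would have accepted the same credentials.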




I tried an objectPostProcessor inside the configure method and it worked. Not sure if this is what you want:

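import java.util.Collections;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Goes inside the class that extends WebSecurityConfigurerAdapter.
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // JDBC-backed user store (applied through a configurer).
    auth.jdbcAuthentication().dataSource(dataSource)
        .passwordEncoder(new BCryptPasswordEncoder());
    // Custom provider added directly to the builder.
    auth.authenticationProvider(new CustomAuthenticationProvider(this.dataSource));

    // Runs once the builder has assembled the ProviderManager.
    auth.objectPostProcessor(new ObjectPostProcessor<Object>() {
        @Override
        public <O> O postProcess(O object) {
            // Only touch the ProviderManager; pass any other object through unchanged.
            if (object instanceof ProviderManager) {
                ProviderManager providerManager = (ProviderManager) object;
                // Swap the providers at positions 0 and 1.
                Collections.swap(providerManager.getProviders(), 0, 1);
            }
            return object;
        }
    });
}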

This is the configure method that goes into your class inheriting from WebSecurityConfigurerAdapter.

The reason for the object post processor is that we need to wait for the AuthenticationManagerBuilder to actually assemble the object before we can access and reorder the provider list.

Hope this helps. Let me know if you have any questions.

0

