How to correctly configure more authentication provider in spring-boot application

Question

I have application with this security setting:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthService authService;

    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customAuthenticationProvider());
        auth.authenticationProvider(daoAuthenticationProvider());
    }

    @Bean
    public CustomAuthenticationProvider customAuthenticationProvider() {
        return new CustomAuthenticationProvider();
    }

    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(authService);
        provider.setPasswordEncoder(new BCryptPasswordEncoder());
        return provider;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatcher(new BasicRequestMatcher()).antMatcher("/**").authorizeRequests().anyRequest()
                .fullyAuthenticated().and().httpBasic().and().csrf().disable();
        http.addFilterBefore(customAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Autowired
    private AuthenticationManager authenticationManager;

    private Logger log = LoggerFactory.getLogger(ApplicationSecurity.class);

    public CustomAuthenticationFilter customAuthenticationFilter() throws Exception {
        List<AuthenticationProvider> a = ((ProviderManager) authenticationManager).getProviders();
        log.debug("providers: " + a);
        return new CustomAuthenticationFilter(authenticationManager);
    }

}

problem is that my daoAutentication is performed twice which I want to fixed. In log I can see:

2017-01-03 10:29:18.106 DEBUG 2154 --- [[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] .r.o.MyApplication$ApplicationSecurity : providers: [org.springframework.security.authentication.dao.DaoAuthenticationProvider@4c46fcec, cz.isvs.reg.rob.ocis.auth.CustomAuthenticationProvider@24448744, org.springframework.security.authentication.dao.DaoAuthenticationProvider@60516c4c]

I have no idea why there are 2 DaoAuthenticationProvider. When i edit my configuration like this:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(kaasAuthenticationProvider());
    // auth.authenticationProvider(daoAuthenticationProvider());
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

then it works OK. There is just one DaoAuthenticationProvider. Problem is that I dont know why this works now so I do not want to use it until I will understand how this security works

UPDATE:

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    private Logger log = LoggerFactory.getLogger(CustomAuthenticationProvider.class);

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        log.debug("Authentication: {}.", authentication);
        ...
        return new CustomAuthenticationToken(securityToken, authorities,
                new CustomUser(login, "", true, true, true, true, authorities));
    }
}

why you need this provider ? It is a complicate and I can not paste code. I updated here just skeleton — hudi, Jan 03 '17 at 12:03

score 0 · Accepted Answer · edited May 23 '17 at 12:33

OK I found the problem. This thread helps me a lot

I am autowiring authenticationManager:

@Autowired
private AuthenticationManager authenticationManager;

without delegate in thread above:

   @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
   @Override
   public AuthenticationManager authenticationManagerBean() throws Exception {
       return super.authenticationManagerBean();
   }

This cause that:

class InitializeUserDetailsManagerConfigurer
        extends GlobalAuthenticationConfigurerAdapter {
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        if (auth.isConfigured()) {
            return;
        }
        ...
}

is performed before

@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(customAuthenticationProvider());
    auth.authenticationProvider(daoAuthenticationProvider());
}

what is the reason why there is one additional DaoAuthenticationProvider

How to correctly configure more authentication provider in spring-boot application

1 Answers1