Hi. I have a scenario where the authentication manager comprises multiple providers. One of those is Spring's DaoAuthenticationProvider (+ a UserDetailsService).
I've added the following to the security @Configuration:
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.eraseCredentials(false)
            .authenticationProvider(providerA);
        auth.userDetailsService(myUserDetailsService).passwordEncoder(passwordEncoder());
        auth.authenticationProvider(providerB);
    }
Thinking that's all there was to it. I suspect though this isn't the case. I could only get auth to work after adding:
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
(without declaring the bean, getting: IllegalArgumentException: An AuthenticationManager is required)
I am unclear on why the above is required. Is there documentation to guide programmers on this? If so, I could not find it.
Appreciate some guidance, and, if deemed appropriate, some elaboration in the docs.
Cheers!
Comment From: fhanik
@rosemead Thank you for the report. This works as expected and documented
https://github.com/spring-projects/spring-security/blob/5f17032ffdd7969e7422880066938709e9023da1/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java#L235-L253
Comment From: rosemead
Thanks @fhanik.
Will try to clarify: while it is true that the javadoc briefly states the purpose of the method, it is unclear to me why we would want to expose the AuthenticationManager as a bean, i.e. what is the technique/strategy employed here? Why does the app need to handle this? Can't spring-security do it? Indeed, there are other beans in a Spring app that function properly without having to be explicitly exposed in this manner.
With boilerplate code, it is common to find quite a lot of attention to it in the docs (e.g. here). That's the sort of recipe-styled guidance I was expecting to find. When I say I could not find documentation, I am referring to the above docs, and to the samples, none of which present a usage that incorporates authenticationManagerBean().
Comment From: fhanik
@rosemead There are components that will look for an authentication manager bean and use it. Specifically, XML configurations rely on this behavior quite frequently. Spring Security, in the JavaConfig, ensures to not expose another bean of the same type to avoid conflicts. But it gives you the opportunity to do so since you are in control of your configuration.
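
The situation discussed in this thread, as an added example that is not part of the original posts or the project's own code: a component that takes an AuthenticationManager by injection and therefore needs the bean published through authenticationManagerBean(). The names SecurityConfig and LoginService are hypothetical, and the UserDetailsService and PasswordEncoder beans are assumed to be defined elsewhere in the application.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final UserDetailsService users;   // assumed to be a bean defined elsewhere
    private final PasswordEncoder encoder;    // assumed to be a bean defined elsewhere
    public SecurityConfig(UserDetailsService users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Configures the manager used by the web security filter chain.
        auth.userDetailsService(users).passwordEncoder(encoder);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        // Publishes the manager configured above so other components can inject it.
        return super.authenticationManagerBean();
    }
}

// Hypothetical consumer: authenticates programmatically through the exposed bean.
@Service
class LoginService {
    private final AuthenticationManager authenticationManager;

    LoginService(AuthenticationManager am) { this.authenticationManager = am; }

    Authentication login(String username, String password) {
        // authenticate(...) throws AuthenticationException when every provider rejects the token.
        Authentication result = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
        SecurityContextHolder.getContext().setAuthentication(result);
        return result;
    }
}
```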