Spring Security how to inject my custom ProviderManager with Spring security

In my Spring Boot application, I've come out my custom MyProviderManager where I'd like to control the logic inside method authenticate

public Authentication authenticate(Authentication authentication) {
     // instead of iterating in the AuthenticationProvider list one by one
     // I'd rather choose the right AuthenticationProvider based on the currently requested URL path
     RequestDetails requestDetails = authentication.getDetails();
     if ("/ad/sso".equals(requestDetails.getPath())) {
         return adAuthenticationProvider.authenticate(authentication);
     } else if ("/saml/sso".equals(requestDetails.getPath())) {
         return samlAuthenticationProvider.authenticate(authentication);
     } else if ("/oidc/sso".equals(requestDetails.getPath())) {
         return oidcAuthenticationProvider.authenticate(authentication);
     } else  {
         return ldapAuthenticationProvider.authenticate(authentication);
     }
     return null;
 }

However, I'm now having it hard to inject my custom MyProviderManager with AuthenticationManagerBuilder so that the method performBuild() in AuthenticationManagerBuilder will return MyProviderManager instead of the default one from Spring Security

I had even tried to come out my custom MyAuthenticationManagerBuilder exends AuthenticationManagerBuilderand overridden performBuild() method, but I faced the same issue of how to inject my custom AuthenticationManagerBuilder to Spring Boot

It is really appreciate if someone could shed the light on the issues here or have better alternative ideas tackling my special requirements

Comment From: eleftherias

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.

Comment From: idavollen

@eleftherias I've tried to post an issue on stackoverflow last week, but I haven't got a useful answer yet. Therefore I tried Spring Security project git-repo directly

the registered issue at stackoverflow: https://stackoverflow.com/questions/60339007/how-to-inject-my-custom-providermanager-into-authenticationmanagerbuilder?noredirect=1#comment106805007_60339007

Comment From: idavollen

@eleftherias can my issue be treated as a suggestion for enhancement or new feature requirement?

Comment From: rwinch

@idavollen You don't need to use AuthenticationManagerBuilder because what you have is an implementation of AuthenticationManager. Instead, you should just expose your custom implementation as a Bean.

Comment From: idavollen

@rwinch thanks for your reply!

With a normal Spring Boot application, we normally "config" or register all needed AuthenticationProivders with AuthenticationManagerBuilder, via the method public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception or calling public HttpSecurity authenticationProvider() right? for instance: at line 118 ,119 from https://github.com/maurofokker/spring-security-demo/blob/master/src/main/java/com/maurofokker/demo/spring/BasicSecurityConfig.java or https://github.com/spring-projects/spring-security/blob/master/samples/javaconfig/ldap/src/main/java/org/springframework/security/samples/config/SecurityConfig.java

If I just annotate my CustomProviderManage via @Bean how my custom ProviderManager could get a list of all configured AuthenticationProvider list with AuthenticationManagerBuilder? And what the relationship between my CustomProviderManager and the default ProviderManager from Spring Security?

Comment From: rwinch

If you don't use AuthenticationManagerBuilder Spring Security will first try an AuthenticationManager Bean, then it tries an AuthenticationProvider bean, then it tries a UserDetailsService bean.

Comment From: idavollen

Hi Rob,

I really appreciate your valuable feedback!

Do you mean that my public class SecurityConfig extends WebSecurityConfigurerAdapter class should NOT be annotated with @EnableWebSecurity that is meta-annotated with EnableGlobalAuthentication and should NOT

@Autowired 
    public void configureGlobal(AuthenticationManagerBuilder auth)

so that AuthenticationManagerBuilder will not be beaned due to that AuthenticationConfiguration is NOT imported?

Instead, I should @Bean MyCustomProviderManager @Bean MyCustomAuthenticationProvider together with a beaned UserDetailsServiceImpl @Bean LDAPAuthenticationProvider @Bean OIDCAuthenticationProvider

Will Spring Security framework automatically set those beaned AuthenticationProviders into MyCustomProviderManager or I have to manually @Bean them inside MyCustomProviderManager?