I added a custom AuthenticationProvider not only use username, but also through the mobile phone number, email for validation. But I found the ProviderManager would loop all the providers,like below:

Spring Security When I custom AuthenticationProvider, can I remove the Default Provider-DaoAuthenticationProvider?

I only need my custom one, but I found no way to remove the default one.

Comment From: rwinch

What default one are you referring to? If you don't want a default one, then don't configure one. You can also create an instance of AuthenticationProvider as a Bean and only add your AuthenticationProvider to it.

Comment From: SeanWan1989

@rwinch ok, I found is my spring-security version problem.when I use spring-boot-starter-security:1.3.5.RELEASE(spring-security-*:4.0.4.RELEASE):

  • [Spring Security When I custom AuthenticationProvider, can I remove the Default Provider-DaoAuthenticationProvider? ]

  • [Spring Security When I custom AuthenticationProvider, can I remove the Default Provider-DaoAuthenticationProvider? ]

when I use spring-boot-starter-security:1.4.2.RELEASE(spring-security-*:4.1.3.RELEASE):

  • [Spring Security When I custom AuthenticationProvider, can I remove the Default Provider-DaoAuthenticationProvider?]

  • [Spring Security When I custom AuthenticationProvider, can I remove the Default Provider-DaoAuthenticationProvider?]

so when I use the old version, I can't override the configure method add provider, I modify the AuthenticationManagerBuilder bean, and add my custom in the list, but there are two providers, the DaoAuthenticationProvider is the default one(Have no effect on me).Fortunately, when I changed to the new version, it comes well, like the last picture.

Comment From: rwinch

Glad you got it fixed with an updated version. I'm closing this ticket since this is now working

Comment From: vl185050

I am facing similar kind of issue , trying to implement basic authentication with username and password . used in-memory authentication provider by reading username and password from application properties.However authentication failing since DAOAuthencationProvider is
attached to ProviderManager , where there is no implementation through database users . using Spring-Boot 1.5.9 version . Can you tell me what is the latest version used to resolve this issue.

Comment From: SayakMukhopadhyay

Check the last comment by the OP in this thread https://stackoverflow.com/questions/30835674/spring-security-boot-replace-default-daoauthenticationprovider

...I do not need to call auth.userDetailsService(userDetailsService); in SecurityConfiguration.configure(), which will prevent creation of internal DaoAuthenticationProvider! My UserIpAuthenticationProvider can get instance of UserDetailsService via injection

I was facing a similar issue and this fixed it.

Comment From: fahmad-tsa

There are several factors which should be taken care of: 1. In WebSecurityConfig do not define the AuthenticationManager Bean.

@Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); }

  1. Define authenticationProvider in HttpSecurity configure.

@Override protected void configure(HttpSecurity http) throws Exception { http.authenticationProvider(customAuthenticationProvider) ... 3. Do not set auth.userDetailsService() in AuthenticationManagerBuilder configure, it registers the DaoAuthenticationProvider by default.

@Autowired @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { //auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); auth.authenticationProvider(customAuthenticationProvider); }

Comment From: xqdd

if it is not work with above method, try to add this config (kotlin version)

@SpringBootApplication(exclude = [UserDetailsServiceAutoConfiguration::class])

Comment From: shadowfax-h

There are several factors which should be taken care of:

  1. In WebSecurityConfig do not define the AuthenticationManager Bean.

@Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); }

  1. Define authenticationProvider in HttpSecurity configure.

@Override protected void configure(HttpSecurity http) throws Exception { http.authenticationProvider(customAuthenticationProvider) ... 3. Do not set auth.userDetailsService() in AuthenticationManagerBuilder configure, it registers the DaoAuthenticationProvider by default.

@Autowired @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { //auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); auth.authenticationProvider(customAuthenticationProvider); }

if not define AuthenticationManager Bean how to use authenticationmanager.authenticate() in myservice. Is there an alternative?

Comment From: jlarroque

There are several factors which should be taken care of:

  1. In WebSecurityConfig do not define the AuthenticationManager Bean.

@Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); }

If I don't do that, I get the following error: Parameter 0 of method setAuthenticationManager in OAuth2Config required a bean of type 'org.springframework.security.authentication.AuthenticationManager' that could not be found.

Is there an alternative?

Comment From: jzheaux

@jlarroque, thanks for reaching out. It looks like there's a bit more going on with your situation, given that you are using the OAuth 2.0 support. I'd recommend asking your question Stack Overflow, which the team monitors regularly. Please feel free also to update your comment with the link to your Stack Overflow question to make it easier to find.