Spring Security Multiple "default" authentication-managers

Summary

If I have multiple authentication managers defined in the XML, one with id, one without, in 4.0 the one without any id became the "default". In 4.1, the one with id becomes the default, since an alias with the default name is added automatically.

Actual Behavior

An XML configuration like this:

  <security:authentication-manager id="preAuthenticationManager">
    <security:authentication-provider ref="preAuthenticatedAuthenticationProvider" />
  </security:authentication-manager>

  <security:authentication-manager>
    <security:authentication-provider ref="someAuthenticationProvider" />
    <security:authentication-provider ref="anotherAuthenticationProvider" />
  </security:authentication-manager>

In spring-security 4.0, the latter authentication manager became the default, in 4.1 the first is now the default.

Expected Behavior

I expected consistent behaviour between spring-security 4.0 and 4.1 - I consider the new behaviour at least surprising.

Version

The exact versions testes are spring-security 4.0.1 and 4.1.3.

Analysis

I could trace down this problem to the fix for #3296: https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java#L143 adds an alias for each authentication manager bean which hasn't the default name. Since aliases always shadow beans with the same name, every authentication manager with an ID now has "higher priority" then authentication managers without ID.

Comment From: panchenko

That's also pointed out in the comment on that commit https://github.com/spring-projects/spring-security/commit/533a5f0905ca7c39406bb9baaa046176718d0d50

Comment From: eleftherias

Thank you for brining this up. In recent releases we have added a section to our release notes that documents any changes that break passivity.

On rare occasions, like this one, we will need to make a non-passive change. We hope that brining attention to these types of changes in our release documentations will help users become aware of them when they are upgrading versions.