I am reading the spring-security source code,I am puzzled by this design , why the ProviderManager own / manage a AuthenticationManager parent ?

Comment From: eleftherias

Thanks for reaching out. This is now covered in the Spring Security reference documentation:

ProviderManager also allows configuring an optional parent AuthenticationManager which is consulted in the event that no AuthenticationProvider can perform authentication.

In fact, multiple ProviderManager instances might share the same parent AuthenticationManager. This is somewhat common in scenarios where there are multiple SecurityFilterChain instances that have some authentication in common (the shared parent AuthenticationManager), but also different authentication mechanisms (the different ProviderManager instances).