Describe the bug When I use spring @ Autowired to obtain authenticationmanagerbuilder, it is inconsistent with the authenticationmanagerbuilder instance in httpsecurity
To Reproduce
CustomAuthenticationProviderConfigurer <B extends HttpSecurityBuilder<B>>
extends AbstractHttpConfigurer<CustomAuthenticationProviderConfigurer<B>, B> {
@Override
public void init(B builder) throws Exception {
AuthenticationManagerBuilder authenticationManagerBuilder = builder.getSharedObject(AuthenticationManagerBuilder.class);
// this.
}
}
@Autowired(required = false)
private AuthenticationManagerBuilder authenticationManager;
Expected behavior The authenticationmanagerbuilder instance in customauthenticationproviderconfigurer should be consistent with the authenticationmanagerbuilder instance obtained by @ Autowired
Sample
Comment From: NotFound403
as i know its not a bug , autowired one as the parentAuthenticationManager if u dont specify one via HttpSecurity#authenticationManager(AuthenticationManager). watch the following in ProviderManager plz:
if (result == null && this.parent != null) {
// Allow the parent to try.
try {
parentResult = this.parent.authenticate(authentication);
result = parentResult;
}
catch (ProviderNotFoundException ex) {
// ignore as we will throw below if no other exception occurred prior to
// calling parent and the parent
// may throw ProviderNotFound even though a provider in the child already
// handled the request
}
catch (AuthenticationException ex) {
parentException = ex;
lastException = ex;
}
}
Comment From: sjohnr
Hi @ACCia, thanks for reaching out and welcome to the project!
I believe @NotFound403 is correct in describing that the AuthenticationManagerBuilder you are getting in your custom configurer is for the "parent" and is used to build a parent AuthenticationManager which is typically used to provide a fallback of anonymous authentication (e.g. permitAll() access for example).
The authenticationmanagerbuilder instance in customauthenticationproviderconfigurer should be consistent with the authenticationmanagerbuilder instance obtained by @ Autowired
I don't believe this is the case. Perhaps you're looking for http.getSharedObject(AuthenticationManager.class) which does return the instance currently being configured, allowing you to for example inject it into a custom filter. If this is not your use case, could you please describe what you're trying to do with the AuthenticationManagerBuilder in a custom configurer? Perhaps there's another way to accomplish the same thing.
Comment From: ACCia
@sjohnr
When I use HTTP getSharedObject(AuthenticationManagerBuilder.class). When authenticationprovider.
@Autowired(required = false)
AuthenticationManagerBuilder managerBuilder;
AuthenticationManager manager = managerBuilder.getOrBuild();
There is no authenticationprovider I added in AuthenticationManagerBuilder. How can I get the default authentication manager.
Comment From: sjohnr
Thanks @ACCia, that makes sense and is a question that has come up a few times. While it is not as convenient to obtain an AuthenticationManager without WebSecurityConfigurerAdapter, the old way of obtaining one had a few known issues.
You can read more about this in the blog post announcing the deprecation of WebSecurityConfigurerAdapter (see this section on a global AuthenticationManager you can inject with @Autowired and this section on using an custom DSL with AbstractHttpConfigurer).
TLDR; The simplest way is http.getSharedObject(AuthenticationManager.class) in a custom DSL.
I'm going to close this as answered, but please let me know if you are still stuck and we can work through it together. It may make sense to open a question on stack overflow.