Could you consider adding a method authenticationProviders() to the interface HttpSecurityBuilder?
It could take varargs or List as parameter.
Expected Behavior
It would make it more obvious that HttpSecurity can accept multiple Authentication Providers.
Current Behavior
httpSecurity.authenticationProvider() must be called multiple times. The order is of course important.
Currently, ProviderManager already supports this behaviour, with constructors like:
public ProviderManager(AuthenticationProvider... providers)
public ProviderManager(List<AuthenticationProvider> providers)
Related to https://github.com/spring-projects/spring-security/issues/11428 ?
Comment From: jzheaux
Hi, @ghusta. I see your point about how taking a varargs would make the ordering clearer. I suppose the concern would be now it might seem like authenticationProvider and authenticationProviders would conflict. It wouldn't get rid of the ordering issue since I suppose you could reasonably call authenticationProviders and authenticationProvider in the same stack unless authenticationProvider is also deprecated.
Just curious, have you considered using .authenticationManager instead? As you pointed out, ProviderManager already communicates the possibility of multiple providers. Using this method also aligns with #11428 since that ticket indicates that .authenticationProvider may eventually go away.
Comment From: ghusta
I don't really think that authenticationProvider and authenticationProviders would conflict.
As authentication providers are stored in a List in AuthenticationManagerBuilder, I imagine it would not be different to using List.add() and List.addAll(), in whatever order.
I'm just wondering if it's worth working on it, depending on the plans to deprecate AuthenticationProvider.
And yes, maybe it's more logical or natural to configure HttpSecurity following this pattern:
httpSecurity > authenticationManager( new ProviderManager( List of AuthenticationProvider ) )
Comment From: jzheaux
@ghusta, good points. I think let's hold off, given that folks can already use authenticationManager.
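The pattern the thread settles on, as an added example that is not code from either participant or from the Spring Security project: one ProviderManager built from an ordered list, which is then handed to HttpSecurity. The `fixed` helper, the class name, and the user, password and role values are constructed for illustration.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class ProviderOrderDemo {

    // Hypothetical provider: accepts exactly one constructed username/password pair
    // and tags the result with a role so the winning provider is visible.
    static AuthenticationProvider fixed(String user, String pass, String role) {
        return new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication auth) {
                if (user.equals(auth.getName()) && pass.equals(auth.getCredentials())) {
                    return UsernamePasswordAuthenticationToken.authenticated(
                            user, null, AuthorityUtils.createAuthorityList(role));
                }
                // A plain AuthenticationException lets ProviderManager try the next provider.
                throw new BadCredentialsException("bad credentials");
            }

            @Override
            public boolean supports(Class<?> type) {
                return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
            }
        };
    }

    public static void main(String[] args) {
        // Constructed sample data: both providers know "alice", with different passwords.
        AuthenticationProvider directory = fixed("alice", "directory-pw", "ROLE_DIRECTORY");
        AuthenticationProvider local = fixed("alice", "local-pw", "ROLE_LOCAL");

        // The order is stated once, in the list passed to the constructor.
        ProviderManager manager = new ProviderManager(List.of(directory, local));

        // The directory provider rejects this password, so the local provider decides.
        Authentication result = manager.authenticate(
                UsernamePasswordAuthenticationToken.unauthenticated("alice", "local-pw"));
        System.out.println(result.getName() + " " + result.getAuthorities());

        // In a SecurityFilterChain bean the same object is passed in one call:
        //     http.authenticationManager(manager);
    }
}
```

ProviderManager rethrows AccountStatusException and InternalAuthenticationServiceException immediately instead of falling through, so a locked or disabled account in an earlier provider is not retried against a later one.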