Spring Security Spring Boot - No AuthenticationProvider found for authentication.UsernamePasswordAuthenticationToken

version of spring boot : 3.1.2 Spring security : 6.1.2

Currently i implement a simple spring boot based application which involve spring security, as shown below. However, upon when i try login using the form, i got "No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken". Do note that this error will only disappear, when i manually create a bean for the AuthenticationProvider

Question: Why do i get such error. Is it a bug?
I thought by default, DaoAuthenticationProvider will be instantiated by Spring Boot and it will auto pick up whatever custom UserDetailsService bean and PasswordEncoder bean we configured.

*I will appreciate if anyone can guide me which java source code in the spring security library to look for , to understand when the security library will use the default DaoAuthenticationProvider ,and when it expects the developer to define an authenticationprovider bean manually

@Configuration
public class DemoSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        var encoders = new HashMap<String, PasswordEncoder>(
                Map.of("bcrypt",new BCryptPasswordEncoder(),
                        "noop", NoOpPasswordEncoder.getInstance())
        );

        var e = new DelegatingPasswordEncoder("noop", encoders);
        return e;
    }

    @Bean
    public UserDetailsService userDetailsManager() {

        UserDetails susan = User.builder()
                .username("susan")
                .password("{noop}test123")
                .roles("EMPLOYEE", "MANAGER", "ADMIN")
                .build();

        return new InMemoryUserDetailsManager(susan);
    }



    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        http.authorizeHttpRequests(configurer ->
                   configurer.requestMatchers("/css/**").permitAll()
                .anyRequest().authenticated()

        );

http.formLogin(Customizer.withDefaults());

        http.csrf(csrf -> csrf.disable());

        return http.build();
    }


}

`

Comment From: CyberRookie

Well since you are assigning ROLES to you user, You need to add another request matcher something like this: .requestMatchers(HttpMethod.GET, "/api/employees/**").hasAnyRole("EMPLOYEE","MANAGER")

Depending on your application. Search stackoverflow using the tag Spring Security., this question is more suited for that.

---

From: Hanster @.> Sent: Wednesday, August 16, 2023 5:42 AM To: spring-projects/spring-security @.> Cc: Subscribed @.***> Subject: [spring-projects/spring-security] Spring Boot - No AuthenticationProvider found for authentication.UsernamePasswordAuthenticationToken (Issue #13652)

version of spring boot : 3.1.2 Spring security : 6.1.2

Currently i implement a simple spring boot based application which involve spring security, as shown below. However, upon when i try login using the form, i got "No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken". Do note that this error will only disappear, when i manually create a bean for the AuthenticationProvider

Question: Why do i get such error. Is it a bug? I thought by default, DaoAuthenticationProvider will be instantiated by Spring Boot automatically and it will auto pick up whatever custom UserDetailsService bean and PasswordEncoder bean we configured.

*I will appreciate if anyone can guide me which java source code in the spring security library to look for , to understand when the security library will use the default DaoAuthenticationProvider ,and when it expects the developer to define an authenticationprovider bean manually

@Configuration public class DemoSecurityConfig {

@Bean
public PasswordEncoder passwordEncoder() {
    var encoders = new HashMap<String, PasswordEncoder>(
            Map.of("bcrypt",new BCryptPasswordEncoder(),
                    "noop", NoOpPasswordEncoder.getInstance())
    );

    var e = new DelegatingPasswordEncoder("noop", encoders);
    return e;
}

@Bean
public UserDetailsService userDetailsManager() {

    UserDetails susan = User.builder()
            .username("susan")
            .password("{noop}test123")
            .roles("EMPLOYEE", "MANAGER", "ADMIN")
            .build();

    return new InMemoryUserDetailsManager(susan);
}



@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

    http.authorizeHttpRequests(configurer ->
               configurer.requestMatchers("/css/**").permitAll()
            .anyRequest().authenticated()

    );

http.formLogin(Customizer.withDefaults());

    http.csrf(csrf -> csrf.disable());

    return http.build();
}

}

[image]https://user-images.githubusercontent.com/4410920/259963625-c084c537-d5e4-4d29-aa6a-9325db1fb573.png

`

— Reply to this email directly, view it on GitHubhttps://github.com/spring-projects/spring-security/issues/13652, or unsubscribehttps://github.com/notifications/unsubscribe-auth/APLVTXN55BMEGJJK3ILQRELXVSIXHANCNFSM6AAAAAA3SIFLFE. You are receiving this because you are subscribed to this thread.Message ID: @.***>

Comment From: hannah23280

@CyberRookie Thanks for the response.

Isn't nyRequest().authenticated() sufficient? I thought this already implicitly apply to all roles. Nevertheless, the focus of this question has nothing to do with assigning roles, it is more of why the login form prompt "No authentication Provider". This error msg obviously has nothing to do with roles, but it's more of unable to find AuthenticationProvider.

In other word, if can't even pass the Authentication stage, there is no need to mention authorisation (which involves role)..

Comment From: hannah23280

I found the root cause.

If you create your own UserDetailsService bean, there is no need to manually define a bean for AuthenticationProvider, cos by default a DaoAuthenticationProvider bean will be automatically created for us, which will automatically pick up your defined UserDetailsService bean.

But if you define 2 or more UserDetailsService beans, then u need to define your own Authenticationprovider. I made a mistake, as i don't realize I have another class that implements UserDetailsService interface and annotated with @service , which create a second UserDetailsService bean.

Comment From: JabezBrew

Hi @hannah23280 I have a similar error No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken.

Timeline of events:

I'm building a public api where developers can register their applications and receive an api key. Initially, I just had the basic auth mechanism for authenticating a user for some endpoints (example: /api/applications/register) and everything worked well.

But when I implemented the api key authentication (a custom authentication mechanism), the /api/applications/register and other endpoints that were working well started throwing 401 on every request even though the user is authenticated. Enabling spring security trace logging, revealed that a ProviderNotFoundException was being thrown.

Can you help out please?

Comment From: VitaliTch

I found the root cause.

If you create your own UserDetailsService bean, there is no need to manually define a bean for AuthenticationProvider, cos by default a DaoAuthenticationProvider bean will be automatically created for us, which will automatically pick up your defined UserDetailsService bean.

But if you define 2 or more UserDetailsService beans, then u need to define your own Authenticationprovider. I made a mistake, as i don't realize I have another class that implements UserDetailsService interface and annotated with @service , which create a second UserDetailsService bean.

That is correct, great find. When there are more than a single Spring Bean that implements UserDetailsService interface, this exception is thrown from the ProviderManager.authenticate(Authentication authentication) method:

2024-01-03 20:32:11,540 DEBUG [http-nio-8080-exec-2] BasicAuthenticationFilter RemoteAddr= RequestID= UserID= : Failed to process authentication request
org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:234)

Comment From: hannah23280

Hi @hannah23280 I have a similar error No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken.

Timeline of events:

I'm building a public api where developers can register their applications and receive an api key. Initially, I just had the basic auth mechanism for authenticating a user for some endpoints (example: /api/applications/register) and everything worked well.

But when I implemented the api key authentication (a custom authentication mechanism), the /api/applications/register and other endpoints that were working well started throwing 401 on every request even though the user is authenticated. Enabling spring security trace logging, revealed that a ProviderNotFoundException was being thrown.

Can you help out please?

Hi， sorry for the late reply. I am not an expert in this area. Perhaps, u can put this question in the overstackflow. U might get a better answer

Comment From: AshikJenly

Try providing Authentication provider. @Bean public DaoAuthenticationProvider authenticationProvider(CustomUserDetailService myUserService) { DaoAuthenticationProvider auth = new DaoAuthenticationProvider(); auth.setUserDetailsService(myUserService); auth.setPasswordEncoder(passwordEncoder()); return auth; } // Customize according to your other beans

Comment From: deepesh26

thanks much. it works.