Spring Security - Multiple authentication providers

An AuthenticationManager is responsible for passing requests through a chain of AuthenticationProviders. It is very much similar to the filter chain in a typical web application.

These authentication providers are tried in the order shown (which is implied by the use of a List instead of a Set), with each provider able to attempt authentication, or skip authentication by simply returning null. If all implementations return null, the ProviderManager will throw a suitable exception.

Below is the spring bean configuration which can be used for setting up multiple authentication providers in your Spring application using Spring Security.

spring-security.xml

Sample 1:-

<security:authentication-manager alias="authenticationManager">

    <security:authentication-provider ref="ntlmUthenticationProvider">

        <security:password-encoder hash="md5" />

    </security:authentication-provider>

    <security:authentication-provider user-service-ref="myUserService">

        <security:password-encoder hash="plaintext" />

    </security:authentication-provider>

    <security:authentication-provider ref="myAuthenticationProvider">

    </security:authentication-provider>

</security:authentication-manager>

<security:authentication-manager alias="authenticationManager">

<security:authentication-provider ref="ntlmUthenticationProvider">

<security:password-encoder hash="md5" />

</security:authentication-provider>

<security:authentication-provider user-service-ref="myUserService">

<security:password-encoder hash="plaintext" />

</security:authentication-provider>

<security:authentication-provider ref="myAuthenticationProvider">

</security:authentication-provider>

</security:authentication-manager>

Sample 2:-

<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">

    <property name="providers">

        <list>

            <ref local="ntlmAuthenticationProvider"/>

            <ref local="anonymousAuthenticationProvider"/>

            <ref local="myAuthenticationProvider"/>

        </list>

    </property>

</bean>

<list>

</list>

</property>

</bean>

In the above sample configuration, both the declared authentication providers will be registered with authentication manager.

Page Visitors: 5430

Bio
Latest Posts

Tomcy John

Blogger & Author at javacodebook

He is an Enterprise Java Specialist holding a degree in Engineering (B-Tech) with over 10 years of experience in several industries. He's currently working as Principal Architect at Emirates Group IT since 2005. Prior to this he has worked with Oracle Corporation and Ernst & Young. His main specialization is on various web technologies and acts as chief mentor and Architect to facilitate incorporating Spring as Corporate Standard in the organization.

Latest posts by Tomcy John (see all)

A Guide to Continuous Improvement for Architects - February 2, 2023
Cloud-first Architecture Strategy - January 26, 2023
Architecture Strategy and how to create One - January 24, 2023

2 thoughts on “Spring Security – Multiple authentication providers”

venkat says:

October 29, 2013 at 8:24 pm

Hi,
I am working to retrieve the password. the user is authenticated against org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider. Since I cant retrieve a password from this provider, I wrote a custom provider that implements AuthenticationProvider and referred it in the auth manager config. I get the password from the method – public Authentication authenticate(Authentication authentication) throws AuthenticationException , but I was not able to store it for later use, please advice. Thank you.

ArunM says:

May 28, 2015 at 7:31 am

Thanks. Nice one !!!

Java CodeBook

Java all the way!