Cork Kochi

Reputation: 1891

Difference in AuthenticationManager and AuthenticationProvider Authenticate method in Spring Security

Is there any difference in

Authentication auth = authenticationManager.authenticate(authentication);

and

Authentication auth = authenticationProvider.authenticate(authentication);

Upvotes: 6

Views: 2986

Answers (1)

SeaBiscuit

Reputation: 2601

AuthenticationManager holds a list of AuthenticationProvider instances.

When you execute authenticationManager.authenticate(), what this actually does is iterate over all instances of AuthenticationProvider and try to authenticate the user with each one.

The default Spring implementation of AuthenticationManager is org.springframework.security.authentication.ProviderManager.

The actual authentication is performed inside AuthenticationProvider. Each AuthenticationProvider contains an instance of UserDetailsService, which is responsible for fetching user information (including the hashed password) out of a database, for example, or LDAP. Once an instance of UserDetails is successfully retrieved from the database, AuthenticationProvider will then use an instance of PasswordEncoder to check whether the password the user provided matches the hashed password you retrieved from the database.

More info here: http://docs.spring.io/spring-security/site/docs/2.0.8.RELEASE/apidocs/org/springframework/security/providers/ProviderManager.html

and here https://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/authentication/dao/DaoAuthenticationProvider.html

Upvotes: 16
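
An added example (not code from the question or the answer) that makes the same call both ways: directly on one provider, and through a ProviderManager wrapping it. ProviderManager consults each provider's supports() before delegating and, by default, erases the credentials on the token it returns, which a direct provider call does not do. The class LookupProvider, the user alice and the password are constructed for illustration, and spring-security-core and spring-security-crypto are assumed to be on the classpath.

```java
import java.util.List;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class ManagerVsProviderDemo {

    // Hypothetical provider: looks the user up, then compares the password hash.
    static class LookupProvider implements AuthenticationProvider {
        private final UserDetailsService users;
        private final PasswordEncoder encoder;

        LookupProvider(UserDetailsService users, PasswordEncoder encoder) {
            this.users = users;
            this.encoder = encoder;
        }

        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            UserDetails user = users.loadUserByUsername(auth.getName());
            if (!encoder.matches(String.valueOf(auth.getCredentials()), user.getPassword())) {
                throw new BadCredentialsException("Bad credentials");
            }
            return new UsernamePasswordAuthenticationToken(user, auth.getCredentials(), user.getAuthorities());
        }

        @Override
        public boolean supports(Class<?> type) {
            // ProviderManager skips this provider for token types it does not support.
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample user, held in memory instead of a database or LDAP.
        UserDetails alice = User.withUsername("alice").password(encoder.encode("s3cret-sample")).roles("USER").build();
        AuthenticationProvider provider = new LookupProvider(new InMemoryUserDetailsManager(alice), encoder);
        AuthenticationManager manager = new ProviderManager(List.of(provider));

        Authentication viaProvider = provider.authenticate(new UsernamePasswordAuthenticationToken("alice", "s3cret-sample"));
        Authentication viaManager = manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "s3cret-sample"));
        // Compare what each path leaves on the returned token.
        System.out.println("provider keeps credentials: " + (viaProvider.getCredentials() != null));
        System.out.println("manager keeps credentials:  " + (viaManager.getCredentials() != null));
    }
}
```

Calling a provider directly therefore leaves the plaintext password on the returned Authentication unless the caller clears it.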
