spring authentication provider VS authentication processing filter

Question

both spring authentication provider and authentication processing filter also need to register with authenticationManager?

authentication provider i can use custom-authentication-provider tag

but what is different spring authentication provider and authentication processing filter ?

Answer 1

The authentication manager uses all authentication providers to authenticate authenticationtokens it has to authenticate.

The authentication processing filter just adds a token (username password). Other filters add tokens too. For example the AnonymousProcessingFilter.

The idea is to seperate token generation from token authentication. That way you could implement stuff like authentication against multiple sources easily.

The regular case is one provider per token generator.

Answer 2

According to Spring Security Architecture the process is:

1. Filters are used to intercept the http request and do some checks
2. Some filters are doing the check for authorization information in the request headers, body, cookies, etc. You can call them Authentication Processing Filter
3. The actual job for authentication is done by another partie called Authentication Provider, because a filter will call a provider if the implementation needs it.
4. It can happen that between the filter and provider can stay a Provider Manager, that can call all providers one by one and see if some of them can handle it, if so: then do so.

See an example here: a filter is calling a provider manager to find a provider who supports this authentication and if so the do authenticate

1. RememberMeAuthenticationFilter
2. ProviderManager

Here you can find a nice example on how to implement a custom filter: Custom filter @Baeldung

Please consider that filters are calling Provider Managers or Providers only if they are coded like that. There's no rule to enforce that.