spring-security java config: How to configure Multiple AuthenticationManager instances

I use:

  • spring boot: 1.1.7
  • spring-security: 4.0.0.M2
  • spring-fmk: 4.1.1.RELEASE

Everything is configured with Java Config (including spring-security)

I'm working on a web server project where an Authentication: Basic base64Gibberish header is used to authenticate users.

The problem is that depending on the URI the AuthenticationManager is different (because I need 2 different UserDetailsService).

  • /URI1/** => authManager1
  • /URI2/** => authManager2

I've tried multiple extensions of WebSecurityConfigurerAdapter with

@Override
@Bean( name = "authManager1" )
public AuthenticationManager authenticationManagerBean() throws Exception
@Override
@Bean( name = "authManager2" )
public AuthenticationManager authenticationManagerBean() throws Exception

to no avail

I always get:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' 
defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Instantiation of bean failed; 
nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: 
Factory method [public javax.servlet.Filter org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain() throws java.lang.Exception] 
threw exception; nested exception is java.lang.IllegalArgumentException: 
Expecting to only find a single bean for type interface org.springframework.security.authentication.AuthenticationManager, 
but found [authManager1, authManager2]

Since I have multiple security filter chains, how can I "tell" spring-security to inject a different AuthenticationManager into different security filter chains?

Thanks in advance P.

asked Oct 10 '14 18:10

paskos



1 Answer

You can have multiple http configuration elements, each with its own AuthenticationManager. It could look like this:

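import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // @Bean methods must not be private; the bean name defaults to the method name
    @Bean
    public AuthenticationManager authenticationManager1() {
        // defines first AuthenticationManager
        return authenticationManager;
    }

    @Bean
    public AuthenticationManager authenticationManager2() {
        // defines second AuthenticationManager
        return authenticationManager;
    }

    @Configuration
    @Order(1)
    public static class Uri1ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

        // the qualifier selects the bean by name, so two beans of the same type can coexist
        @Autowired
        @Qualifier("authenticationManager1")
        private AuthenticationManager authManager1;

        // hand this chain its own AuthenticationManager
        @Override
        protected AuthenticationManager authenticationManager() {
            return authManager1;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/URI1/**")
                ...
        }
    }

    @Configuration
    @Order(2)
    public static class Uri2ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManager2")
        private AuthenticationManager authManager2;

        @Override
        protected AuthenticationManager authenticationManager() {
            return authManager2;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/URI2/**")
                ...
        }
    }
}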
answered Sep 19 '22 12:09

Serge Ballesta
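
A filled-in variant of this setup, as an added example that is not part of the original answer: each adapter overrides configure(AuthenticationManagerBuilder), so Spring Security builds an AuthenticationManager local to that filter chain from its own UserDetailsService and no AuthenticationManager bean is exposed. The class and helper names, user names, passwords and roles are constructed placeholders; the stateless session policy is an assumption added so that a session authenticated on one chain is not accepted by the other.

```java
import java.util.Collections;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration @EnableWebSecurity
public class TwoRealmSecurityConfig {
    static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Constructed sample store standing in for a real UserDetailsService (hypothetical helper).
    static UserDetailsService realm(String user, String password, String role) {
        return new InMemoryUserDetailsManager(Collections.<UserDetails>singletonList(
            new User(user, ENCODER.encode(password), AuthorityUtils.createAuthorityList(role))));
    }

    // Limit the chain to one URI pattern, require HTTP Basic, keep no session (hypothetical helper).
    static void basicOnly(HttpSecurity http, String pattern) throws Exception {
        http.antMatcher(pattern)
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic().and()
            // STATELESS: a login accepted by one chain is not replayed to the other via the session.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Configuration @Order(1)
    public static class Uri1Config extends WebSecurityConfigurerAdapter {
        @Override // builds an AuthenticationManager local to this chain
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(realm("alice", "constructed-pw-1", "ROLE_URI1")).passwordEncoder(ENCODER);
        }
        @Override protected void configure(HttpSecurity http) throws Exception { basicOnly(http, "/URI1/**"); }
    }

    @Configuration @Order(2)
    public static class Uri2Config extends WebSecurityConfigurerAdapter {
        @Override // a second, independent AuthenticationManager for the second chain
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(realm("bob", "constructed-pw-2", "ROLE_URI2")).passwordEncoder(ENCODER);
        }
        @Override protected void configure(HttpSecurity http) throws Exception { basicOnly(http, "/URI2/**"); }
    }
}
```

Requests outside /URI1/** and /URI2/** match neither chain defined here; add a catch-all adapter with a higher @Order value if they need protection.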