- Hands-On Spring Security 5 for Reactive Applications
- Tomcy John
- 158字
- 2021-07-23 18:59:20
Multiple AuthenticationProvider
Spring Security allows you to declare multiple AuthenticationProvider in your application. They are executed according to the order in which they are declared in the configuration.
The jetty-in-memory-basic-custom-authentication project is modified further, and we have used the newly created CustomAuthenticationProvider as an AuthenticationProvider (Order 1) and the existing inMemoryAuthentication as our second AuthenticationProvider (Order 2):
@EnableWebSecurity
@ComponentScan(basePackageClasses = CustomAuthenticationProvider.class)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
CustomAuthenticationProvider customAuthenticationProvider;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/**")
.authenticated(); // Use Basic authentication
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// Custom authentication provider - Order 1
auth.authenticationProvider(customAuthenticationProvider);
// Built-in authentication provider - Order 2
auth.inMemoryAuthentication()
.withUser("admin")
.password("{noop}admin@password")
//{noop} makes sure that the password encoder doesn't do anything
.roles("ADMIN") // Role of the user
.and()
.withUser("user")
.password("{noop}user@password")
.credentialsExpired(true)
.accountExpired(true)
.accountLocked(true)
.roles("USER");
}
}
Whenever the authenticate method executes without error, the controls return and thereafter configured AuthenticationProvider's doesn't get executed.