Description
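I believe I have found success with devising multiple security chains in Spring Security using:

```java
// Note: Ordered.LOWEST_PRECEDENCE is Integer.MAX_VALUE, so "+ 10" overflows
// to a large negative value, which sorts near the highest precedence.
@Order(Ordered.LOWEST_PRECEDENCE+10)
@Configuration
@EnableWebSecurity
public class FirstSecurityConfig extends WebSecurityConfigurerAdapter {
    // ...
}
```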
Nevertheless, on my earlier attempts I was configuring the authentication provider as below, but failing with exceptions where there was apparently no AuthenticationProvider matching my Token type.
I was calling:

```java
@Override
protected void configure(AuthenticationManagerBuilder auth) {
    auth.authenticationProvider(myfirstauthprovider);
}
```
It seems that in each of the separate WebSecurityConfigurerAdapter configuration instances it is a different AuthenticationManagerBuilder instance that is passed in.
Debugging showed very strange results that I couldn't pinpoint. Needless to say, there was only one provider available in the authentication manager, and not the one of interest to the Authentication object being processed.
Having stumbled around a bit, I found the note about global authentication manager instances within the documentation for @EnableWebSecurity and @EnableGlobalAuthentication.
And thus found success using:

```java
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) { ... }
```

and NOT overriding `protected void configure(AuthenticationManagerBuilder auth)`.
I've since looked more closely at the docs and have seen that the most popular way of configuring the AMB is via the autowired setter.
My main query is:
What's the point in this overridable method in WebSecurityConfigurerAdapter?
The API docs mention "Configuring AuthenticationManagerBuilder in a class without the EnableGlobalAuthentication annotation has unpredictable results."
Surely it should always be the global instance? Why couldn't the override just provide the global instance of the AMB?
It does seem to work fine when there's only one chain in play; it just breaks when there's more than one.
Thanks
Rob
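
The arrangement described in the post, written out as an added example (not the poster's or the project's own code): two ordered chains that both rely on the global AuthenticationManager populated through an autowired `configureGlobal`. The bean names `firstAuthProvider` and `secondAuthProvider`, the class `MultiChainSecurityConfig`, the `@Order` values and the URL patterns are assumptions, and the filters that create each chain's token are assumed to be registered elsewhere.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity // meta-annotated with @EnableGlobalAuthentication
public class MultiChainSecurityConfig {

    // Assumed beans: one provider per token type. Each provider's supports()
    // should return true only for its own Authentication class.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth,
            @Qualifier("firstAuthProvider") AuthenticationProvider first,
            @Qualifier("secondAuthProvider") AuthenticationProvider second) {
        // Both providers are registered on the single global builder, so
        // either chain can find a provider that supports its token type.
        auth.authenticationProvider(first);
        auth.authenticationProvider(second);
    }

    @Configuration
    @Order(1) // evaluated first; hypothetical value
    public static class FirstSecurityConfig extends WebSecurityConfigurerAdapter {
        // configure(AuthenticationManagerBuilder) is deliberately NOT overridden,
        // so this adapter uses the global AuthenticationManager.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/first/**") // hypothetical path for this chain
                .authorizeRequests().anyRequest().authenticated();
        }
    }

    @Configuration
    @Order(2) // evaluated second; hypothetical value
    public static class SecondSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/second/**") // hypothetical path for this chain
                .authorizeRequests().anyRequest().authenticated();
        }
    }
}
```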