Spring Security Framework

Class ProviderManager

  extended by org.springframework.security.AbstractAuthenticationManager
      extended by org.springframework.security.providers.ProviderManager
All Implemented Interfaces:
InitializingBean, ApplicationEventPublisherAware, MessageSourceAware, AuthenticationManager
Direct Known Subclasses:

public class ProviderManager
extends AbstractAuthenticationManager
implements InitializingBean, MessageSourceAware, ApplicationEventPublisherAware

Iterates an Authentication request through a list of AuthenticationProviders. Can optionally be configured with a ConcurrentSessionController to limit the number of sessions a user can have.

AuthenticationProviders are usually tried in order until one provides a non-null response. A non-null response indicates the provider had authority to decide on the authentication request and no further providers are tried. If a subsequent provider successfully authenticates the request, the earlier authentication exception is disregarded and the successful authentication will be used. If no subsequent provider provides a non-null response, or a new AuthenticationException, the last AuthenticationException received will be used. If no provider returns a non-null response, or indicates it can even process an Authentication, the ProviderManager will throw a ProviderNotFoundException.

The exception to this process is when a provider throws an AccountStatusException or if the configured concurrent session controller throws a ConcurrentLoginException. In both these cases, no further providers in the list will be queried.
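The ordering rules described above, modelled in plain Java as an added example (this is not Spring Security source code; the Provider interface, the exception classes and the token values are stand-ins constructed here). It shows why provider order matters: a later provider's success overrides an earlier rejection, while an account status failure ends the chain.

```java
import java.util.*;
import java.util.function.Supplier;

// Stand-in types constructed for this example; they are not the Spring Security classes.
public class ProviderOrderDemo {
    static class AuthFailure extends RuntimeException { AuthFailure(String m) { super(m); } }
    static class AccountStatusFailure extends AuthFailure { AccountStatusFailure(String m) { super(m); } }
    static class NoProviderFound extends AuthFailure { NoProviderFound(String m) { super(m); } }

    interface Provider {
        boolean supports(Class<?> tokenType);
        String authenticate(Object token); // null means "cannot decide"
    }

    // Applies the ordering rules from the class description.
    static String authenticate(List<Provider> providers, Object token) {
        AuthFailure last = null;
        for (Provider p : providers) {
            if (!p.supports(token.getClass())) continue;   // provider cannot process this token type
            try {
                String principal = p.authenticate(token);
                if (principal != null) return principal;   // first non-null response ends the search
            } catch (AccountStatusFailure e) {
                throw e;                                   // account status problem: no fall-through
            } catch (AuthFailure e) {
                last = e;                                  // kept; a later provider may still succeed
            }
        }
        if (last != null) throw last;                      // last failure received is reported
        throw new NoProviderFound("no provider supports " + token.getClass().getName());
    }

    static Provider provider(Class<?> type, Supplier<String> outcome) {
        return new Provider() {
            public boolean supports(Class<?> t) { return type.isAssignableFrom(t); }
            public String authenticate(Object token) { return outcome.get(); }
        };
    }

    public static void main(String[] args) {
        Provider rejects = provider(String.class, () -> { throw new AuthFailure("bad credentials"); });
        Provider locked = provider(String.class, () -> { throw new AccountStatusFailure("account locked"); });
        Provider accepts = provider(String.class, () -> "alice");
        // The first provider's rejection is overridden by the second provider's success.
        System.out.println(authenticate(Arrays.asList(rejects, accepts), "constructed-token"));
        try {   // An account status failure stops the chain before the accepting provider runs.
            authenticate(Arrays.asList(locked, accepts), "constructed-token");
        } catch (AccountStatusFailure e) { System.out.println("stopped: " + e.getMessage()); }
        try {   // No provider in the list supports an Integer token.
            authenticate(Arrays.asList(rejects, accepts), Integer.valueOf(1));
        } catch (NoProviderFound e) { System.out.println(e.getMessage()); }
    }
}
```

Because any provider in the list can accept a request that an earlier one rejected, the chain is only as strict as its most permissive provider for a given token type.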

If a valid Authentication is returned by an AuthenticationProvider, the ProviderManager will publish an AuthenticationSuccessEvent. If an AuthenticationException is detected, the final AuthenticationException thrown will be used to publish an appropriate failure event. By default ProviderManager maps common exceptions to events, but this can be fine-tuned by providing a new exceptionMappings java.util.Properties object. In the properties object, each key represents the fully qualified class name of the exception, and each value represents the name of an event class which subclasses AbstractAuthenticationFailureEvent and provides its constructor.

Author:
Ben Alex
See Also:

Field Summary
protected  MessageSourceAccessor messages
Constructor Summary
Method Summary
 void afterPropertiesSet()
 Authentication doAuthentication(Authentication authentication)
          Attempts to authenticate the passed Authentication object.
 List getProviders()
 ConcurrentSessionController getSessionController()
          The configured ConcurrentSessionController is returned or the NullConcurrentSessionController if a specific one has not been set.
 void setAdditionalExceptionMappings(Properties additionalExceptionMappings)
          Sets additional exception to event mappings.
 void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
 void setMessageSource(MessageSource messageSource)
 void setProviders(List providers)
          Sets the AuthenticationProvider objects to be used for authentication.
 void setSessionController(ConcurrentSessionController sessionController)
          Set the ConcurrentSessionController to be used for limiting users' sessions.
Methods inherited from class org.springframework.security.AbstractAuthenticationManager
authenticate, setClearExtraInformation
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail


protected MessageSourceAccessor messages
Constructor Detail


public ProviderManager()
Method Detail


public void afterPropertiesSet()
                        throws Exception
Specified by:
afterPropertiesSet in interface InitializingBean


public Authentication doAuthentication(Authentication authentication)
                                throws AuthenticationException
Attempts to authenticate the passed Authentication object.

The list of AuthenticationProviders will be successively tried until an AuthenticationProvider indicates it is capable of authenticating the type of Authentication object passed. Authentication will then be attempted with that AuthenticationProvider.

If more than one AuthenticationProvider supports the passed Authentication object, only the first AuthenticationProvider tried will determine the result. No subsequent AuthenticationProviders will be tried.

Specified by:
doAuthentication in class AbstractAuthenticationManager
Parameters:
authentication - the authentication request object.
Returns:
a fully authenticated object including credentials.
Throws:
AuthenticationException - if authentication fails.


public List getProviders()


public ConcurrentSessionController getSessionController()
The configured ConcurrentSessionController is returned or the NullConcurrentSessionController if a specific one has not been set.

Returns:
ConcurrentSessionController instance


public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
Specified by:
setApplicationEventPublisher in interface ApplicationEventPublisherAware


public void setMessageSource(MessageSource messageSource)
Specified by:
setMessageSource in interface MessageSourceAware


public void setProviders(List providers)
Sets the AuthenticationProvider objects to be used for authentication.

Parameters:
providers - the list of authentication providers which will be used to process authentication requests.
Throws:
IllegalArgumentException - if the list is empty or null, or any of the elements in the list is not an AuthenticationProvider instance.


public void setSessionController(ConcurrentSessionController sessionController)
Set the ConcurrentSessionController to be used for limiting users' sessions. The NullConcurrentSessionController is used by default.

Parameters:
sessionController - ConcurrentSessionController


public void setAdditionalExceptionMappings(Properties additionalExceptionMappings)
Sets additional exception to event mappings. These are automatically merged with the default exception to event mappings that ProviderManager defines.

Parameters:
additionalExceptionMappings - where keys are the fully-qualified string name of the exception class and the values are the fully-qualified string name of the event class to fire.

Copyright © 2004-2010 SpringSource, Inc. All Rights Reserved.