public class ProviderManager extends Object implements AuthenticationManager, MessageSourceAware, InitializingBean
Authentication request through a list of AuthenticationProviders.
AuthenticationProviders are usually tried in order until one provides a non-null response.
A non-null response indicates the provider had authority to decide on the authentication request and no further
providers are tried.
If a subsequent provider successfully authenticates the request, the earlier authentication exception is disregarded
and the successful authentication will be used. If no subsequent provider provides a non-null response, or a new
AuthenticationException, the last AuthenticationException received will be used.
If no provider returns a non-null response, or indicates it can even process an Authentication,
the ProviderManager will throw a ProviderNotFoundException.
A parent AuthenticationManager can also be set, and this will also be tried if none of the configured
providers can perform the authentication. This is intended to support namespace configuration options though and
is not a feature that should normally be required.
The exception to this process is when a provider throws an AccountStatusException, in which case no
further providers in the list will be queried.
Post-authentication, the credentials will be cleared from the returned Authentication object, if it
implements the CredentialsContainer interface. This behaviour can be controlled by modifying the
eraseCredentialsAfterAuthentication property.
Authentication event publishing is delegated to the configured AuthenticationEventPublisher which defaults
to a null implementation which doesn't publish events, so if you are configuring the bean yourself you must inject
a publisher bean if you want to receive events. The standard implementation is DefaultAuthenticationEventPublisher
which maps common exceptions to events (in the case of authentication failure) and publishes an
AuthenticationSuccessEvent if
authentication succeeds. If you are using the namespace then an instance of this bean will be used automatically by
the <http> configuration, so you will receive events from the web part of your application automatically.
Note that the implementation also publishes authentication failure events when it obtains an authentication result
(or an exception) from the "parent" AuthenticationManager if one has been set. So in this situation, the
parent should not generally be configured to publish events or there will be duplicates.
DefaultAuthenticationEventPublisher| Modifier and Type | Field and Description |
|---|---|
protected MessageSourceAccessor |
messages |
| Constructor and Description |
|---|
ProviderManager(List<AuthenticationProvider> providers) |
ProviderManager(List<AuthenticationProvider> providers,
AuthenticationManager parent) |
| Modifier and Type | Method and Description |
|---|---|
void |
afterPropertiesSet() |
Authentication |
authenticate(Authentication authentication)
Attempts to authenticate the passed
Authentication object. |
List<AuthenticationProvider> |
getProviders() |
boolean |
isEraseCredentialsAfterAuthentication() |
void |
setAuthenticationEventPublisher(AuthenticationEventPublisher eventPublisher) |
void |
setEraseCredentialsAfterAuthentication(boolean eraseSecretData)
If set to, a resulting
Authentication which implements the CredentialsContainer interface
will have its eraseCredentials method called before it is returned
from the authenticate() method. |
void |
setMessageSource(MessageSource messageSource) |
protected MessageSourceAccessor messages
public ProviderManager(List<AuthenticationProvider> providers)
public ProviderManager(List<AuthenticationProvider> providers, AuthenticationManager parent)
public void afterPropertiesSet()
throws Exception
afterPropertiesSet in interface InitializingBeanExceptionpublic Authentication authenticate(Authentication authentication) throws AuthenticationException
Authentication object.
The list of AuthenticationProviders will be successively tried until an
AuthenticationProvider indicates it is capable of authenticating the type of
Authentication object passed. Authentication will then be attempted with that
AuthenticationProvider.
If more than one AuthenticationProvider supports the passed Authentication
object, only the first AuthenticationProvider tried will determine the result. No subsequent
AuthenticationProviders will be tried.
authenticate in interface AuthenticationManagerauthentication - the authentication request object.AuthenticationException - if authentication fails.public List<AuthenticationProvider> getProviders()
public void setMessageSource(MessageSource messageSource)
setMessageSource in interface MessageSourceAwarepublic void setAuthenticationEventPublisher(AuthenticationEventPublisher eventPublisher)
public void setEraseCredentialsAfterAuthentication(boolean eraseSecretData)
Authentication which implements the CredentialsContainer interface
will have its eraseCredentials method called before it is returned
from the authenticate() method.eraseSecretData - set to false to retain the credentials data in memory.
Defaults to true.public boolean isEraseCredentialsAfterAuthentication()