Class ProviderManager
- java.lang.Object
-
- org.springframework.security.authentication.ProviderManager
-
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.MessageSourceAware
,AuthenticationManager
public class ProviderManager extends java.lang.Object implements AuthenticationManager, org.springframework.context.MessageSourceAware, org.springframework.beans.factory.InitializingBean
Iterates anAuthentication
request through a list ofAuthenticationProvider
s.AuthenticationProviders are usually tried in order until one provides a non-null response. A non-null response indicates the provider had authority to decide on the authentication request and no further providers are tried. If a subsequent provider successfully authenticates the request, the earlier authentication exception is disregarded and the successful authentication will be used. If no subsequent provider provides a non-null response, or a new
AuthenticationException
, the lastAuthenticationException
received will be used. If no provider returns a non-null response, or indicates it can even process anAuthentication
, theProviderManager
will throw aProviderNotFoundException
. A parentAuthenticationManager
can also be set, and this will also be tried if none of the configured providers can perform the authentication. This is intended to support namespace configuration options though and is not a feature that should normally be required.The exception to this process is when a provider throws an
AccountStatusException
, in which case no further providers in the list will be queried. Post-authentication, the credentials will be cleared from the returnedAuthentication
object, if it implements theCredentialsContainer
interface. This behaviour can be controlled by modifying theeraseCredentialsAfterAuthentication
property.Event Publishing
Authentication event publishing is delegated to the configured
AuthenticationEventPublisher
which defaults to a null implementation which doesn't publish events, so if you are configuring the bean yourself you must inject a publisher bean if you want to receive events. The standard implementation isDefaultAuthenticationEventPublisher
which maps common exceptions to events (in the case of authentication failure) and publishes anAuthenticationSuccessEvent
if authentication succeeds. If you are using the namespace then an instance of this bean will be used automatically by the <http> configuration, so you will receive events from the web part of your application automatically.Note that the implementation also publishes authentication failure events when it obtains an authentication result (or an exception) from the "parent"
AuthenticationManager
if one has been set. So in this situation, the parent should not generally be configured to publish events or there will be duplicates.- See Also:
DefaultAuthenticationEventPublisher
-
-
Field Summary
Fields Modifier and Type Field Description protected org.springframework.context.support.MessageSourceAccessor
messages
-
Constructor Summary
Constructors Constructor Description ProviderManager(java.util.List<AuthenticationProvider> providers)
ProviderManager(java.util.List<AuthenticationProvider> providers, AuthenticationManager parent)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description void
afterPropertiesSet()
Authentication
authenticate(Authentication authentication)
Attempts to authenticate the passedAuthentication
object.java.util.List<AuthenticationProvider>
getProviders()
boolean
isEraseCredentialsAfterAuthentication()
void
setAuthenticationEventPublisher(AuthenticationEventPublisher eventPublisher)
void
setEraseCredentialsAfterAuthentication(boolean eraseSecretData)
If set to, a resultingAuthentication
which implements theCredentialsContainer
interface will have itseraseCredentials
method called before it is returned from theauthenticate()
method.void
setMessageSource(org.springframework.context.MessageSource messageSource)
-
-
-
Constructor Detail
-
ProviderManager
public ProviderManager(java.util.List<AuthenticationProvider> providers)
-
ProviderManager
public ProviderManager(java.util.List<AuthenticationProvider> providers, AuthenticationManager parent)
-
-
Method Detail
-
afterPropertiesSet
public void afterPropertiesSet()
- Specified by:
afterPropertiesSet
in interfaceorg.springframework.beans.factory.InitializingBean
-
authenticate
public Authentication authenticate(Authentication authentication) throws AuthenticationException
Attempts to authenticate the passedAuthentication
object.The list of
AuthenticationProvider
s will be successively tried until anAuthenticationProvider
indicates it is capable of authenticating the type ofAuthentication
object passed. Authentication will then be attempted with thatAuthenticationProvider
.If more than one
AuthenticationProvider
supports the passedAuthentication
object, the first one able to successfully authenticate theAuthentication
object determines theresult
, overriding any possibleAuthenticationException
thrown by earlier supportingAuthenticationProvider
s. On successful authentication, no subsequentAuthenticationProvider
s will be tried. If authentication was not successful by any supportingAuthenticationProvider
the last thrownAuthenticationException
will be rethrown.- Specified by:
authenticate
in interfaceAuthenticationManager
- Parameters:
authentication
- the authentication request object.- Returns:
- a fully authenticated object including credentials.
- Throws:
AuthenticationException
- if authentication fails.
-
getProviders
public java.util.List<AuthenticationProvider> getProviders()
-
setMessageSource
public void setMessageSource(org.springframework.context.MessageSource messageSource)
- Specified by:
setMessageSource
in interfaceorg.springframework.context.MessageSourceAware
-
setAuthenticationEventPublisher
public void setAuthenticationEventPublisher(AuthenticationEventPublisher eventPublisher)
-
setEraseCredentialsAfterAuthentication
public void setEraseCredentialsAfterAuthentication(boolean eraseSecretData)
If set to, a resultingAuthentication
which implements theCredentialsContainer
interface will have itseraseCredentials
method called before it is returned from theauthenticate()
method.- Parameters:
eraseSecretData
- set to false to retain the credentials data in memory. Defaults to true.
-
isEraseCredentialsAfterAuthentication
public boolean isEraseCredentialsAfterAuthentication()
-
-