Spring-security: any difference between @Autowired AuthenticationManager and @Override configure(AuthenticationManagerBuilder auth)

Created on 24 Sep 2017  路  3Comments  路  Source: spring-projects/spring-security

Hi , I am using springboot + spring security

i want to config the AuthenticationManager , i hava reading the spring security docs and some springboot security config,but find two way to config

  1. using @Autowired
@Configuration
@EnableWebSecurity
public class CustomWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("admin").password("admin").roles("USER");
    }
}

2 using @Override

@Configuration
@EnableWebSecurity
public class CustomWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("admin").password("admin").roles("USER");
    }
}

and the second way maybe also @Override this method,otherwise may cause some mistake(i am not sure)

@Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
}

so my question is : what is the difference bt two cases? another question is i see some issues discuss the
local and global AuthenticationManager , according to me, AuthenticationManager is only one ,
isn't it ? I'm confused.

picture lexburner
👍61

Most helpful comment

configureGlobal makes the AuthenticationManager available to the entire application (i.e. other WebSecurityConfigurerAdapter instances, method security, etc)

The protected configure is like an anonymous inner bean where the scope is limited to that of this WebSecurityConfigurerAdapter.

If you need it exposed as a Bean, you can use authenticationManagerBean.

Alternatively, you can also just expose one of a UserDetailsService, AuthenticationProvider, or AuthenticationManger as a Bean.

picture rwinch on 24 Sep 2017
👍9

All 3 comments

configureGlobal makes the AuthenticationManager available to the entire application (i.e. other WebSecurityConfigurerAdapter instances, method security, etc)

The protected configure is like an anonymous inner bean where the scope is limited to that of this WebSecurityConfigurerAdapter.

If you need it exposed as a Bean, you can use authenticationManagerBean.

Alternatively, you can also just expose one of a UserDetailsService, AuthenticationProvider, or AuthenticationManger as a Bean.

rwinch picture rwinch on 24 Sep 2017
👍9

I'm closing this issue. Please reopen if you have further questions

rwinch picture rwinch on 24 Sep 2017

@rwinch I'm a little confused by your

configureGlobal makes the AuthenticationManager available to the entire application

statement. If I use configureGlobal method like first method shown by @lexburner and @Autowired it in my service, I get following error on running application: 

Field authenticationManager in [classpath].AuthService required a bean of type 'org.springframework.security.authentication.AuthenticationManager' that could not be found.
Action:
Consider defining a bean of type 'org.springframework.security.authentication.AuthenticationManager' in your configuration.

The second method is fine, but I'm not able to use inMemoryAuthentication() or InMemoryUserDetailsManagerConfigurer that way.
Not sure if this should be a new issue, though.

coffman21 picture coffman21 on 9 Aug 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

qq494679975 picture qq494679975  路  3Comments
berniegp picture berniegp  路  3Comments
mageddo picture mageddo  路  4Comments
mraible picture mraible  路  3Comments
donhuvy picture donhuvy  路  3Comments