Can someone tell me the difference between an AuthenticationManager and an AuthenticationProvider in Spring Security?
How are they used and how
I think the AuthenticationManager delegates the fetching of persistent user information to one or more AuthenticationProviders. The authentication-providers (DaoAuthenticationProvider, JaasAuthenticationProvider, LdapAuthenticationProvider, OpenIDAuthenticationProvider for example) specialize in accessing specific user-info repositories.
Something else is mentioned in this part of the reference manual. It says:
You may want to register additional AuthenticationProvider beans with the ProviderManager and you can do this using the element with the ref attribute, where the value of the attribute is the name of the provider bean you want to add.
In other words, you can specify multiple AuthenticationProviders, for example one that looks for users in an LDAP database and another that looks in an SQL database.
From the Spring reference:
The AuthenticationManager is just an interface, so the implementation can be anything we choose. The default implementation in Spring Security is called ProviderManager and rather than handling the authentication request itself, it delegates to a list of configured AuthenticationProviders, each of which is queried in turn to see if it can perform the authentication. Each provider will either throw an exception or return a fully populated Authentication object.
Also if you check the source code for AuthenticationManager, ProviderManager and AuthenticationProvider you can see this clearly.
ProviderManager implements the AuthenticationManager interface and it has a list of AuthenticationProviders. So if you want to have a custom authentication mechanism, you'll need to implement a new AuthenticationProvider.
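The delegation described in the answers above, as an added example that is not part of any answer or of Spring Security's own code: one ProviderManager queries two custom AuthenticationProviders in turn. The MapProvider class, the store names "LDAP" and "SQL", and the sample accounts are hypothetical stand-ins for real user repositories; it assumes spring-security-core on the classpath and Java 9 or later.

```java
import java.util.List;
import java.util.Map;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class ProviderChainDemo {
    static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Hypothetical provider backed by an in-memory map of username -> bcrypt hash.
    static class MapProvider implements AuthenticationProvider {
        private final String store;
        private final Map<String, String> hashes;
        MapProvider(String store, Map<String, String> hashes) { this.store = store; this.hashes = hashes; }

        @Override
        public Authentication authenticate(Authentication auth) {
            String hash = hashes.get(auth.getName());
            if (hash == null) return null; // unknown here: the manager asks the next provider
            if (!ENCODER.matches(String.valueOf(auth.getCredentials()), hash))
                throw new BadCredentialsException("Bad credentials");
            // The three-argument constructor marks the token as authenticated.
            return new UsernamePasswordAuthenticationToken(auth.getName(), null,
                    AuthorityUtils.createAuthorityList("ROLE_USER", "SOURCE_" + store));
        }

        @Override
        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    public static void main(String[] args) {
        // Constructed sample accounts: "alice" exists only in the first store, "bob" only in the second.
        AuthenticationManager manager = new ProviderManager(List.of(
                new MapProvider("LDAP", Map.of("alice", ENCODER.encode("alice-pw"))),
                new MapProvider("SQL", Map.of("bob", ENCODER.encode("bob-pw")))));

        Authentication bob = manager.authenticate(new UsernamePasswordAuthenticationToken("bob", "bob-pw"));
        System.out.println(bob.getName() + " -> " + bob.getAuthorities());
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("alice rejected: " + e.getMessage());
        }
    }
}
```

ProviderManager does not stop at the first BadCredentialsException: it still asks the remaining providers and rethrows the last failure only if none succeeds, so an account that exists in more than one store is accepted with any one of its passwords.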
Both AuthenticationManager and AuthenticationProvider are interfaces. They have different functionalities in the Spring Security Flow.
Ref: Spring Boot + Spring Security Architecture