Announcement Announcement Module
No announcement yet.
Multiple ProviderManagers ignoring custom AuthenticationProvider Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Multiple ProviderManagers ignoring custom AuthenticationProvider

    I have a custom AuthenticationProvider (basically a POJO-based DAO UserDetailsService) that handles loading users from the Postgres DB. I've tried to configure Spring Security 3 to use this custom AuthenticationProvider and I simply cannot get it to use my custom provider.

    I set a breakpoint on the "getProviders" method of ProviderManager and it is throwing an exception saying I don't have any AuthenticationProviders configured. This is hooey. I've tried configuring the ProviderManager using the namespace handler and using a straight bean configuration, using the special bean id of " r". In the debugger, the ProviderManager it's looking at is NOT the one I configured in my application context. If a ProviderManager has a parent set, why doesn't it bounce the call to getProviders up the chain? I can see that this other ProviderManager (that I didn't configure and appears to be created magically) is being configured with the ProviderManager I DID configure as the parent, but that doesn't make any difference because it's not using it to find the provider to use.

    What am I doing wrong here? This seems like it should be a simple thing. All the messages on this forum that relate to a problem like this simply direct people to the documentation (which I've read 3 times), so I guess I'm the only one using a custom AuthenticationProvider and Spring 3 and having trouble getting it working?

    I've tried configuring using beans like (authProvider is a bean that extends AbstractUserDetailsAuthenticationProvider):

      <bean id=""
        <property name="providers">
            <ref bean="authProvider"/>

        <security:authentication-provider ref="authProvider"/>
    Both configurations result in the exception:

    java.lang.IllegalArgumentException: A list of AuthenticationProviders is required
    Please help!

  • #2
    Could be a bug. Please post a test case to Jira with your full configuration.


    • #3
      I'm guessing you are using an <http> block in your configuration and have disabled anonymous authentication (i.e. you have <anonymous enabled='false' />) ? If so, then it is a bug.


      • #4
        Originally posted by Luke Taylor View Post
        I'm guessing you are using an <http> block in your configuration and have disabled anonymous authentication (i.e. you have <anonymous enabled='false' />) ? If so, then it is a bug.
        Right on the money.

        So how do I work around this issue in the meantime? Is there a way I can "simulate" having anonymous authentication turned off? Do I need to throw an exception or something in my custom decision manager if I see anonymous logged in?

        Thanks for the help.

        UPDATE: I added code to my custom AccessDecisionManager to throw an InsufficientAuthenticationException if ROLE_ANONYMOUS is detected in the GrantedAuthoritys. This is not ideal, but forces a login prompt at least, and is basically what I wanted with <security:anonymous enabled='false'/>.
        Last edited by J. Brisbin; Dec 7th, 2009, 02:12 PM.