Hello, thanks for your answer!
Quote Originally Posted by rwinch View Post
Theoretically you can replace Spring Security with another framework....so yes they can be replaced. Even if you stuck with Spring Security it could be replaced, but under most circumstances you will not need to and that is why http configuration does not allow you to replace them (bean configuration lets you do whatever you want though).
that sounds understandable - thanks!
I can see how you might have mistook what you read to mean that the UsernamePasswordAuthenticationFilter is required, but if you re-read it you might be able to interpret it differently.
you're right


How Authentication is determined is highlighted in the Authentication section of the reference. In short, the SecurityContextHolder is consulted. However you want to populate that is up to you.
so, generally, I do not have to use the AuthenticationManager, as long as I can put somehow a verified Authentication Object in my SecurityContext?

but in general most of the authentication possibilities which Spring Security offers use the AuthenticationManager, just like pmularien said

if these two sentences are correct, I guess, I finally understand it