Multiple ProviderManagers ignoring custom AuthenticationProvider

[J. Brisbin]

I have a custom AuthenticationProvider (basically a POJO-based DAO UserDetailsService) that handles loading users from the Postgres DB. I've tried to configure Spring Security 3 to use this custom AuthenticationProvider and I simply cannot get it to use my custom provider.

I set a breakpoint on the "getProviders" method of ProviderManager and it is throwing an exception saying I don't have any AuthenticationProviders configured. This is hooey. I've tried configuring the ProviderManager using the namespace handler and using a straight bean configuration, using the special bean id of "org.springframework.security.authenticationManage r". In the debugger, the ProviderManager it's looking at is NOT the one I configured in my application context. If a ProviderManager has a parent set, why doesn't it bounce the call to getProviders up the chain? I can see that this other ProviderManager (that I didn't configure and appears to be created magically) is being configured with the ProviderManager I DID configure as the parent, but that doesn't make any difference because it's not using it to find the provider to use.

What am I doing wrong here? This seems like it should be a simple thing. All the messages on this forum that relate to a problem like this simply direct people to the documentation (which I've read 3 times), so I guess I'm the only one using a custom AuthenticationProvider and Spring 3 and having trouble getting it working?

I've tried configuring using beans like (authProvider is a bean that extends AbstractUserDetailsAuthenticationProvider):

Code:

  <bean id="org.springframework.security.authenticationManager"
        class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
      <list>
        <ref bean="authProvider"/>
      </list>
    </property>
  </bean>

and:

Code:

  <security:authentication-manager>
    <security:authentication-provider ref="authProvider"/>
  </security:authentication-manager>

Both configurations result in the exception:

Code:

java.lang.IllegalArgumentException: A list of AuthenticationProviders is required
	at org.springframework.security.authentication.ProviderManager.getProviders(ProviderManager.java:182)
	at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:113)
	at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
	at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:98)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
	etc...

Please help!

[Luke Taylor]

Could be a bug. Please post a test case to Jira with your full configuration.

[Luke Taylor]

I'm guessing you are using an <http> block in your configuration and have disabled anonymous authentication (i.e. you have <anonymous enabled='false' />) ? If so, then it is a bug.

https://jira.springsource.org/browse/SEC-1317

[J. Brisbin]

I'm guessing you are using an <http> block in your configuration and have disabled anonymous authentication (i.e. you have <anonymous enabled='false' />) ? If so, then it is a bug.

Right on the money.

So how do I work around this issue in the meantime? Is there a way I can "simulate" having anonymous authentication turned off? Do I need to throw an exception or something in my custom decision manager if I see anonymous logged in?

Thanks for the help.

UPDATE: I added code to my custom AccessDecisionManager to throw an InsufficientAuthenticationException if ROLE_ANONYMOUS is detected in the GrantedAuthoritys. This is not ideal, but forces a login prompt at least, and is basically what I wanted with <security:anonymous enabled='false'/>.