ProviderManager logic

[heikki]

hello,

I have a question about the default behaviour of org.springframework.security.authentication.Provid erManager.

From reading the Spring Security 3 book (see e.g. the flow diagram at page 40, introduced by "Let's get into a little more detail and look specifically at the classes involved in the processing of a web-based username and password authentication request:"), it seems to me that supposedly all the configured AuthenticationProviders are tried that support the current authentication method, and as soon as one of them does support it, it should either succesfully authenticate or fail the authentication by throwing an AuthenticationException. In either case, then the loop (of trying AuthenticationProviders) is stopped.

However when looking at the code (3.0.3 RELEASE), it does not seem to me this works like that. If I read the code correctly, in case of a succesful authentication it will indeed break out of the loop, but in case of an AuthenticationException (i.e. authentication failed), it will just happily loop on to try the next.

The relevant code is (slightly simplified)

Code:

AuthenticationException lastException = null;
Authentication result = null;

for (AuthenticationProvider provider : getProviders()) {
 if (!provider.supports(toTest)) {
  continue;
 }

 try {
  result = provider.authenticate(authentication);
  if (result != null) {
   copyDetails(authentication, result);
   break;
  }
 }
 catch (AuthenticationException e) {
  lastException = e;
 }
}

Could anyone please enlighten me how this works ?

Kind regards
Heikki Doeleman

[Rob Winch]

I can only speak on behalf of what actually occurs since I do not own the book. So long as it is not an AccountStatusException that is thrown, the ProviderManager will continue to try the other AuthenticationProviders until one succeeds.

[pmularien]

Hello Heikki,

You are correct in your analysis of the code. Unfortunately, I had to cut down the complexity of that diagram, as it was one of the first ones, and I didn't want to overwhelm people early on

It is important to note that the exception reported is the last exception from any supporting provider, so (I have had to answer this question before, IIRC), if you have multiple providers failing with exception, you will typically only see a report of the last one.

Hope that helps!

Peter

[heikki]

hello,

thanks, it's completely clear. I would still suggest if there comes a new edition of the book, maybe you could change the flow chart or else describe the behaviour as it actually is in a few additional lines? As it is now, it makes people think it is different from what it really is ..

many thanks for your fast responses
Kind regards
Heikki Doeleman