Thread: ProviderManager logic

  1. #1
    Join Date
    Oct 2010
    Location
    Nice, France
    Posts
    2

    ProviderManager logic

    hello,

    I have a question about the default behaviour of org.springframework.security.authentication.ProviderManager.

    From reading the Spring Security 3 book (see e.g. the flow diagram at page 40, introduced by "Let's get into a little more detail and look specifically at the classes involved in the processing of a web-based username and password authentication request:"), it seems to me that supposedly all the configured AuthenticationProviders are tried that support the current authentication method, and as soon as one of them does support it, it should either successfully authenticate or fail the authentication by throwing an AuthenticationException. In either case, then the loop (of trying AuthenticationProviders) is stopped.

    However when looking at the code (3.0.3 RELEASE), it does not seem to me this works like that. If I read the code correctly, in case of a successful authentication it will indeed break out of the loop, but in case of an AuthenticationException (i.e. authentication failed), it will just happily loop on to try the next.

    The relevant code is (slightly simplified)

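    Code:
    // Providers are matched on the concrete type of the submitted token.
    Class<? extends Authentication> toTest = authentication.getClass();
    AuthenticationException lastException = null;
    Authentication result = null;

    for (AuthenticationProvider provider : getProviders()) {
        // Skip providers that cannot handle this kind of token.
        if (!provider.supports(toTest)) {
            continue;
        }

        try {
            result = provider.authenticate(authentication);
            if (result != null) {
                // First successful provider wins; stop trying the others.
                copyDetails(authentication, result);
                break;
            }
        }
        catch (AuthenticationException e) {
            // Failure is only remembered; the loop moves on to the next provider.
            lastException = e;
        }
    }

    Could anyone please enlighten me how this works?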

    Kind regards
    Heikki Doeleman

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    I can only speak on behalf of what actually occurs since I do not own the book. So long as it is not an AccountStatusException that is thrown, the ProviderManager will continue to try the other AuthenticationProviders until one succeeds.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Hello Heikki,

    You are correct in your analysis of the code. Unfortunately, I had to cut down the complexity of that diagram, as it was one of the first ones, and I didn't want to overwhelm people early on.

    It is important to note that the exception reported is the last exception from any supporting provider, so (I have had to answer this question before, IIRC), if you have multiple providers failing with exception, you will typically only see a report of the last one.

    Hope that helps!

    Peter
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.
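
The behaviour described in the two replies above, as an added example that is not part of the original thread or of Spring Security's own code: a rejection by one provider does not prevent a later provider from authenticating the same request, so the set and order of configured providers decide the outcome. It assumes Spring Security 3.1 or later on the classpath (where `ProviderManager` takes the provider list in its constructor); `ProviderOrderDemo`, `StubProvider`, the provider names and the credentials are constructed for illustration.

```java
import java.util.Arrays;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

public class ProviderOrderDemo {
    /** Constructed stub: throws the given exception, or succeeds when it is null. */
    static class StubProvider implements AuthenticationProvider {
        private final String name;
        private final AuthenticationException failure;
        StubProvider(String name, AuthenticationException failure) {
            this.name = name;
            this.failure = failure;
        }
        public Authentication authenticate(Authentication auth) {
            System.out.println("  tried " + name);
            if (failure != null) throw failure;
            return new UsernamePasswordAuthenticationToken(auth.getPrincipal(),
                    auth.getCredentials(), AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    /** Runs one authentication attempt and reports what the caller would see. */
    static String run(AuthenticationProvider... providers) {
        ProviderManager manager = new ProviderManager(Arrays.asList(providers));
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "secret"));
            return "authenticated";
        } catch (AuthenticationException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // 1. A failed provider does not end the loop: "db" is still tried and succeeds.
        System.out.println(run(new StubProvider("ldap", new BadCredentialsException("ldap: bad password")),
                               new StubProvider("db", null)));
        // 2. Every provider fails: only the last provider's exception reaches the caller.
        System.out.println(run(new StubProvider("ldap", new BadCredentialsException("ldap: bad password")),
                               new StubProvider("db", new BadCredentialsException("db: bad password"))));
        // 3. An AccountStatusException (here LockedException) stops the loop; "db" is never tried.
        System.out.println(run(new StubProvider("ldap", new LockedException("ldap: account locked")),
                               new StubProvider("db", null)));
    }
}
```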


  4. #4
    Join Date
    Oct 2010
    Location
    Nice, France
    Posts
    2

    hello,

    thanks, it's completely clear. I would still suggest if there comes a new edition of the book, maybe you could change the flow chart or else describe the behaviour as it actually is in a few additional lines? As it is now, it makes people think it is different from what it really is ..

    many thanks for your fast responses
    Kind regards
    Heikki Doeleman
