java.lang.Object | |
↳ | org.springframework.security.authentication.ProviderManager |
Iterates an Authentication
request through a list of AuthenticationProvider
s.
AuthenticationProviders are usually tried in order until one provides a non-null response.
A non-null response indicates the provider had authority to decide on the authentication request and no further
providers are tried.
If a subsequent provider successfully authenticates the request, the earlier authentication exception is disregarded
and the successful authentication will be used. If no subsequent provider provides a non-null response, or a new
AuthenticationException
, the last AuthenticationException
received will be used.
If no provider returns a non-null response, or indicates it can even process an Authentication
,
the ProviderManager
will throw a ProviderNotFoundException
.
A parent AuthenticationManager
can also be set, and this will also be tried if none of the configured
providers can perform the authentication. This is intended to support namespace configuration options though and
is not a feature that should normally be required.
The exception to this process is when a provider throws an AccountStatusException
, in which case no
further providers in the list will be queried.
Post-authentication, the credentials will be cleared from the returned Authentication
object, if it
implements the CredentialsContainer
interface. This behaviour can be controlled by modifying the
eraseCredentialsAfterAuthentication
property.
Authentication event publishing is delegated to the configured AuthenticationEventPublisher
which defaults
to a null implementation which doesn't publish events, so if you are configuring the bean yourself you must inject
a publisher bean if you want to receive events. The standard implementation is DefaultAuthenticationEventPublisher
which maps common exceptions to events (in the case of authentication failure) and publishes an
AuthenticationSuccessEvent
if
authentication succeeds. If you are using the namespace then an instance of this bean will be used automatically by
the <http> configuration, so you will receive events from the web part of your application automatically.
Note that the implementation also publishes authentication failure events when it obtains an authentication result
(or an exception) from the "parent" AuthenticationManager
if one has been set. So in this situation, the
parent should not generally be configured to publish events or there will be duplicates.
Fields | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
messages |
Public Constructors | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
This constructor is deprecated.
Use constructor which takes provider list
| |||||||||||
Public Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Attempts to authenticate the passed
Authentication object. | |||||||||||
This method is deprecated.
the
extraInformation property is deprecated
| |||||||||||
If set to, a resulting
Authentication which implements the CredentialsContainer interface
will have its eraseCredentials method called before it is returned
from the authenticate() method. | |||||||||||
This method is deprecated.
Use constructor injection
| |||||||||||
This method is deprecated.
Use constructor injection
|
[Expand]
Inherited Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
From class
java.lang.Object
| |||||||||||
From interface
org.springframework.beans.factory.InitializingBean
| |||||||||||
From interface
org.springframework.context.MessageSourceAware
| |||||||||||
From interface
org.springframework.security.authentication.AuthenticationManager
|
This constructor is deprecated.
Use constructor which takes provider list
Attempts to authenticate the passed Authentication
object.
The list of AuthenticationProvider
s will be successively tried until an
AuthenticationProvider
indicates it is capable of authenticating the type of
Authentication
object passed. Authentication will then be attempted with that
AuthenticationProvider
.
If more than one AuthenticationProvider
supports the passed Authentication
object, only the first AuthenticationProvider
tried will determine the result. No subsequent
AuthenticationProvider
s will be tried.
authentication | the authentication request object. |
---|
AuthenticationException | if authentication fails. |
---|
This method is deprecated.
the extraInformation
property is deprecated
If set to true, the extraInformation
set on an AuthenticationException
will be cleared
before rethrowing it. This is useful for use with remoting protocols where the information shouldn't
be serialized to the client. Defaults to 'false'.
If set to, a resulting Authentication
which implements the CredentialsContainer
interface
will have its eraseCredentials
method called before it is returned
from the authenticate()
method.
eraseSecretData | set to false to retain the credentials data in memory. Defaults to true. |
---|
This method is deprecated.
Use constructor injection
This method is deprecated.
Use constructor injection
Sets the AuthenticationProvider
objects to be used for authentication.
providers | the list of authentication providers which will be used to process authentication requests. |
---|
IllegalArgumentException | if the list is empty or null, or any of the elements in the list is not an AuthenticationProvider instance. |
---|