search

spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0
8.79k stars 5.9k forks source link

any difference between @Autowired AuthenticationManager and @Override configure(AuthenticationManagerBuilder auth) #4571

Closed lexburner closed 7 years ago

lexburner commented 7 years ago

Hi , I am using springboot + spring security

i want to config the AuthenticationManager , i hava reading the spring security docs and some springboot security config,but find two way to config

  1. using @Autowired
@Configuration
@EnableWebSecurity
public class CustomWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("admin").password("admin").roles("USER");
    }
}

2 using @Override

@Configuration
@EnableWebSecurity
public class CustomWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("admin").password("admin").roles("USER");
    }
}

and the second way maybe also @Override this method,otherwise may cause some mistake(i am not sure)

@Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
}

so my question is : what is the difference bt two cases? another question is i see some issues discuss the
local and global AuthenticationManager , according to me, AuthenticationManager is only one ,
isn't it ? I'm confused.

rwinch commented 7 years ago

configureGlobal makes the AuthenticationManager available to the entire application (i.e. other WebSecurityConfigurerAdapter instances, method security, etc)

The protected configure is like an anonymous inner bean where the scope is limited to that of this WebSecurityConfigurerAdapter.

If you need it exposed as a Bean, you can use authenticationManagerBean.

Alternatively, you can also just expose one of a UserDetailsService, AuthenticationProvider, or AuthenticationManger as a Bean.

rwinch commented 7 years ago

I'm closing this issue. Please reopen if you have further questions

coffman21 commented 6 years ago

@rwinch I'm a little confused by your

configureGlobal makes the AuthenticationManager available to the entire application

statement. If I use configureGlobal method like first method shown by @lexburner and @Autowired it in my service, I get following error on running application: 

Field authenticationManager in [classpath].AuthService required a bean of type 'org.springframework.security.authentication.AuthenticationManager' that could not be found.
Action:
Consider defining a bean of type 'org.springframework.security.authentication.AuthenticationManager' in your configuration.

The second method is fine, but I'm not able to use inMemoryAuthentication() or InMemoryUserDetailsManagerConfigurer that way.
Not sure if this should be a new issue, though.