Commit 429caea

committed
Fix bug with multiple AuthenticationManager beans
Closes gh-9256
1 parent 8c93d95 commit 429caea

2 files changed

+86
-2
lines changed

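--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java
@@ -60,7 +60,6 @@ void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
 this.objectPostProcessor = objectPostProcessor;
 }
 
-@Autowired(required = false)
 void setAuthenticationManager(AuthenticationManager authenticationManager) {
 this.authenticationManager = authenticationManager;
 }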

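--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
@@ -41,14 +41,19 @@
 import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.test.SpringTestRule;
 import org.springframework.security.config.users.AuthenticationTestConfiguration;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.SecurityFilterChain;
@@ -253,7 +258,6 @@ public void loadConfigWhenBothAdapterAndFilterChainConfiguredThenException() {
 .isThrownBy(() -> this.spring.register(AdapterAndFilterChainConfig.class).autowire())
 .withRootCauseExactlyInstanceOf(IllegalStateException.class)
 .withMessageContaining("Found WebSecurityConfigurerAdapter as well as SecurityFilterChain.");
-
 }
 
 @Test
@@ -326,6 +330,19 @@ public void loadConfigWhenCustomizerAndAdapterConfigureWebSecurityThenBothConfig
 assertThat(filterChains.get(1).getFilters()).isEmpty();
 }
 
+@Test
+public void loadConfigWhenMultipleAuthenticationManagersAndWebSecurityConfigurerAdapterThenConfigurationApplied() {
+this.spring.register(MultipleAuthenticationManagersConfig.class).autowire();
+FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class);
+List<SecurityFilterChain> filterChains = filterChainProxy.getFilterChains();
+assertThat(filterChains).hasSize(2);
+MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
+request.setServletPath("/role1");
+assertThat(filterChains.get(0).matches(request)).isTrue();
+request.setServletPath("/role2");
+assertThat(filterChains.get(1).matches(request)).isTrue();
+}
+
 @EnableWebSecurity
 @Import(AuthenticationTestConfiguration.class)
 static class SortedWebSecurityConfigurerAdaptersConfig {
@@ -834,4 +851,72 @@ public void configure(WebSecurity web) throws Exception {
 
 }
 
+@EnableWebSecurity
+static class MultipleAuthenticationManagersConfig {
+
+@Bean("authManager1")
+static AuthenticationManager authenticationManager1() {
+return new ProviderManager(new AuthenticationProvider() {
+@Override
+public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+return new UsernamePasswordAuthenticationToken("user", "credentials");
+}
+
+@Override
+public boolean supports(Class<?> authentication) {
+return false;
+}
+});
+}
+
+@Bean("authManager2")
+static AuthenticationManager authenticationManager2() {
+return new ProviderManager(new AuthenticationProvider() {
+@Override
+public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+return new UsernamePasswordAuthenticationToken("subuser", "credentials");
+}
+
+@Override
+public boolean supports(Class<?> authentication) {
+return false;
+}
+});
+}
+
+@Configuration
+@Order(1)
+public static class SecurityConfig1 extends WebSecurityConfigurerAdapter {
+
+@Override
+protected AuthenticationManager authenticationManager() {
+return authenticationManager1();
+}
+
+@Override
+protected void configure(HttpSecurity http) throws Exception {
+// @formatter:off
+http
+.antMatcher("/role1/**")
+.authorizeRequests((authorize) -> authorize
+.anyRequest().hasRole("1")
+);
+// @formatter:on
+}
+
+}
+
+@Configuration
+@Order(2)
+public static class SecurityConfig2 extends WebSecurityConfigurerAdapter {
+
+@Override
+protected AuthenticationManager authenticationManager() {
+return authenticationManager2();
+}
+
+}
+
+}
+
 }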
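Review bot: The new test `loadConfigWhenMultipleAuthenticationManagersAndWebSecurityConfigurerAdapterThenConfigurationApplied` never checks which AuthenticationManager each filter chain ends up with, which is the property that matters once two manager beans coexist; it only shows that the context starts and that two chains are built. Both anonymous providers in `MultipleAuthenticationManagersConfig` return `false` from `supports`, so `ProviderManager` skips them and the distinct "user"/"subuser" principals can never be observed; `return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);` plus an assertion on the principal obtained through each adapter's manager would pin the wiring. `SecurityConfig2` declares no `configure(HttpSecurity)`, so its chain presumably matches any request and the `/role2` assertion passes regardless; adding `assertThat(filterChains.get(0).matches(request)).isFalse();` after `request.setServletPath("/role2")` would at least show that the first chain stays scoped to `/role1/**`.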
