If you want to not continue running the next authentication configuration as soon as one authentication is passed, you can use `AuthenticationManager` and `ProviderManager` in Spring Security to achieve this.
`ProviderManager` is one of the core components of Spring Security and is responsible for managing a series of authentication providers. By default, it attempts to authenticate using each provider in turn until one succeeds or all fail.
However, you can customize an `AuthenticationManager` and configure it to only use the first authentication provider that succeeds. This way, if the first provider authenticates successfully, subsequent providers will not be tried.
Here's a simple example:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthenticationProvider usernamePasswordAuthProvider;
@Autowired
private TokenAuthenticationProvider tokenAuthProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(usernamePasswordAuthProvider)
.authenticationProvider(tokenAuthProvider);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return new ProviderManager(Arrays.asList(usernamePasswordAuthProvider, tokenAuthProvider));
}
}In the above example, the `ProviderManager` will be configured to authenticate in the order of the provider list, and only after the first provider successfully authenticates, subsequent providers will not be tried. This way, if the first provider authenticates successfully, it will not proceed to the next provider.
`ProviderManager` is the core authentication manager in Spring Security, responsible for managing a series of authentication providers. Its principle is based on the Chain of Responsibility Pattern, in which each provider is tried in turn during the verification process until one provider succeeds in verification or all verifications fail.
Specifically, `ProviderManager` works as follows:
1. **Authentication process triggered:** When a request requires authentication, Spring Security's filter chain triggers the authentication process. `ProviderManager` is called to do the actual authentication.
2. **Authentication provider list:** `ProviderManager` receives one or more authentication providers that implement the `AuthenticationProvider` interface. Each provider is responsible for different authentication methods, such as username and password verification, token verification, etc.
3. **Try verification one by one:** `ProviderManager` will try to call the `authenticate` method of the provider one by one in the order of the provider list for verification. If a provider successfully authenticates its identity, it returns an `Authentication` object indicating that the authentication was successful.
4. **Authentication Abort:** If any provider authenticates successfully, `ProviderManager` will immediately stop subsequent provider authentication attempts and return a successful `Authentication` object to the caller. This is why as long as one provider is verified, subsequent providers will not be tried again.
5. **All authentication failed:** If all providers are unable to authenticate, the `ProviderManager` will throw an appropriate exception to indicate the authentication failure.
In this way, when `ProviderManager` implements multiple authentication methods, it can ensure that as long as one authentication passes, subsequent authentication attempts will be stopped, thereby achieving the effect of not continuing to run the next one as long as one authentication passes. This is useful for scenarios that support multiple authentication methods and can implement different authentication logic based on different authentication providers.