Add a method named authenticationProviders() in HttpSecurityBuilder #14586

ghusta · 2024-02-12T11:44:31Z

Could you consider adding a method authenticationProviders() in interface HttpSecurityBuilder ?

It could take varargs or List as parameter.

Expected Behavior

It would make it more obvious that HttpSecurity can accept multiple Authentication Providers.

Current Behavior

httpSecurity.authenticationProvider() must be called multiple times. The order is of course important.

Currently, ProviderManager already supports this behaviour, with constructors like :

public ProviderManager(AuthenticationProvider... providers)
public ProviderManager(List<AuthenticationProvider> providers)

Related with #11428 ?

The text was updated successfully, but these errors were encountered:

jzheaux · 2024-02-12T16:02:53Z

Hi, @ghusta. I see your point about how taking a varargs would make the ordering clearer. I suppose the concern would be now it might seem like authenticationProvider and authenticationProviders would conflict. It wouldn't get rid of the ordering issue since I suppose you could reasonably call authenticationProviders and authenticationProvider in the same stack unless authenticationProvider is also deprecated.

Just curious, have you considered using .authenticationManager instead? As you pointed out, ProviderManager already communicates the possibility of multiple providers. Using this method also aligns with #11428 since that ticket indicates that .authenticationProvider may eventually go away.

ghusta · 2024-02-12T17:04:20Z

I don't really think that authenticationProvider and authenticationProviders would conflict.

As authentication providers are stored in a List in AuthenticationManagerBuilder, I imagine it would not be different to using List.add() and List.addAll(), in whatever order.

I'm just wondering if it's worth working on it, depending of the plans to deprecate AuthenticationProvider.

And yes, maybe it's more logical or natural to configure HttpSecurity following this pattern :

httpSecurity > authenticationManager( new ProviderManager( List of AuthenticationProvider ) )

jzheaux · 2024-02-12T21:20:35Z

@ghusta, good points. I think let's hold off, given that folks can already use authenticationManager.

ghusta added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Feb 12, 2024

jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 12, 2024

spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 12, 2024

jzheaux closed this as completed Feb 12, 2024

jzheaux added status: declined A suggestion or change that we don't feel we should currently apply and removed status: feedback-provided Feedback has been provided labels Feb 12, 2024

jzheaux self-assigned this Feb 12, 2024

jzheaux added the in: config An issue in spring-security-config label Feb 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add a method named authenticationProviders() in HttpSecurityBuilder #14586

Add a method named authenticationProviders() in HttpSecurityBuilder #14586

ghusta commented Feb 12, 2024

jzheaux commented Feb 12, 2024

ghusta commented Feb 12, 2024

jzheaux commented Feb 12, 2024

Add a method named authenticationProviders() in HttpSecurityBuilder #14586

Add a method named authenticationProviders() in HttpSecurityBuilder #14586

Comments

ghusta commented Feb 12, 2024

jzheaux commented Feb 12, 2024

ghusta commented Feb 12, 2024

jzheaux commented Feb 12, 2024