I have the following bean defined:
<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider user-service-ref="userDetailsService" />
</sec:authentication-manager>
I guess here Spring uses some default implementation of AuthenticationManager.
In my Java code I have:
import javax.annotation.Resource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager; // specific for Spring Security

public boolean login(String username, String password) {
    try {
        // Wrap the raw credentials in a token and hand it to the manager
        Authentication authenticate = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
        if (authenticate.isAuthenticated()) {
            // Store the authenticated principal for the current thread/request
            SecurityContextHolder.getContext().setAuthentication(authenticate);
            return true;
        }
    } catch (AuthenticationException e) {
        // Swallowed: bad password, unknown user, locked account etc. all just yield false
    }
    return false;
}
Here AuthenticationManager.authenticate(...) is called. But I would like to know which implementation of AuthenticationManager Spring uses by default, and what its authenticate(...) does in order to authenticate (i.e., make sure that username matches password).
Could you explain this?
The AuthenticationManager is really just a container for authentication providers, giving a consistent interface to them all. In most cases, the default AuthenticationManager is more than sufficient.

When you call authenticate(...), it is passing the UsernamePasswordAuthenticationToken to the default AuthenticationProvider, which will use the userDetailsService to get the user based on username and compare that user's password with the one in the authentication token.

In general, the AuthenticationManager passes some sort of AuthenticationToken to each of its AuthenticationProviders and they each inspect it and, if they can use it to authenticate, they return with an indication of "Authenticated", "Unauthenticated", or "Could not authenticate" (which indicates the provider did not know how to handle the token, so it passed on processing it).

This is the mechanism that allows you to plug in other authentication schemes, like authenticating against an LDAP or Active Directory server, or OpenID, and is one of the main extension points within the Spring Security framework.
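The provider chain the answer describes, wired up explicitly with Spring Security 5's public API as an added example (not code from the question, the answer, or Spring itself): ProviderManager is the default AuthenticationManager, DaoAuthenticationProvider is the provider the XML creates, and OtherSchemeProvider is a hypothetical provider that declines the token. The in-memory user alice/secret, the class names, and the use of Spring Security 5.x are assumptions of this example.

```java
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class ProviderChainDemo {
    // Hypothetical provider for a different token type. ProviderManager calls
    // supports() first and skips a provider that returns false: the
    // "could not authenticate, passed on processing it" case in the answer.
    static class OtherSchemeProvider implements AuthenticationProvider {
        public Authentication authenticate(Authentication auth) {
            throw new IllegalStateException("never reached for username/password tokens");
        }
        public boolean supports(Class<?> tokenType) { return false; }
    }

    static ProviderManager buildManager() {
        // Constructed in-memory user standing in for the question's userDetailsService bean.
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
                User.withUsername("alice").password(encoder.encode("secret")).roles("USER").build());
        // DaoAuthenticationProvider is what the XML <authentication-provider> creates:
        // it loads the user by name and compares the stored hash with the token's password.
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(users);
        dao.setPasswordEncoder(encoder);
        // ProviderManager is the default AuthenticationManager: it asks each provider
        // in order until one authenticates the token or throws.
        return new ProviderManager(List.of(new OtherSchemeProvider(), dao));
    }
    // Same shape as the question's login(). A bad password surfaces as a
    // BadCredentialsException; an unknown username is reported identically by
    // default, so the caller learns only that authentication failed.
    static boolean login(ProviderManager manager, String username, String password) {
        try {
            Authentication result = manager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            return result.isAuthenticated();
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```

With the manager from buildManager(), login(manager, "alice", "secret") returns true and login(manager, "alice", "wrong") returns false, the second because DaoAuthenticationProvider throws BadCredentialsException after the hash comparison fails.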