Spring Security Fundamentals - Lesson 4 - Multiple authentication providers

In this stream, we discuss Spring Security using the latest available version in 2022. We'll discuss configurations for authentication and authorization, tips and tricks, how to learn Spring Security, vulnerabilities, OAuth 2, and many more.

Comments

Your drawings are the best, lesson 4 so far, expecting to learn a lot by the end of the series, thanks for your great effort to bring this content to all of us who are getting started in web development

emersontavera

As you said, it is really helpful for us to understand what is going on in the code when you draw a schema. Thanks.

xxmehmetali

Thanks a lot for the video. It helped me to move to a new way of configuring spring security. I was stuck on how to provide an authentication manager in a new way.

ashishsengar

Hey, I was just reading the source code of and found a way to access the default AuthenticationManager without extending the WebSecurityConfigurerAdapter.
You can inject the AuthenticationConfiguration bean and then call the .getAuthenticationManager() method. Didn't test it in a custom filter yet, but in a controller, it works. It retrieves me the default instance of the ProviderManager.

michaelj
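
Added example, not part of the comment above or of the video's code: one way the approach michaelj describes could look in a controller. The controller name, the `/login-check` path and the `Credentials` record are hypothetical, and it assumes a `UserDetailsService` and a `PasswordEncoder` bean exist so the default `ProviderManager` has something to authenticate against.

```java
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller, constructed for this example.
@RestController
public class LoginCheckController {

    // Hypothetical request body (records need Java 16 or later).
    public record Credentials(String username, String password) {}

    private final AuthenticationManager authenticationManager;

    // getAuthenticationManager() is declared to throw Exception, so the
    // manager is resolved once here instead of on every request.
    public LoginCheckController(AuthenticationConfiguration configuration) throws Exception {
        this.authenticationManager = configuration.getAuthenticationManager();
    }

    @PostMapping("/login-check")
    public ResponseEntity<String> check(@RequestBody Credentials credentials) {
        // Unauthenticated token: it only carries the submitted credentials.
        Authentication request = UsernamePasswordAuthenticationToken
                .unauthenticated(credentials.username(), credentials.password());
        try {
            // Delegates to the default manager and its registered providers.
            Authentication result = authenticationManager.authenticate(request);
            return ResponseEntity.ok(result.getName());
        } catch (AuthenticationException e) {
            // Same response for unknown user and wrong password, so the
            // endpoint does not reveal which usernames exist.
            return ResponseEntity.status(401).body("authentication failed");
        }
    }
}
```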

Thank you so much Laur Spilca, this playlist is amazing for Spring Security. 🥰

buddha

The best Spring Security tutorial for beginners. Thank you so much.

anjaliwarrier

Well first of all it is just a fabulous playlist and this tutorial in particular, thank you so much. I've tried to implement exactly what's shown here: kinda api-key (custom) + oauth2-resource-server (default) authentications, and both reading official documentation and debugging the framework didn't really help. Spring Security Docs describes all the components involved quite abstractly, but it's not enough at all to understand how to implement this kind of stuff.
Although I would implement this chain in a more 'Springy' way, which is making them all beans (probably using @Component) and injecting them into each other and injecting the key into the ApiKeyProvider via @Value directly. From the general perspective it seems a bit cleaner than creating a new Manager and Provider with every request and passing the Key through the chain of constructors. But in this case Spring Security somehow registers our ApiKeyProvider (as it becomes a Bean) as a provider for the parent of ProviderManager used by Crazy things, looks like it doesn't break anything, just ignored due to token type mismatch, but still a bit annoying.
Is this a viable approach or will these beans backfire at some point?

for_whom_the_bell_tolls

Great work as always, would be cool if you mention ProviderManager and AbstractAuthenticationProcessingFilter, that last one is pretty nice as it's the "opposite" of OncePerRequestFilter

santiagozapata

I really appreciate this tutorial video. Many thanks 🙂

jbparkthree

You are rocking brother. Thanks for the tutorials.

arunkumarka

Thanks for your effort, I'm looking forward to new episodes 😍😍

nimacode

One thing missing an explanation is the confusing chain of method calls for HttpSecurity.

arandaid

Hi
Great work. Thanks for this playlist.

mihai.vlasceanu

Thank you for preparing these great videos

mustafakucuk

Hello Laurentiu, can you tell me why don't you return from the function after line 29 on 59:04? Even if the chain continues to the next filter, won't the doFilterInternal function still be executed till the end? Thanks.

jolskey

28:00 Maybe filter is called again if request is forwarded? That would mean that if I authenticate, perform an action and forward to a JSP, then there will be no need to authenticate again with the JSP page URL. That's my guess!

TheodoreRavindranath

Hey Laurentiu.
First of all, many thanks for updating the playlist regarding Spring Security. It's very useful.

I wonder if it is possible to have multiple Custom Authentication Providers for a single Custom Authentication Manager?
If that is correct, I would like to clarify one point regarding their proper responsibilities.
Is it true that for proper authentication one successful execution of the authenticate method in one of the custom providers is enough, or should authentication pass through the whole chain of custom providers?

intBRiNGER

Hello Laurentiu, in lesson 3 you created the filter 'CustomAuthenticationFilter' as a component and then injected it in the SecurityConfig class, while in this lesson you created a similar filter 'APIKeyFilter', which serves the same role as in lesson 3, but here you configured a new instance of it in the SecurityConfig class. Why this difference?

ridasafwan

When you add a custom security Filter, how do you know where to place it in the SecurityFilterChain?
In this lesson we use: `addFilterBefore(new ApiKeyFilter(key),
But the previous lesson used: `addFilterAt(customAuthenticationFilter,
Where can we learn about these existing Filters and how to place our own Filters in relation to them?

jaco

Hi, thanks again for the video! 
I have two questions:

- Does multiple authentication mean that the user can either authenticate (in this case) with http basic OR apikey?

- Last week in order to add a filter you replaced it with and this time you added one before BasicAuthenticationFilter. How can I always know where/when to add them?

h.