Jan Zyka - 4 months ago
Java Question

WebSecurityConfigurerAdapter with custom authentication filter - dependency issue

I have spring security configuration with SPNEGO which is working "with a hack". It looks as follows:

public class SpnegoConfig extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {
        ...
                BasicAuthenticationFilter.class); // 1
    }

    @Autowired // 3
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        ...
    }

    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) { // 2
        SpnegoAuthenticationProcessingFilter filter =
                new SpnegoAuthenticationProcessingFilter();
        ...
        return filter;
    }
}

What is happening:

  • I need to add spnegoAuthenticationProcessingFilter (1)

  • This filter has dependency on authenticationManager (2)

  • I need to add authentication providers (3)

Point being in this class which is
I'm overriding 2 methods:

  1. configure(HttpSecurity http)
    - this has dependency on the already built
    through custom filter

  2. configure(AuthenticationManagerBuilder auth)
    - this clearly relates on
    not being built yet - we're building it

If I don't have the
on method (3) the
is built too early and my adding of
s has no effect. The authentication fails with exception there is no suitable

With the
in place it works but it feels wrong. I'm not even sure why it starts working then.

Please advise on the right approach.

Edit: It actually works without the @Autowired. But the point is in the accepted answer. If you ever depend on
make sure it's either exposed or referenced via the

dur

You use the wrong AuthenticationManager.

If you want to use the AuthenticationManager from SpnegoConfig with dependency injection, you have to expose it, see JavaDoc:

Override this method to expose the AuthenticationManager from configure(AuthenticationManagerBuilder) to be exposed as a Bean. For example:

@Bean(name = "myAuthenticationManager")
public AuthenticationManager authenticationManagerBean() throws Exception {
   return super.authenticationManagerBean();
}

If you want to configure global AuthenticationManager, you have to autowire the AuthenticationManagerBuilder, see Spring Security 3.2.0.RC2 Released

For example, if you want to configure global authentication (i.e. you only have a single AuthenticationManager) you should autowire the AuthenticationManagerBuilder:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
   // ... configure it ...
}
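
An added example (not code from the question or the answer) that puts the answer's first option together: the providers go into the local AuthenticationManager, that manager is exposed through authenticationManagerBean(), and the SPNEGO filter is handed that same instance. The provider bean `kerberosServiceAuthenticationProvider`, the `anyRequest().authenticated()` rule and the helper name `spnegoFilter` are assumptions for illustration.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SpnegoConfig extends WebSecurityConfigurerAdapter {

    // Assumption: a Kerberos ticket-validating provider bean is defined elsewhere.
    @Autowired
    private AuthenticationProvider kerberosServiceAuthenticationProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // Providers registered here belong to this adapter's local AuthenticationManager.
        auth.authenticationProvider(kerberosServiceAuthenticationProvider);
    }

    // Expose the local manager so the filter below references it, not another instance.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and()
            .addFilterBefore(spnegoFilter(authenticationManagerBean()),
                             BasicAuthenticationFilter.class);
    }

    // Hypothetical helper: builds the filter around the manager passed in explicitly.
    private SpnegoAuthenticationProcessingFilter spnegoFilter(AuthenticationManager am) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(am);
        return filter;
    }
}
```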