Hands-On Spring Security 5 for Reactive Applications

Multiple AuthenticationProvider

Spring Security allows you to declare multiple AuthenticationProvider in your application. They are executed according to the order in which they are declared in the configuration.

The jetty-in-memory-basic-custom-authentication project is modified further, and we have used the newly created CustomAuthenticationProvider as an AuthenticationProvider (Order 1) and the existing inMemoryAuthentication as our second AuthenticationProvider (Order 2):

@ComponentScan(basePackageClasses = CustomAuthenticationProvider.class)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

CustomAuthenticationProvider customAuthenticationProvider;

protected void configure(HttpSecurity http) throws Exception {
.authenticated(); // Use Basic authentication
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// Custom authentication provider - Order 1
// Built-in authentication provider - Order 2
//{noop} makes sure that the password encoder doesn't do anything
.roles("ADMIN") // Role of the user

Whenever the authenticate method executes without error, the controls return and thereafter configured AuthenticationProvider's doesn't get executed.