> For the complete documentation index, see [llms.txt](https://www.pranaypourkar.co.in/the-programmers-guide/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.pranaypourkar.co.in/the-programmers-guide/spring/spring-features/spring-security/authentication/core-components/authenticationmanager.md). # AuthenticationManager ## About In Spring Security, the *AuthenticationManager* is the **core component responsible for processing authentication requests**. It acts as a **central hub** that delegates authentication to one or more `AuthenticationProvider` instances. Whenever a user attempts to log in (via username/password, JWT, OAuth2, etc.), the `AuthenticationManager` verifies the credentials and returns an `Authentication` object if authentication is successful. ## **Responsibilities of AuthenticationManager** 1. **Processes authentication requests** by delegating to `AuthenticationProvider`. 2. **Returns a valid `Authentication` object** upon success or throws an exception on failure. 3. **Supports multiple authentication mechanisms** like form login, basic authentication, JWT, OAuth2, etc. 4. **Integrates with SecurityContextHolder** to store the authenticated user details. 5. **Allows custom authentication providers** for non-standard authentication methods. ## **Authentication Flow in Spring Security** ### **1. User submits credentials** A user tries to log in by submitting a request with their credentials. * Example: A form login request (`POST /login`) with username and password. ### **2. AuthenticationManager is called** Spring Security passes the credentials to `AuthenticationManager`. ```java Authentication authentication = authenticationManager.authenticate( new UsernamePasswordAuthenticationToken(username, password) ); ``` ### **3. Delegates to AuthenticationProvider** * The `AuthenticationManager` doesn't authenticate directly. * It delegates the request to one or more `AuthenticationProvider` implementations. ### **4. AuthenticationProvider validates credentials** * Checks the username and password against the database. * If valid, it returns an authenticated `Authentication` object. * If invalid, it throws an `AuthenticationException`. ### **5. Stores Authentication in SecurityContext** If authentication is successful, the result is stored in the `SecurityContextHolder`: ```java SecurityContextHolder.getContext().setAuthentication(authentication); ``` ### **6. Request is authorized or rejected** * If authentication is successful, the request proceeds to the controller. * If authentication fails, Spring Security returns **401 Unauthorized**. ## **Components Related to AuthenticationManager** #### **1. AuthenticationManager** * Interface responsible for processing authentication requests. * Common implementation: `ProviderManager`. #### **2. AuthenticationProvider** * Handles specific authentication mechanisms (e.g., username/password, JWT). * Custom implementations can be created. #### **3. Authentication Object** * Holds authentication details (e.g., principal, credentials, authorities). * Example: `UsernamePasswordAuthenticationToken`. #### **4. SecurityContextHolder** * Stores the authentication information for the current request. #### **5. UserDetailsService** * Loads user details from the database. * Default implementation: `InMemoryUserDetailsManager`, `JdbcUserDetailsManager`. ## **AuthenticationManager Implemention** ### **1. Default AuthenticationManager (Spring Boot 3)** Spring Boot automatically configures an `AuthenticationManager` when using `HttpSecurity`. {% hint style="danger" %} In Spring Boot 3, `WebSecurityConfigurerAdapter` is removed. Use `SecurityFilterChain` instead. {% endhint %} ```java @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(auth -> auth.anyRequest().authenticated()) .formLogin(); return http.build(); } } ``` {% hint style="info" %} No need to manually configure AuthenticationManager as Spring Boot does it for us. {% endhint %} ### **2. Manually Defining AuthenticationManager** If we need custom authentication logic, define `AuthenticationManager` explicitly. ```java @Configuration public class SecurityConfig { @Bean public AuthenticationManager authenticationManager(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder) { DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); provider.setUserDetailsService(userDetailsService); provider.setPasswordEncoder(passwordEncoder); return new ProviderManager(List.of(provider)); } } ``` * Here, `ProviderManager` delegates authentication to `DaoAuthenticationProvider`. * Uses `UserDetailsService` to fetch user details. * Uses `PasswordEncoder` for secure password storage. ### **3. Custom Authentication Provider** For non-standard authentication (e.g., API keys, LDAP, JWT), create a custom `AuthenticationProvider`. ```java @Component public class CustomAuthenticationProvider implements AuthenticationProvider { @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String username = authentication.getName(); String password = authentication.getCredentials().toString(); if ("admin".equals(username) && "password".equals(password)) { return new UsernamePasswordAuthenticationToken(username, password, List.of(new SimpleGrantedAuthority("ROLE_ADMIN"))); } else { throw new BadCredentialsException("Invalid credentials"); } } @Override public boolean supports(Class authentication) { return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication); } } ``` * This provider authenticates only if username is "admin" and password is "password". * If credentials are incorrect, it throws `BadCredentialsException`. ## **AuthenticationManager in JWT Authentication** Spring Security's `AuthenticationManager` is crucial in JWT authentication flows. ### **1. JWT Authentication Flow** * The user logs in and sends username/password. * The credentials are validated using `AuthenticationManager`. * If successful, a JWT token is generated and returned. * On future requests, the token is validated instead of username/password. ### **2. JWT AuthenticationManager Implementation** ```java @Component public class JwtAuthenticationFilter extends OncePerRequestFilter { @Autowired private JwtUtil jwtUtil; @Autowired private AuthenticationManager authenticationManager; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { String token = jwtUtil.extractToken(request); if (token != null && jwtUtil.validateToken(token)) { Authentication authentication = authenticationManager.authenticate(new JwtAuthenticationToken(token)); SecurityContextHolder.getContext().setAuthentication(authentication); } filterChain.doFilter(request, response); } } ``` * Extracts JWT token from the request. * Uses `AuthenticationManager` to authenticate based on the token. * Stores authentication in `SecurityContextHolder`. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://www.pranaypourkar.co.in/the-programmers-guide/spring/spring-features/spring-security/authentication/core-components/authenticationmanager.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.