Tags: java, spring, spring-security, kerberos, spring-security-kerberos

KerberosAuthenticationProvider vs. KerberosServiceAuthenticationProvider


Hi!

I use Spring Security 5 with Kerberos for the SSO authentication in my project.

In the WebSecurityConfig I register two AuthenticationProviders:

@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(msfUserDetailsService).passwordEncoder(passwordEncoder());
        assertThatUnlimitedCryptographyEnabled();

        // Two providers
        auth.authenticationProvider(kerberosAuthenticationProvider());
        auth.authenticationProvider(kerberosServiceAuthenticationProvider());
}

This seems to be the way it's done, as seen in these two examples:

However, I don't see why I need both of them. During authentication the KerberosServiceAuthenticationProvider is the one that validates Kerberos tickets (see JavaDoc).

However, what is the KerberosAuthenticationProvider for? The JavaDoc in this case just says:

AuthenticationProvider for kerberos.


Solution

  • As you said: KerberosServiceAuthenticationProvider is used to validate tickets in SSO authentication, whereas KerberosAuthenticationProvider is used for form-based authentication, which is usually used as a fallback when SSO is not supported on the client side (e.g. browsers on Linux systems). This type of authentication is handled by UsernamePasswordAuthenticationFilter, which is applied in WebSecurityConfigurerAdapter:

    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
      @Override
      protected void configure(HttpSecurity httpSecurity) throws Exception {
         httpSecurity
          ...
          .formLogin()
      ...
      }
      ...
    }
    

    If you do not use form login then you can omit this provider, as pointed out in the comments.
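To make the split between the two providers concrete, here is an added example of a complete configuration that wires both paths: SPNEGO ticket validation through KerberosServiceAuthenticationProvider (reached via SpnegoAuthenticationProcessingFilter) and a form-login fallback through KerberosAuthenticationProvider, which checks the submitted username and password against the KDC via JAAS. This is example code written for this answer, not the question's project or the spring-security-kerberos samples; the service principal HTTP/web.example.org@EXAMPLE.ORG, the keytab path /etc/security/web.keytab and the userDetailsService bean are assumed placeholders you must replace with your own values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class KerberosSsoWithFormFallbackConfig extends WebSecurityConfigurerAdapter {

    // Assumed: a bean that maps an authenticated principal name to roles/authorities.
    private final UserDetailsService userDetailsService;

    public KerberosSsoWithFormFallbackConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // 1) Unauthenticated requests get "401 WWW-Authenticate: Negotiate".
            //    A browser that cannot do SPNEGO (no ticket, no Kerberos config)
            //    is sent to the fallback URL, i.e. the form login page.
            .exceptionHandling()
                .authenticationEntryPoint(spnegoEntryPoint())
            .and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and()
            // 2) Form fallback: UsernamePasswordAuthenticationFilter collects the
            //    credentials and the AuthenticationManager dispatches them to
            //    KerberosAuthenticationProvider (it supports UsernamePasswordAuthenticationToken).
            //    The password travels through the application, so serve this over TLS only.
            .formLogin()
                .loginPage("/login").permitAll()
            .and()
            .logout().permitAll()
            .and()
            // 3) SSO path: the filter extracts the SPNEGO token from the Authorization
            //    header and hands a KerberosServiceRequestToken to the manager, which
            //    KerberosServiceAuthenticationProvider validates against the keytab.
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                             BasicAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Both providers are registered; the manager picks the one whose supports()
        // matches the token type, so they never compete for the same request.
        auth.authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    // Form-login provider: authenticates username/password against the KDC via JAAS.
    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        client.setDebug(false); // set true only while troubleshooting; it logs the exchange
        provider.setKerberosClient(client);
        provider.setUserDetailsService(userDetailsService);
        return provider;
    }

    // SSO provider: validates the client's service ticket with the server keytab.
    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(userDetailsService);
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal("HTTP/web.example.org@EXAMPLE.ORG"); // assumed SPN
        validator.setKeyTabLocation(new FileSystemResource("/etc/security/web.keytab")); // assumed path
        validator.setDebug(false);
        return validator;
    }

    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        // The argument is the fallback URL used when the browser does not answer Negotiate.
        return new SpnegoEntryPoint("/login");
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }
}
```

If you drop `.formLogin()` and the `KerberosAuthenticationProvider` bean, the SPNEGO path still works unchanged: the ProviderManager only ever routes `KerberosServiceRequestToken`s, and nothing remains that accepts a password. Keep the keytab readable only by the service account, since anyone holding it can impersonate the service to every client.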