Moin!
I use Spring Security 5 with Kerberos for the SSO authentication in my project.
In the WebSecurityConfig
I register two AuthenticationProvider
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(msfUserDetailsService).passwordEncoder(passwordEncoder());
assertThatUnlimitedCryptographyEnabled();
// Two providers
auth.authenticationProvider(kerberosAuthenticationProvider());
auth.authenticationProvider(kerberosServiceAuthenticationProvider());
}
This seems to be the way its done as seen in these two examples:
However I don't see why I need both of them. During authentication the KerberosServiceAuthenticationProvider
is the one that is validating Kerberos tickets (see JavaDoc)
However what is the KerberosAuthenticationProvider
for? The JavaDoc in this case just says
AuthenticationProvider for kerberos.
As you said: KerberosServiceAuthenticationProvider
is used to validate tickets in SSO authentication, whereas KerberosAuthenticationProvider
is used for form based authentications, which are usually used as a fallback when SSO is not supported on client side (e.g. browsers on linux systems). This type of authentication is handled by UsernamePasswordAuthenticationFilter
which is applied in WebSecurityConfigurerAdapter
:
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
...
.formLogin()
...
}
...
}
If you do not use form login then you can omit this provider as pointed in comments.