spring security AuthenticationManager vs AuthenticationProvider?

Can someone tell me the difference between an AuthenticationManager and an AuthenticationProvider in Spring Security?

How are they used and how are they called. It is my understanding that a SecurityFilter will call the AuthenticationManager to authenticate an Authentication object? But then where does the AuthenticationPro开发者_如何转开发vider come into play?

Thanks!

I think the AuthenticationManager delegates the fetching of persistent user information to one or more AuthenticationProviders. The authentication-providers (DaoAuthenticationProvider, JaasAuthenticationProvider, LdapAuthenticationProvider, OpenIDAuthenticationProvider for example) specialize in accessing specific user-info repositories. Something else is mentioned in this part of the reference manual. It says:

You may want to register additional AuthenticationProvider beans with the ProviderManager and you can do this using the element with the ref attribute, where the value of the attribute is the name of the provider bean you want to add.

In other words, you can specify multiple AuthenticationProviders, for example one that looks for users in an LDAP database and another that looks in an SQL database.

Both AuthenticationManager and AuthenticationProvider are interfaces. They have different functionalities in the Spring Security Flow.

Ref-
Spring Boot + Spring Security Architecture

From spring reference

The AuthenticationManager is just an interface, so the implementation can be anything we choose

The default implementation in Spring Security is called ProviderManager and rather than handling the authentication request itself, it delegates to a list of configured AuthenticationProvider s, each of which is queried in turn to see if it can perform the authentication. Each provider will either throw an exception or return a fully populated Authentication object.

Also if you check the source code for AuthenticationManager, ProviderManager and AuthenticationProvider you can see this clearly.

ProviderManager implements the AuthenticationManager interface and it has list of AuthenticationProviders. So if you want to have custom authentication mechanism, you'll need to implement new AuthenticationProvider.