Demonstrate the differences in behavior between a SecurityFilterChain
bean and
extending WebSecurityConfigurerAdapter
.
There are two implementation of the same app, protected by HTTP basic. Users can authenticate with user:password
through a provided UserDetailsService
bean, that is wired into a DaoAuthenticationProvider
and the global
authentication manager. That authentication manager has a DefaultAuthenticationEventPublisher
wired in, and
authentication events are emitted in both implementation.
Users can also authenticate with a custom FooUserAuthenticationProvider
, which allows username foo
with any
password, e.g. foo:bar
or foo:baz
. In the case of WebSecurityConfigurerAdapter
, authentication events are emitted.
In the case of the SecurityFilterChain
bean, no events are emitted, because the local authentication manager has
a NullEventPublisher
.
Both cases are illustrated in a unit test, in AuthenticationEventTests.
Tested with Java 11.
- Run the application with
SPRING_PROFILES_ACTIVE=adapter ./gradlew bootRun
- Run
curl -v localhost:8080 -u "user:password"
, this should print something in the console, e.g.~~~~~~~> SUCCESSFUL AUTH, type: UsernamePasswordAuthenticationToken, name: user
- Run
curl -v localhost:8080 -u "foo:bar"
, this should print something in the console, e.g.~~~~~~~> SUCCESSFUL AUTH, type: UsernamePasswordAuthenticationToken, name: foo
- Run the application with
SPRING_PROFILES_ACTIVE=filterchain ./gradlew bootRun
- Run
curl -v localhost:8080 -u "user:password"
, this should print something in the console, e.g.~~~~~~~> SUCCESSFUL AUTH, type: UsernamePasswordAuthenticationToken, name: user
- Run
curl -v localhost:8080 -u "foo:bar"
, this does not print anything in the console.