Replacing default RememberMeAuthenticationProvider added by spring-security

Question

I need to provide my own custom RememberMeAuthenticationProvider provider, which I know how to do. But the default created one is still present in the ProviderManager list of providers.

Can I completely replace the default one with my custom one?

How I add my own

    @Bean
    public RememberMeAuthenticationProvider rememberMeAuthenticationProvider(MessageSource messageSource) {
        var authProvider = new MyRememberMeAuthenticationProvider(REMEMBER_ME_KEY);
        authProvider.setMessageSource(messageSource);
        return authProvider;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           MvcRequestMatcher.Builder mvc,
                                           MessageSource messageSource) throws Exception {
        http
                .csrf(csrf -> csrf.csrfTokenRequestHandler(csrfRequestHandler)
                        .ignoringRequestMatchers(LOGIN_URI + "**"))
                .authenticationProvider(authenticationProvider)
                .authenticationProvider(rememberMeAuthenticationProvider(messageSource))
<cut>
        return http.build();
    }

But the RememberMeConfigurer unconditionally adds the default one

@Override
public void configure(H http) {
    RememberMeAuthenticationFilter rememberMeFilter = new RememberMeAuthenticationFilter(
            http.getSharedObject(AuthenticationManager.class), this.rememberMeServices);
    if (this.authenticationSuccessHandler != null) {
        rememberMeFilter.setAuthenticationSuccessHandler(this.authenticationSuccessHandler);
    }
    SecurityContextConfigurer<?> securityContextConfigurer = http.getConfigurer(SecurityContextConfigurer.class);
    if (securityContextConfigurer != null && securityContextConfigurer.isRequireExplicitSave()) {
        SecurityContextRepository securityContextRepository = securityContextConfigurer
            .getSecurityContextRepository();
        rememberMeFilter.setSecurityContextRepository(securityContextRepository);
    }
    rememberMeFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
    rememberMeFilter = postProcess(rememberMeFilter);
    http.addFilter(rememberMeFilter);
}

Which leads to this list of configured providers

0 = {MyAuthenticationProvider@17013} 
1 = {MyRememberMeAuthenticationProvider@16992} 
2 = {AnonymousAuthenticationProvider@26592} 
3 = {RememberMeAuthenticationProvider@18312}

Right now this works, likely due to the order, but I would really want to remove the default one completely.

Is this possible?

Many thanks, Mike

DingHao · Accepted Answer · 2024-12-26 02:00:23Z

1

I think you can use BeanPostProcessor like so

public class MyBeanPostProcessor implements BeanPostProcessor {

 @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
        if (bean instanceof ProviderManager providerManager) {
            providerManager.getProviders().removeIf(provider -> provider.getClass() == RememberMeAuthenticationProvider.class);
        }
        return bean;
    }

}

answered Dec 26, 2024 at 2:00

DingHao

1,2481 gold badge4 silver badges12 bronze badges

Sign up to request clarification or add additional context in comments.

Collectives™ on Stack Overflow

Replacing default RememberMeAuthenticationProvider added by spring-security

1 Answer 1

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

Comments

Your Answer

Sign up or log in

Post as a guest

Related