spring security AuthenticationManager vs AuthenticationProvider?

Question

Can someone tell me the difference between an AuthenticationManager and an AuthenticationProvider in Spring Security?

How are they used and how

Answer 1

From spring reference

The AuthenticationManager is just an interface, so the implementation can be anything we choose

The default implementation in Spring Security is called ProviderManager and rather than handling the authentication request itself, it delegates to a list of configured AuthenticationProvider s, each of which is queried in turn to see if it can perform the authentication. Each provider will either throw an exception or return a fully populated Authentication object.

Also if you check the source code for AuthenticationManager, ProviderManager and AuthenticationProvider you can see this clearly.

ProviderManager implements the AuthenticationManager interface and it has list of AuthenticationProviders. So if you want to have custom authentication mechanism, you'll need to implement new AuthenticationProvider.