Support AuthenticationManager Post-Processing

jzheaux · jzheaux · commit 179f7f80887c · 2025-08-12T17:10:26.000-06:00
Oftentimes, a filter has its own authentication manager or it
has something specific that it needs to do regarding authentication
that is independent of a shared authentication manager.

Allowing the authentication manager to be post-processed allows
an application to apply authentication-mechanism-specific
post-processing to the authentication request and result.
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java
@@ -282,7 +282,7 @@ public void configure(B http) throws Exception {
 		if (requestCache != null) {
 			this.defaultSuccessHandler.setRequestCache(requestCache);
 		}
-		this.authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
+		this.authFilter.setAuthenticationManager(postProcess(http.getSharedObject(AuthenticationManager.class)));
 		this.authFilter.setAuthenticationSuccessHandler(this.successHandler);
 		this.authFilter.setAuthenticationFailureHandler(this.failureHandler);
 		if (this.authenticationDetailsSource != null) {
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
@@ -207,7 +207,7 @@ private void registerDefaultLogoutSuccessHandler(B http, RequestMatcher preferre
 
 	@Override
 	public void configure(B http) {
-		AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
+		AuthenticationManager authenticationManager = postProcess(http.getSharedObject(AuthenticationManager.class));
 		BasicAuthenticationFilter basicAuthenticationFilter = new BasicAuthenticationFilter(authenticationManager,
 				this.authenticationEntryPoint);
 		if (this.authenticationDetailsSource != null) {
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
@@ -24,6 +24,7 @@
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -162,8 +163,9 @@ public void configure(H http) throws Exception {
 		WebAuthnRelyingPartyOperations rpOperations = webAuthnRelyingPartyOperations(userEntities, userCredentials);
 		PublicKeyCredentialCreationOptionsRepository creationOptionsRepository = creationOptionsRepository();
 		WebAuthnAuthenticationFilter webAuthnAuthnFilter = new WebAuthnAuthenticationFilter();
-		webAuthnAuthnFilter.setAuthenticationManager(
+		AuthenticationManager authenticationManager = postProcess(
 				new ProviderManager(new WebAuthnAuthenticationProvider(rpOperations, userDetailsService)));
+		webAuthnAuthnFilter.setAuthenticationManager(authenticationManager);
 		WebAuthnRegistrationFilter webAuthnRegistrationFilter = new WebAuthnRegistrationFilter(userCredentials,
 				rpOperations);
 		PublicKeyCredentialCreationOptionsFilter creationOptionsFilter = new PublicKeyCredentialCreationOptionsFilter(
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
@@ -183,7 +183,8 @@ public void init(H http) {
 
 	@Override
 	public void configure(H http) {
-		X509AuthenticationFilter filter = getFilter(http.getSharedObject(AuthenticationManager.class), http);
+		AuthenticationManager authenticationManager = postProcess(http.getSharedObject(AuthenticationManager.class));
+		X509AuthenticationFilter filter = getFilter(authenticationManager, http);
 		http.addFilter(filter);
 	}
 
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
@@ -265,7 +265,7 @@ public void init(H http) {
 	public void configure(H http) {
 		AuthenticationManagerResolver resolver = this.authenticationManagerResolver;
 		if (resolver == null) {
-			AuthenticationManager authenticationManager = getAuthenticationManager(http);
+			AuthenticationManager authenticationManager = postProcess(getAuthenticationManager(http));
 			resolver = (request) -> authenticationManager;
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -282,7 +282,7 @@ public void configure(B http) throws Exception {`
`282`	`282`	`if (requestCache != null) {`
`283`	`283`	`this.defaultSuccessHandler.setRequestCache(requestCache);`
`284`	`284`	`}`
`285`		`- this.authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));`
	`285`	`+ this.authFilter.setAuthenticationManager(postProcess(http.getSharedObject(AuthenticationManager.class)));`
`286`	`286`	`this.authFilter.setAuthenticationSuccessHandler(this.successHandler);`
`287`	`287`	`this.authFilter.setAuthenticationFailureHandler(this.failureHandler);`
`288`	`288`	`if (this.authenticationDetailsSource != null) {`
Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,8 @@ public void init(H http) {`
`183`	`183`
`184`	`184`	`@Override`
`185`	`185`	`public void configure(H http) {`
`186`		`- X509AuthenticationFilter filter = getFilter(http.getSharedObject(AuthenticationManager.class), http);`
	`186`	`+ AuthenticationManager authenticationManager = postProcess(http.getSharedObject(AuthenticationManager.class));`
	`187`	`+ X509AuthenticationFilter filter = getFilter(authenticationManager, http);`
`187`	`188`	`http.addFilter(filter);`
`188`	`189`	`}`
`189`	`190`
Original file line number	Diff line number	Diff line change
`@@ -265,7 +265,7 @@ public void init(H http) {`
`265`	`265`	`public void configure(H http) {`
`266`	`266`	`AuthenticationManagerResolver resolver = this.authenticationManagerResolver;`
`267`	`267`	`if (resolver == null) {`
`268`		`- AuthenticationManager authenticationManager = getAuthenticationManager(http);`
	`268`	`+ AuthenticationManager authenticationManager = postProcess(getAuthenticationManager(http));`
`269`	`269`	`resolver = (request) -> authenticationManager;`
`270`	`270`	`}`
`271`	`271`