Simplify AuthenticationManagerConfiguration

Simplify `AuthenticationManagerConfiguration` following the recent Spring Security auto-configuration updates. See gh-7958
2017-09-27 15:33:26 -07:00 · 2017-09-27 15:33:26 -07:00 · c592e3b67d
parent 93f6168fd0
commit c592e3b67d
3 changed files with 81 additions and 297 deletions
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java
@ -16,7 +16,6 @@
 package org.springframework.boot.autoconfigure.security;
 import java.lang.reflect.Field;
 import java.util.UUID;
 import org.apache.commons.logging.Log;
@ -31,30 +30,21 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationListener;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Primary;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
-import org.springframework.security.config.annotation.SecurityConfigurer;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
 import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.util.ReflectionUtils;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 /**
- * Configuration for a Spring Security in-memory {@link AuthenticationManager}. Can be
+ * Configuration for a Spring Security in-memory {@link AuthenticationManager}. Adds an
- * disabled by providing a bean of type {@link AuthenticationManager},
+ * {@link InMemoryUserDetailsManager} with a default user and generated password.
- * {@link AuthenticationProvider} or {@link UserDetailsService}. The value provided by
+ * This can be disabled by providing a bean of type {@link AuthenticationManager},
- * this configuration will become the "global" authentication manager (from Spring
+ * {@link AuthenticationProvider} or {@link UserDetailsService}.
 * Security), or the parent of the global instance. Thus it acts as a fallback when no
 * others are provided, is used by method security if enabled, and as a parent
 * authentication manager for "local" authentication managers in individual filter chains.
 *
 * @author Dave Syer
 * @author Rob Winch
@ -62,8 +52,6 @@ import org.springframework.util.ReflectionUtils;
 */
@Configuration
@ConditionalOnBean(ObjectPostProcessor.class)
@ConditionalOnMissingBean({ AuthenticationManager.class, AuthenticationProvider.class,
 		UserDetailsService.class })
@Order(0)
 public class AuthenticationManagerConfiguration {
@ -71,15 +59,13 @@ public class AuthenticationManagerConfiguration {
 			.getLog(AuthenticationManagerConfiguration.class);
 	@Bean
-	@Primary
+	@ConditionalOnMissingBean({ AuthenticationManager.class, AuthenticationProvider.class,
-	public AuthenticationManager authenticationManager(
+			UserDetailsService.class })
-			AuthenticationConfiguration configuration) throws Exception {
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return configuration.getAuthenticationManager();
+		String password = UUID.randomUUID().toString();
-	}
+		logger.info(
-
+				String.format("%n%nUsing default security password: %s%n", password));
-	@Bean
+		return new InMemoryUserDetailsManager(User.withUsername("user").password(password).roles().build());
 	public static SpringBootAuthenticationConfigurerAdapter springBootAuthenticationConfigurerAdapter() {
 		return new SpringBootAuthenticationConfigurerAdapter();
 	}
 	@Bean
@ -87,91 +73,6 @@ public class AuthenticationManagerConfiguration {
 		return new AuthenticationManagerConfigurationListener();
 	}
 	/**
 	 * {@link GlobalAuthenticationConfigurerAdapter} to apply
 	 * {@link DefaultInMemoryUserDetailsManagerConfigurer}. We must apply
 	 * {@link DefaultInMemoryUserDetailsManagerConfigurer} in the init phase of the last
 	 * {@link GlobalAuthenticationConfigurerAdapter}. The reason is that the typical flow
 	 * is something like:
 	 *
 	 * <ul>
 	 * <li>A
 	 * {@link GlobalAuthenticationConfigurerAdapter#init(AuthenticationManagerBuilder)}
 	 * exists that adds a {@link SecurityConfigurer} to the
 	 * {@link AuthenticationManagerBuilder}.</li>
 	 * <li>{@link AuthenticationManagerConfiguration} adds
 	 * {@link SpringBootAuthenticationConfigurerAdapter} so it is after the
 	 * {@link SecurityConfigurer} in the first step.</li>
 	 * <li>We then can default an {@link AuthenticationProvider} if necessary. Note we can
 	 * only invoke the
 	 * {@link AuthenticationManagerBuilder#authenticationProvider(AuthenticationProvider)}
 	 * method since all other methods add a {@link SecurityConfigurer} which is not
 	 * allowed in the configure stage. It is not allowed because we guarantee all init
 	 * methods are invoked before configure, which cannot be guaranteed at this point.
 	 * </li>
 	 * </ul>
 	 */
 	@Order(Ordered.LOWEST_PRECEDENCE - 100)
 	private static class SpringBootAuthenticationConfigurerAdapter
 			extends GlobalAuthenticationConfigurerAdapter {
 		@Override
 		public void init(AuthenticationManagerBuilder auth) throws Exception {
 			auth.apply(new DefaultInMemoryUserDetailsManagerConfigurer());
 		}
 	}
 	/**
 	 * {@link InMemoryUserDetailsManagerConfigurer} to add user details from
 	 * {@link SecurityProperties}. This is necessary to delay adding the default user.
 	 *
 	 * <ul>
 	 * <li>A {@link GlobalAuthenticationConfigurerAdapter} will initialize the
 	 * {@link AuthenticationManagerBuilder} with a Configurer which will be after any
 	 * {@link GlobalAuthenticationConfigurerAdapter}.</li>
 	 * <li>{@link SpringBootAuthenticationConfigurerAdapter} will be invoked after all
 	 * {@link GlobalAuthenticationConfigurerAdapter}, but before the Configurers that were
 	 * added by other {@link GlobalAuthenticationConfigurerAdapter} instances.</li>
 	 * <li>A {@link SpringBootAuthenticationConfigurerAdapter} will add
 	 * {@link DefaultInMemoryUserDetailsManagerConfigurer} after all Configurer instances.
 	 * </li>
 	 * <li>All init methods will be invoked.</li>
 	 * <li>All configure methods will be invoked which is where the
 	 * {@link AuthenticationProvider} instances are setup.</li>
 	 * <li>If no AuthenticationProviders were provided,
 	 * {@link DefaultInMemoryUserDetailsManagerConfigurer} will default the value.</li>
 	 * </ul>
 	 */
 	private static class DefaultInMemoryUserDetailsManagerConfigurer
 			extends InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> {
 		@Override
 		public void configure(AuthenticationManagerBuilder auth) throws Exception {
 			if (auth.isConfigured()) {
 				return;
 			}
 			String password = UUID.randomUUID().toString();
 			logger.info(
 					String.format("%n%nUsing default security password: %s%n", password));
 			withUser("user").password(password).roles();
 			setField(auth, "defaultUserDetailsService", getUserDetailsService());
 			super.configure(auth);
 		}
 		private void setField(Object target, String name, Object value) {
 			try {
 				Field field = ReflectionUtils.findField(target.getClass(), name);
 				ReflectionUtils.makeAccessible(field);
 				ReflectionUtils.setField(field, target, value);
 			}
 			catch (Exception ex) {
 				logger.info("Could not set " + name);
 			}
 		}
 	}
 	/**
 	 * {@link ApplicationListener} to autowire the {@link AuthenticationEventPublisher}
 	 * into the {@link AuthenticationManager}.
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfiguration.java
@ -28,21 +28,17 @@ import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
 import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 /**
 * {@link EnableAutoConfiguration Auto-configuration} for Spring Security. Provides an
- * {@link AuthenticationManager} based on configuration bound to a
+ * {@link InMemoryUserDetailsManager} with one user (named "user") whose password is
- * {@link SecurityProperties} bean. There is one user (named "user") whose password is
+ * random and printed on the console at INFO level during startup. In a webapp, this
- * random and printed on the console at INFO level during startup. In a webapp this
+ * configuration also secures all web endpoints (including static resources).
 * configuration also secures all web endpoints (except some well-known static resource
 * locations) with HTTP basic security. To replace all the default behaviours in a webapp
 * provide a {@code @Configuration} with {@code @EnableWebSecurity}. To just add your own
 * layer of application security in front of the defaults, add a {@code @Configuration} of
 * type {@link WebSecurityConfigurerAdapter}.
 *
 * @author Dave Syer
 * @author Andy Wilkinson
 * @author Madhura Bhave
 */
@Configuration
@ConditionalOnClass({ AuthenticationManager.class,
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
@ -16,6 +16,7 @@
 package org.springframework.boot.autoconfigure.security;
 import java.util.Collections;
 import java.util.EnumSet;
 import javax.servlet.DispatcherType;
@ -38,29 +39,27 @@ import org.springframework.context.ApplicationListener;
 import org.springframework.context.annotation.AnnotationConfigApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.orm.jpa.JpaTransactionManager;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.TestingAuthenticationProvider;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
-import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
+import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.fail;
 /**
 * Tests for {@link SecurityAutoConfiguration}.
@ -68,6 +67,7 @@ import static org.junit.Assert.fail;
 * @author Dave Syer
 * @author Rob Winch
 * @author Andy Wilkinson
 * @author Madhura Bhave
 */
 public class SecurityAutoConfigurationTests {
@ -146,121 +146,79 @@ public class SecurityAutoConfigurationTests {
 				DelegatingFilterProxyRegistrationBean.class).getOrder()).isEqualTo(12345);
 	}
 	@Test
 	public void testDisableIgnoredStaticApplicationPaths() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
 		this.context.register(SecurityAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
 		TestPropertyValues.of("security.ignored:none").applyTo(this.context);
 		this.context.refresh();
 		// Just the application endpoints now
 		assertThat(this.context.getBean(FilterChainProxy.class).getFilterChains())
 				.hasSize(1);
 	}
 	@Test
 	public void testAuthenticationManagerCreated() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
 		this.context.register(SecurityAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
 		this.context.refresh();
 		assertThat(this.context.getBean(AuthenticationManager.class)).isNotNull();
 	}
 	@Test
 	public void testEventPublisherInjected() throws Exception {
-		testAuthenticationManagerCreated();
+		this.context = new AnnotationConfigWebApplicationContext();
-		pingAuthenticationListener();
+		this.context.setServletContext(new MockServletContext());
-	}
+		this.context.register(TestAuthenticationManagerConfiguration.class, SecurityAutoConfiguration.class,
-
+				PropertyPlaceholderAutoConfiguration.class);
-	private void pingAuthenticationListener() {
+		this.context.refresh();
 		AuthenticationListener listener = new AuthenticationListener();
 		this.context.addApplicationListener(listener);
 		AuthenticationManager manager = this.context.getBean(AuthenticationManager.class);
-		try {
+		manager.authenticate(new TestingAuthenticationToken("foo", "wrong"));
 			manager.authenticate(new UsernamePasswordAuthenticationToken("foo", "wrong"));
 			fail("Expected BadCredentialsException");
 		}
 		catch (BadCredentialsException e) {
 			// expected
 		}
 		assertThat(listener.event)
-				.isInstanceOf(AuthenticationFailureBadCredentialsEvent.class);
+				.isInstanceOf(AuthenticationSuccessEvent.class);
 	}
 	@Test
-	public void testOverrideAuthenticationManager() throws Exception {
+	public void testDefaultUsernamePassword() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
-		this.context.register(TestAuthenticationConfiguration.class,
+		this.context.register(SecurityAutoConfiguration.class);
 		this.context.refresh();
 		UserDetailsService manager = this.context.getBean(UserDetailsService.class);
 		assertThat(this.outputCapture.toString()).contains("Using default security password:");
 		assertThat(manager.loadUserByUsername("user")).isNotNull();
 	}
 	@Test
 	public void defaultUserNotCreatedIfAuthenticationManagerBeanPresent() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
 		this.context.register(TestAuthenticationManagerConfiguration.class,
 				SecurityAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
 		this.context.refresh();
-		assertThat(this.context.getBean(AuthenticationManager.class))
+		AuthenticationManager manager = this.context.getBean(AuthenticationManager.class);
 		assertThat(manager)
 				.isEqualTo(this.context.getBean(
-						TestAuthenticationConfiguration.class).authenticationManager);
+						TestAuthenticationManagerConfiguration.class).authenticationManager);
 		assertThat(this.outputCapture.toString())
 				.doesNotContain("Using default security password: ");
 		TestingAuthenticationToken token = new TestingAuthenticationToken(
 				"foo", "bar");
 		assertThat(manager.authenticate(token)).isNotNull();
 	}
 	@Test
-	public void testDefaultAuthenticationManagerMakesUserDetailsAvailable()
+	public void defaultUserNotCreatedIfUserDetailsServiceBeanPresent() throws Exception {
 			throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
-		this.context.register(UserDetailsSecurityCustomizer.class,
+		this.context.register(TestUserDetailsServiceConfiguration.class,
 				SecurityAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
 		this.context.refresh();
-		assertThat(this.context.getBean(UserDetailsSecurityCustomizer.class)
+		UserDetailsService userDetailsService = this.context.getBean(UserDetailsService.class);
-				.getUserDetails().loadUserByUsername("user")).isNotNull();
+		assertThat(this.outputCapture.toString())
 				.doesNotContain("Using default security password: ");
 		assertThat(userDetailsService.loadUserByUsername("foo")).isNotNull();
 	}
 	@Test
-	public void testOverrideAuthenticationManagerAndInjectIntoSecurityFilter()
+	public void defaultUserNotCreatedIfAuthenticationProviderBeanPresent() throws Exception {
 			throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
-		this.context.register(TestAuthenticationConfiguration.class,
+		this.context.register(TestAuthenticationProviderConfiguration.class,
-				SecurityCustomizer.class, SecurityAutoConfiguration.class,
+				SecurityAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
 		this.context.refresh();
-		assertThat(this.context.getBean(AuthenticationManager.class))
+		AuthenticationProvider provider = this.context.getBean(AuthenticationProvider.class);
-				.isEqualTo(this.context.getBean(
+		assertThat(this.outputCapture.toString())
-						TestAuthenticationConfiguration.class).authenticationManager);
+				.doesNotContain("Using default security password: ");
-	}
+		TestingAuthenticationToken token = new TestingAuthenticationToken(
-
+				"foo", "bar");
-	@Test
+		assertThat(provider.authenticate(token)).isNotNull();
 	public void testOverrideAuthenticationManagerWithBuilderAndInjectIntoSecurityFilter()
 			throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
 		this.context.register(AuthenticationManagerCustomizer.class,
 				SecurityCustomizer.class, SecurityAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
 		this.context.refresh();
 		UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken(
 				"foo", "bar",
 				AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
 		assertThat(this.context.getBean(AuthenticationManager.class).authenticate(user))
 				.isNotNull();
 		pingAuthenticationListener();
 	}
 	@Test
 	public void testOverrideAuthenticationManagerWithBuilderAndInjectBuilderIntoSecurityFilter()
 			throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
 		this.context.register(AuthenticationManagerCustomizer.class,
 				WorkaroundSecurityCustomizer.class, SecurityAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
 		this.context.refresh();
 		UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken(
 				"foo", "bar",
 				AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
 		assertThat(this.context.getBean(AuthenticationManager.class).authenticate(user))
 				.isNotNull();
 	}
 	@Test
@ -279,41 +237,11 @@ public class SecurityAutoConfigurationTests {
 		assertThat(this.context.getBean(JpaTransactionManager.class)).isNotNull();
 	}
 	@Test
 	public void testDefaultUsernamePassword() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
 		this.context.register(SecurityAutoConfiguration.class);
 		this.context.refresh();
 		String password = this.outputCapture.toString()
 				.split("Using default security password: ")[1].split("\n")[0].trim();
 		AuthenticationManager manager = this.context.getBean(AuthenticationManager.class);
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"user", password);
 		assertThat(manager.authenticate(token)).isNotNull();
 	}
 	@Test
 	public void testCustomAuthenticationDoesNotCreateDefaultUser() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
 		this.context.register(AuthenticationManagerCustomizer.class,
 				SecurityAutoConfiguration.class);
 		this.context.refresh();
 		AuthenticationManager manager = this.context.getBean(AuthenticationManager.class);
 		assertThat(this.outputCapture.toString())
 				.doesNotContain("Using default security password: ");
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"foo", "bar");
 		assertThat(manager.authenticate(token)).isNotNull();
 	}
 	@Test
 	public void testSecurityEvaluationContextExtensionSupport() {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.setServletContext(new MockServletContext());
-		this.context.register(AuthenticationManagerCustomizer.class,
+		this.context.register(SecurityAutoConfiguration.class);
 				SecurityAutoConfiguration.class);
 		this.context.refresh();
 		assertThat(this.context.getBean(SecurityEvaluationContextExtension.class))
 				.isNotNull();
@ -376,76 +304,35 @@ public class SecurityAutoConfigurationTests {
 	}
 	@Configuration
-	protected static class TestAuthenticationConfiguration {
+	protected static class TestAuthenticationManagerConfiguration {
 		private AuthenticationManager authenticationManager;
 		@Bean
 		public AuthenticationManager myAuthenticationManager() {
-			this.authenticationManager = (
+			AuthenticationProvider authenticationProvider = new TestingAuthenticationProvider();
-					authentication) -> new TestingAuthenticationToken("foo", "bar");
+			this.authenticationManager = new ProviderManager(Collections.singletonList(authenticationProvider));
 			return this.authenticationManager;
 		}
 	}
 	@Configuration
-	protected static class SecurityCustomizer extends WebSecurityConfigurerAdapter {
+	protected static class TestUserDetailsServiceConfiguration {
-		final AuthenticationManager authenticationManager;
+		@Bean
-
+		public InMemoryUserDetailsManager myUserDetailsService() {
-		protected SecurityCustomizer(AuthenticationManager authenticationManager) {
+			return new InMemoryUserDetailsManager(User.withUsername("foo").password("bar").roles("USER").build());
 			this.authenticationManager = authenticationManager;
 		}
 	}
 	@Configuration
-	protected static class WorkaroundSecurityCustomizer
+	protected static class TestAuthenticationProviderConfiguration {
 			extends WebSecurityConfigurerAdapter {
-		private final AuthenticationManagerBuilder builder;
+		@Bean
-
+		public AuthenticationProvider myauthenticationProvider() {
-		@SuppressWarnings("unused")
+			return new TestingAuthenticationProvider();
 		private AuthenticationManager authenticationManager;
 		protected WorkaroundSecurityCustomizer(AuthenticationManagerBuilder builder) {
 			this.builder = builder;
 		}
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			this.authenticationManager = (authentication) -> this.builder.getOrBuild()
 					.authenticate(authentication);
 		}
 	}
 	@Configuration
 	@Order(-1)
 	protected static class AuthenticationManagerCustomizer
 			extends GlobalAuthenticationConfigurerAdapter {
 		@Override
 		public void init(AuthenticationManagerBuilder auth) throws Exception {
 			auth.inMemoryAuthentication().withUser("foo").password("bar").roles("USER");
 		}
 	}
 	@Configuration
 	protected static class UserDetailsSecurityCustomizer
 			extends WebSecurityConfigurerAdapter {
 		private UserDetailsService userDetails;
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			this.userDetails = http.getSharedObject(UserDetailsService.class);
 		}
 		public UserDetailsService getUserDetails() {
 			return this.userDetails;
 		}
 	}