KerberosAuthenticationProvider vs. KerberosServiceAuthenticationProvider

Question

Moin!

I use Spring Security 5 with Kerberos for the SSO authentication in my project.

In the WebSecurityConfig I register two AuthenticationProvider

@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(msfUserDetailsService).passwordEncoder(passwordEncoder());
        assertThatUnlimitedCryptographyEnabled();

        // Two providers
        auth.authenticationProvider(kerberosAuthenticationProvider());
        auth.authenticationProvider(kerberosServiceAuthenticationProvider());
}

This seems to be the way its done as seen in these two examples:

• https://docs.spring.io/spring-security-kerberos/docs/current/reference/html/ssk-spnego.html
• https://www.ebayinc.com/stories/blogs/tech/customizing-spring-security-with-multiple-authentications/

However I don't see why I need both of them. During authentication the KerberosServiceAuthenticationProvider is the one that is validating Kerberos tickets (see JavaDoc)

However what is the KerberosAuthenticationProvider for? The JavaDoc in this case just says

AuthenticationProvider for kerberos.

Answer 1

As you said: KerberosServiceAuthenticationProvider is used to validate tickets in SSO authentication, whereas KerberosAuthenticationProvider is used for form based authentications, which are usually used as a fallback when SSO is not supported on client side (e.g. browsers on linux systems). This type of authentication is handled by UsernamePasswordAuthenticationFilter which is applied in WebSecurityConfigurerAdapter:

public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity httpSecurity) throws Exception {
     httpSecurity
      ...
      .formLogin()
  ...
  }
  ...
}

If you do not use form login then you can omit this provider as pointed in comments.