Difference between registerGlobal(), configure(), configureGlobal(),configureGlobalSecurity in Spring security

Question

I have below three code snippets all doing the same thing: creating in-memory authentication. So how it impacts defining it in different method names?

1. registerGlobal
2. configure
3. configureGlobal
4. configureGlobalSecurity

First one:

public void registerGlobal(AuthenticationManagerBuilder auth) throws Exception {     auth       .inMemoryAuthentication()         .withUser("user").password("password").roles("USER").and()         .withUser("admin").password("password").roles("USER","ADMIN");     } } 

Second one:

@Override protected void configure(AuthenticationManagerBuilder auth) throws Exception {     auth          .inMemoryAuthentication()               .withUser("user").password("password").roles("USER");  } 

Third one:

public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {     auth          .inMemoryAuthentication()               .withUser("user").password("password").roles("USER"); } 

Fourth:

@Autowired public void configureGlobalSecurity(AuthenticationManagerBuilder auth)     throws Exception {     auth.inMemoryAuthentication().withUser("user").password("user").roles("USER"); } 

UPDATE 1 : One more thing I would like to add:

configure() method is present in WebSecurityConfigurerAdapter class while others are not present.

UPDATE 2:

I renamed the method in my sample project to below and to my surprise it is working and authenticating the users.

you name it anything and it works

@Autowired public void anyMethodName(AuthenticationManagerBuilder auth) throws Exception {             auth.inMemoryAuthentication().withUser("user").password("user").roles("USER");       } 

Answer 1

In fact, you only have 2 different options.

Option 1: using annotations only (it cover your example 1, 3 and 4 - note that you didn't include relevant annotations in your samples)

registerGlobal, configureGlobal, configureGlobalSecurity are exact same way of doing things. You can name the method according your tastes. The only constraints are :

• annotate the method with @Autowired
• the method MUST be in a class annotated with one of the following : @EnableWebSecurity, @EnableWebMvcSecurity, @EnableGlobalMethodSecurity, or @EnableGlobalAuthentication
• (and of course the method have an argument of type AuthenticationManagerBuilder)

(as you can see the name of the method is not important, that is why you found so many different method name when googling for code samples)

Here is an example of how it looks like :

@EnableWebSecurity public class MyConfiguration {      @Autowired     public void whatever(AuthenticationManagerBuilder auth) throws Exception {         auth.inMemoryAuthentication()           .withUser("user").password("password").roles("USER").and()           .withUser("admin").password("password").roles("USER", "ADMIN");     }      ...  } 

Option 2: using annotations + method overriding (it cover your example 2)

Overriding configure is a convenient approach in a subclass of WebSecurityConfigurerAdapter (or any @Configuration class implementing WebSecurityConfigurer) but it have the same effect as the other option.

How to choose the correct approach?

It's only a question of taste/programming-style because both approachs have the same effect.

The first option make sense when you want/need to keep your configuration in a single class, but your @Configuration class already extends some other class (and you don't want to implement the whole WebSecurityConfigurer interface).

---

Let's explain my last point in more details. Spring provides many Adapter classes that you can extends to speed up the development of your Spring configuration.

As an example, let's take a commonly used Adapter : WebMvcConfigurerAdapter. You will start with a very simple configuration like this :

@EnableWebMvc @Configuration @ComponentScan({ "com.company.mypackage" }) public class SpringWebConfig extends WebMvcConfigurerAdapter {  } 

What's important here : your class already extends an Adapter class, so you can't extends another one

Now, you need to add security configuration. You have the choice between including it in your existing SpringWebConfig configuration class or create a new security specific configuration class. Here is a sample of both approaches:

1) Single @Configuration class approach

What's important to note here : SpringWebConfig extends WebMvcConfigurerAdapter + @EnableWebSecurity

@EnableWebMvc @Configuration @ComponentScan({ "com.company.mypackage" }) @EnableWebSecurity public class SpringWebConfig extends WebMvcConfigurerAdapter {      @Autowired     public void whatever(AuthenticationManagerBuilder auth) throws Exception {         auth.inMemoryAuthentication()           .withUser("user").password("password").roles("USER").and()           .withUser("admin").password("password").roles("USER", "ADMIN");     }      } 

2) Specific security @Configuration class

What's important to note here : MySecurityConfig extends WebSecurityConfigurerAdapter

Keep your SpringWebConfig as it was and create a new @Configuration class :

@Configuration @EnableWebSecurity public class MySecurityConfig extends WebSecurityConfigurerAdapter {     @Overide     public void configure(AuthenticationManagerBuilder auth) throws Exception {         auth.inMemoryAuthentication()           .withUser("user").password("password").roles("USER").and()           .withUser("admin").password("password").roles("USER", "ADMIN");     } }