Lately, I was studying Spring Security's AuthenticationProvider.
In the authenticate() method the docs say, "May return null if the AuthenticationProvider is unable to support authentication of the passed Authentication object. In such a case, the next AuthenticationProvider that supports the presented Authentication class will be tried."
We have another method, supports(), that indicates whether this provider supports the type of authentication or not.
As far as I know, "AuthenticationManager" first calls supports() to check if the provider supports this type or not. Then the authenticate() method is called. So, from my understanding, authenticate() is only called when the provider supports it.
So, my question is: if the provider supports this type of auth, then why should it return null from authenticate()? And why do the docs say "May return null if the AuthenticationProvider is unable to support authentication of the passed Authentication object"? Should it not always support it? (Because we checked its compatibility via supports().)
Can you give an example where the provider needs to return null?
Thanks in advance.
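
One case that fits the question, as an added example that is not part of the original post and not Spring Security's own code: supports() receives only the token class, so a provider can accept UsernamePasswordAuthenticationToken in general and still find, once it sees the username inside authenticate(), that the account belongs to another provider. The class name PartnerRealmAuthenticationProvider and the "@partner.example" suffix are hypothetical.

```java
import java.util.Locale;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PartnerRealmAuthenticationProvider implements AuthenticationProvider {
    private static final String REALM_SUFFIX = "@partner.example"; // assumed realm marker
    private final UserDetailsService partnerUsers;
    private final PasswordEncoder encoder;

    public PartnerRealmAuthenticationProvider(UserDetailsService partnerUsers, PasswordEncoder encoder) {
        this.partnerUsers = partnerUsers;
        this.encoder = encoder;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only the token *class* is visible here, not the username inside it.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (name == null || !name.toLowerCase(Locale.ROOT).endsWith(REALM_SUFFIX)) {
            return null; // right token type, but not our realm: make no decision
        }
        if (credentials == null) throw new BadCredentialsException("Bad credentials");
        try {
            UserDetails user = partnerUsers.loadUserByUsername(name);
            if (!encoder.matches(credentials.toString(), user.getPassword())) {
                throw new BadCredentialsException("Bad credentials"); // ours, and rejected
            }
            return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        } catch (UsernameNotFoundException e) {
            // Same message as a wrong password, so callers cannot tell which accounts exist.
            throw new BadCredentialsException("Bad credentials");
        }
    }
}
```

Returning null here means "no opinion on this token", which is different from throwing BadCredentialsException, which means this provider examined the credentials and rejected them.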