How do I set a custom AuthenticationProvider when using VaadinWebSecurity?

We use a custom authentication and authorisation library and for that to work I always used to set the AuthenticationProvider via the AuthenticationManagerBuilder like so:

    protected void configure(AuthenticationManagerBuilder auth) {
However, now that I upgraded from Vaadin 14 to 23.3 this won't work anymore as I get a nondescript error once I navigate to the application. I therefore decided to use `VaadinWebSecurity` as explained here ( to get it working. But when I extend  `VaadinWebSecurity` I can't set the `AuthenticationProvider` as I did before because there is no `protected void configure(AuthenticationManagerBuilder auth)` to override in  `VaadinWebSecurity`. 
Does anyone know of a different way to set it? Thanks!

You can do something like this:

public class SecurityConfig {

    private CustomAuthenticationProvider authProvider;

    public AuthenticationManager authManager(HttpSecurity http) throws Exception {
        AuthenticationManagerBuilder authenticationManagerBuilder = 

    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {


Basically, you just need to provide a suitable @Bean method that provides you the authentication manager or user details service, Spring Security can take it into use automatically

Thanks to the both of you, I wasn’t aware of those approaches! :slightly_smiling_face:

I am new to Vaadin and have a similar question: is there a good tutorial on how to use da database backed login/authentication instead of using a InMemoryUserDetailsManager?

You can download a project in (with authentication activated) and use the securityconfiguration. It uses by default the database

(Or here for example: actuator-vaadin/src/main/java/com/example/application/security at d1f2981c9acb78f902d2082ad60e2fa730e5d76e · jcgueriaud1/actuator-vaadin · GitHub)

If you don’t configure the userService in the SecurityConfiguration, it will look for a bean that implements UserDetailsService like this:

It’s a bit magic (i.e. the code inside spring security is awfully complex :smiling_face_with_tear: )

Thank you for the fast response! I downloaded a start.vaadin-project and had a look on it: i think it is what i was looking for. Thank you!