From the AuthenticationManager
's perspective, the AnonymousAuthenticationToken
which is created by then filter is already authenticated (the isAuthenticated
property is true
), so it doesn't try to authenticate it. Hence your provider is not called.
The simplest option would be to customize the AnonymousAuthenticationFilter
to use the authorities from your database directly.