One of the complexities with parsing the namespace is that it is necessary to render the authentication providers created by the <http> block with the single AuthenticationManager instance that is used. This makes it difficult to satisfy requests like that in
SEC-1095, which wish to use a separately defined AuthenticationManager from a parent context. It also makes it difficult to allow multiple <http> blocks, which we are moving towards as an option by removing the use of globally unique bean names for filters etc.
It should be possible for all the beans registered by the <http> block to use an internal AuthenticationManager instance which ultimately delegates to the "parent" instance which contains the real providers which the user registers. One way to achieve this would be by introducing the concept of a parent in ProviderManager. The internal instance would also probably be responsible for concurrent session checking.