I have configured spring security using:
@Import(SecurityProblemSupport.class)
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private RestAuthenticationProvider authenticationProvider;
@Autowired
private CustomUserDetailService customUserDetailService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
auth.userDetailsService(customUserDetailService);
super.configure(auth);
}
Everything work as expected. The Rest authentication provider is a Component which implements AuthenticationProvider:
@Component
public class RestAuthenticationProvider implements AuthenticationProvider {
The problem is that, if I ADD in the classpath another @Component which extends AbstractUserDetailAuthenticationProvider, the RestAuthenticationProvider is not used anymore; instead spring uses one default provider, using the UserDetailService specified in configuration. There are no other links to this CustomAuthenticationProvider. It's just in the same package. The same thing happens if I use in configuration the CustomProvider but the Rest one is annotated with component and not used anywere else.
@Component // <- if I remove this, everything works fine.
public class CustomUserAuthenticationProvider extends
AbstractUserDetailsAuthenticationProvider {
Using :
```java @ConditionalOnProperty(name = "authprovider", havingValue = "custom") public class CustomUserAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider { ````
on both beans, and injecting one or the other in the config bean an then set it in the configure method, will cause a strange behaviour:
None of them will be registered as providers, causing spring to use a "default" DaoAuthentication provider.
I've also reported this issue on stackoverflow and I've bypassed the problem as stated in the accepted answer:
https://stackoverflow.com/questions/60027878/spring-security-multiple-authenticationproviders/60187088#60187088
Comment From: jzheaux
@GaetanoPiazzolla thanks for the report - the scenario sounds simple enough to recreate, but just to make sure it's clear, would you please create a minimal sample on GitHub that reproduces the issuer? I'll take a look and see what can be done.
Comment From: GaetanoPiazzolla
@GaetanoPiazzolla thanks for the report - the scenario sounds simple enough to recreate, but just to make sure it's clear, would you please create a minimal sample on GitHub that reproduces the issuer? I'll take a look and see what can be done.
@jzheaux Yes! I'll do it this weekend.
Comment From: GaetanoPiazzolla
@jzheaux here it is: https://github.com/GaetanoPiazzolla/spring-security-issue-7977 thank you.
Comment From: jzheaux
@GaetanoPiazzolla is all of the code in that sample necessary to reproduce the issue? I want to make sure we are focusing on the right thing.
For example, if you take out all the JWT support code, for example, does the error still occur? If so, would you mind removing it from the sample? The same goes for anything else in the project that is unnecessary to reproduce the issue.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.