Describe the bug After upgrading to Spring Security 5.4.1 my web application throws the following exception:
org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type 'org.springframework.security.authentication.AuthenticationManager' available: expected single matching bean but found 4: org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0,org.springframework.security.authentication.ProviderManager#0,org.springframework.security.authenticationManager,stdProviderManager at org.springframework.beans.factory.config.DependencyDescriptor.resolveNotUnique(DependencyDescriptor.java:220) at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1345) at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1287) at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:714)
I traced the problem to a new class org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration. As this class annotated with @Configuration Spring tries to create corresponding bean definition and to autowire AuthenticationManager to it. As my application has multiple AuthenticationManager beans this attempt fails.
My application doesn't need HttpSecurityConfiguration bean, but I could not filter it out from component scab as the class if of package level so I cannot add reference to it to filter annotation.
To Reproduce Add a second AuthenticatioManager to any Web Application using Spring Security.
Expected behavior As a minimum there shall be a way of excluding HttpSecurityConfiguration from component scan
Sample
A link to a GitHub repository with a minimal, reproducible sample.
Reports that include a sample will take priority over reports that do not. At times, we may require a sample, so it is good to try and include a sample up front.
Comment From: eleftherias
Thanks @ibaskine.
Which version are you upgrading from?
Could you share your security configuration and the full stack trace?
Comment From: ibaskine
@eleftherias Thank you for taking look at it. I am upgrading from 5.3.4.RELEASE.
My security configuration is pretty complicated as our application supports multiple authentication modes and allows customers to configure a subset of authentication modes for their particular deployment. The configuration consists of more then ten XML files and bunch of Java code. I'll try to prepare simple reproduction example when I have a minute. Now we are at the end of release cycle so I am pretty busy. But I think you can easily reproduce it by adding additional AuthenticatioManager bean to your configuration. I am not sure you can do it easily with programmatic configuration but it pretty straightforward in XML configuration.
I believe that qualifying reference as @jcihocki suggested shall fix it. Another option can be to make HttpSecurityConfiguration public to make it possible to filter it out from component scan.
I also believe that there is a bug in core Spring framework. It shall not throw exception if it failed to autowire property annotated with @Autowired(required = false). It's up to you to log an issue if you think it's true.
Comment From: ystefanyshyn
Hi, I'm facing exact same problem.
Minimal example to show problem can be found : https://github.com/ystefanyshyn/auth_manager_problem It's a simple spring boot application with 2 custom AuthenticationManager.
Startup logs:
2020-12-24 15:59:31.425 WARN 15743 --- [ main] o.s.s.c.a.web.builders.WebSecurity :
* Security debugging is enabled. * * This may include sensitive information. *** * Do not use in a production system! **
2020-12-24 15:59:31.431 WARN 15743 --- [ main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration': Unsatisfied dependency expressed through method 'setAuthenticationManager' parameter 0; nested exception is org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type 'org.springframework.security.authentication.AuthenticationManager' available: expected single matching bean but found 2: authManager1,authManager2 2020-12-24 15:59:31.435 INFO 15743 --- [ main] o.apache.catalina.core.StandardService : Stopping service [Tomcat] 2020-12-24 15:59:31.451 INFO 15743 --- [ main] ConditionEvaluationReportLoggingListener :
Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled. 2020-12-24 15:59:31.468 ERROR 15743 --- [ main] o.s.b.d.LoggingFailureAnalysisReporter :
APPLICATION FAILED TO START
Description:
Parameter 0 of method setAuthenticationManager in org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration required a single bean, but 2 were found: - authManager1: defined by method 'authenticationManager1' in class path resource [com/example/auth_manager_problem/SecurityConfig.class] - authManager2: defined by method 'authenticationManager2' in class path resource [com/example/auth_manager_problem/SecurityConfig.class]
Hope it will help
Comment From: ibaskine
@eleftherias Is it possible to expedite this defect? The version we are using now is failing OIDC certification so we need to upgrade pretty urgently.
Comment From: eleftherias
Thanks for the sample @ystefanyshyn! I'm taking a look at this now.
Comment From: eleftherias
@ystefanyshyn @ibaskine This is fixed in 5.5.0-M2 and backported to 5.4.3 via #9332.
Comment From: ibaskine
@eleftherias Thank you very much!
Comment From: ystefanyshyn
@eleftherias thanks