The class org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration declares a springSecurityFilterChain bean. The method first verifies if there exist both securityFilterChains and webSecurityConfigurers. If both exist, it throws an IllegalStateException as in the issue title. I have this same problem; I can't figure out how to have one without the other.
I'm using the Keycloak Spring Boot starter that declares both the abstract class KeycloakWebSecurityConfigurerAdapter (a WebSecurityConfigurer) and the annotation @KeycloakConfiguration, which implicitly imports @EnableWebSecurity. With this constellation, there is no way I can get around the thrown error.
And when I see this example below, I wonder how this works, because both a WebSecurityConfigurer is defined and the annotation @EnableWebSecurity is being used.
https://github.com/spring-projects/spring-security/blob/9effebe93475a685b156de364a4704cc95c10124/samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java#L32
Can someone please clarify this for me?
Comment From: jzheaux
@ronadjom, thanks for reaching out.
Spring Security 5.4 adds support for publishing a SecurityFilterChain @Bean; however, there is no clear way to order SecurityFilterChain beans and WebSecurityConfigurerAdapter beans. This is why you need to pick one or the other.
I'm not an expert with the Keycloak Spring Boot Starter, but its maintainers may not have updated it yet to be compatible with Spring Boot 2.4.
I'd be happy to dig into this a bit - can you please provide a minimal GitHub sample that reproduces the issue?
Comment From: ronadjom
Thanks to you @jzheaux for being that quick. I will be reaching out very soon with an example.
Comment From: ronadjom
Hi @jzheaux
I made a test project and security worked there with the Keycloak Boot starter. So I told myself there is definitely a dependency that's injecting the springSecurityChain out of the box in my initial project.
So I debugged and discovered I had a dev-tools dependency which has the configuration RemoteDevtoolsSecurityConfiguration, which injects the security filter chain automatically and which does not support the WebSecurityConfigurer provided by the Keycloak Boot starter.
So I actually solved my issue by removing the dependency on devtools. I'm happy I'm not currently needing devtools, else it would have been a big issue.
Thank you very much for your help with the link.
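A startup diagnostic for the debugging step described in the comment above, as an added example that is not part of the original thread or of Spring Security or Keycloak: it lists every SecurityFilterChain and WebSecurityConfigurer bean definition together with the class or resource that declares it, before any bean is instantiated, so the dependency contributing the unexpected one is visible even when startup then fails. The class name SecurityChainSourceReport and the package are hypothetical; it assumes Spring Security 5.4 or later on the classpath and that the class is picked up by component scanning.

```java
package com.example.diagnostics; // hypothetical package

import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;

/**
 * Added diagnostic (hypothetical name). A BeanFactoryPostProcessor runs after
 * all bean definitions, including auto-configured ones, are registered and
 * before the springSecurityFilterChain bean is created, so the report is
 * printed even if that bean later throws IllegalStateException.
 */
@Component
public class SecurityChainSourceReport implements BeanFactoryPostProcessor {

    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) {
        int chains = report(beanFactory, SecurityFilterChain.class);
        int configurers = report(beanFactory, WebSecurityConfigurer.class);
        if (chains > 0 && configurers > 0) {
            System.err.println("Both styles are present; one of the sources above has to go.");
        }
    }

    /** Prints each matching bean name with its declaring resource; returns the count. */
    private static int report(ConfigurableListableBeanFactory beanFactory, Class<?> type) {
        // allowEagerInit=false: resolve types from bean definitions only,
        // without instantiating anything just to answer the type question.
        String[] names = beanFactory.getBeanNamesForType(type, true, false);
        System.err.printf("%s beans: %d%n", type.getSimpleName(), names.length);
        for (String name : names) {
            // Manually registered singletons have no bean definition to inspect.
            String source = beanFactory.containsBeanDefinition(name)
                    ? beanFactory.getBeanDefinition(name).getResourceDescription()
                    : "(registered without a bean definition)";
            System.err.printf("  %s <- %s%n", name, source);
        }
        return names.length;
    }
}
```

The resource description normally names the configuration class or class file that declares the bean, which is what points at a contributing starter or library.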
Comment From: Monax111
Is there a workaround to make Spring 2.4 work with Keycloak?
Comment From: jzheaux
@Monax111 I think it's best to ask the Keycloak team.
Comment From: krunalshahbeit2006
Any solution found?
Comment From: jzheaux
@krunalshahbeit2006 please see https://github.com/spring-projects/spring-security/issues/9295#issuecomment-793127400
I'm going to close this issue as answered. If someone can demonstrate that this is an issue with Spring Security, please post a minimal sample, and I'd be happy to take a look. Otherwise, StackOverflow is a better forum to get debugging support.