Bug

Infinite recursion in WebSecurityConfigurerAdapter.java. Refer to the PR where this issue and its solution are committed.

To Reproduce

1. Implement JWT Token with the longest expiration time. Then did some changes in both implementations of WebSecurityConfigurerAdapter. (NOTE: I have two implementations of WebSecurityConfigurerAdapter.)
2. Those changes made in the code lead to a state such that UserDetailsService (interface) is autowired with UserDetailsServiceDelegator (inner class of WebSecurityConfigurerAdapter).
3. Used the JWT token generated in step 1 to GET data from the secure endpoint (i.e. /helloworld).
4. The JWT filter will perform this action: userDetailsService.loadUserByUsername(username). (ISSUE: infinite recursion loop in the method userDetailsService.loadUserByUsername when userDetailsService is an instance of UserDetailsServiceDelegator.)
5. I am not able to simulate the 2nd step right now; UserDetailsService (interface) is autowiring with InMemoryUserDetailsManager, which it actually should in a positive case. Not sure how I managed to get into the 2nd step's state earlier.

Refer to the image below for the classes mentioned above.

[Image: Spring Security Infinite recursion in WebSecurityConfigurerAdapter.java]

NOTE: I did not get an issue with AuthenticationManagerDelegator.authenticate(), but by looking at the code it is clearly visible that it suffers from the same infinite recursion loop when this == this.delegate (refer to the code change I have proposed or look at the source code).

Expected behavior

Instead of going into infinite recursion, it should follow the positive flow or should throw an exception (which I have suggested as a solution in the PR; I am throwing IllegalStateException). Code MUST NOT go into infinite recursion (i.e. stack overflow state).
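The failure mode reported above, reduced to plain Java as an added example (not code from Spring Security, the reporter's PR, or the reporter's repository). `UserLookup`, `LazyDelegator` and `selfWired` are hypothetical stand-ins, and the `guarded` flag toggles a fail-fast `IllegalStateException` check of the kind the report proposes for the `this == this.delegate` case.

```java
import java.util.function.Supplier;
public class DelegatorSelfReferenceDemo {
    // Hypothetical stand-in for the UserDetailsService contract.
    interface UserLookup {
        String loadUserByUsername(String username);
    }
    // Hypothetical lazy delegator: resolves its target on first use, the way
    // a delegator would look a bean up in the application context.
    static final class LazyDelegator implements UserLookup {
        private final Supplier<UserLookup> resolver;
        private final boolean guarded;
        private UserLookup delegate;
        LazyDelegator(Supplier<UserLookup> resolver, boolean guarded) {
            this.resolver = resolver;
            this.guarded = guarded;
        }
        @Override
        public String loadUserByUsername(String username) {
            if (delegate == null) {
                delegate = resolver.get();
            }
            // Fail fast: a delegate that is this same object can never return.
            if (guarded && delegate == this) {
                throw new IllegalStateException("delegate resolved to the delegator itself");
            }
            return delegate.loadUserByUsername(username);
        }
    }

    // Constructed miswiring: the resolver hands the delegator back to itself.
    static UserLookup selfWired(boolean guarded) {
        UserLookup[] self = new UserLookup[1];
        self[0] = new LazyDelegator(() -> self[0], guarded);
        return self[0];
    }

    public static void main(String[] args) {
        try {
            selfWired(false).loadUserByUsername("alice");
        } catch (StackOverflowError e) {
            System.out.println("unguarded: StackOverflowError");
        }
        try {
            selfWired(true).loadUserByUsername("alice");
        } catch (IllegalStateException e) {
            System.out.println("guarded: " + e.getMessage());
        }
        UserLookup real = name -> "user:" + name; // constructed correct wiring
        System.out.println(new LazyDelegator(() -> real, true).loadUserByUsername("alice"));
    }
}
```

With the guard, the miswired case surfaces as a single exception naming the wiring problem, while the correctly wired delegator behaves as before.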

Comment From: marcusdacoregio

Hi @Milan-Toliya, I could not simulate the issue here since there is a lot of unknown stuff going on.

I did research on the repository's issues and did not find anything related. We really need a minimal, reproducible sample so we can make sure that this is a problem with Spring Security and not with the application setup. Are you able to isolate the issue?

Thank you.

Comment From: Milan-Toliya

Hi @marcusdacoregio

I am able to simulate the issue of infinite recursion for the authentication method instead of the loadUserByUsername method.

I will share the code here so you can have a look.

Comment From: Milan-Toliya

Hi @marcusdacoregio,

Apologies for the late reply.

As per the earlier discussion, what I am able to reproduce is the authentication method infinite recursion instead of the loadUserByUsername method infinite recursion.

I have uploaded the code to my GitHub repository. Focus only on the package com.demo.springboot.config.

Note: I have figured out the issue and fixed it in the actual project. The above project is just for reference for the fix of https://github.com/spring-projects/spring-security/pull/11071

Thanks.

Comment From: marcusdacoregio

Hi @Milan-Toliya, I took a look at your repository but there is a lot going on. Also, there are no steps to reproduce the issue so it became hard for me to figure out what is happening.

In order to be able to simulate the problem, we really need a minimal, reproducible sample with tests or steps to reproduce the issue.

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: marcusdacoregio

Closing in favor of https://github.com/spring-projects/spring-security/issues/12343