I'm using Spring Boot 2.7.12 and Spring Security 5.8.3
(I did test with Spring Boot 3.1.0, and I am facing the same issue)
Describe the bug
I encounter a StackOverflowError exception when trying to access the /filter endpoint.
> curl localhost:8080/me -H "X-User: A"
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Filter execution threw an exception</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>javax.servlet.ServletException: Filter execution threw an exception
org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
</pre><p><b>Root Cause</b></p><pre>java.lang.StackOverflowError
java.base/java.lang.Exception.<init>(Exception.java:103)
java.base/java.lang.ReflectiveOperationException.<init>(ReflectiveOperationException.java:90)
java.base/java.lang.reflect.InvocationTargetException.<init>(InvocationTargetException.java:67)
jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.base/java.lang.reflect.Method.invoke(Method.java:568)
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
jdk.proxy5/jdk.proxy5.$Proxy70.authenticate(Unknown Source)
jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.base/java.lang.reflect.Method.invoke(Method.java:568)
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
jdk.proxy5/jdk.proxy5.$Proxy70.authenticate(Unknown Source)
jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.base/java.lang.reflect.Method.invoke(Method.java:568)
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
jdk.proxy5/jdk.proxy5.$Proxy70.authenticate(Unknown Source)
jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.base/java.lang.reflect.Method.invoke(Method.java:568)
// omitted
To Reproduce
I have the following configuration
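import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@EnableWebSecurity(debug = true)
@Configuration
public class WebSecurityConfig {

    /**
     * This allows us to get an instance of the {@code AuthenticationManager} so to inject into {@code RequestHeaderAuthenticationFilter}
     */
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter(AuthenticationManager authenticationManager) {
        RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter = new RequestHeaderAuthenticationFilter();
        requestHeaderAuthenticationFilter.setPrincipalRequestHeader("X-User");
        requestHeaderAuthenticationFilter.setExceptionIfHeaderMissing(true);
        requestHeaderAuthenticationFilter.setAuthenticationManager(authenticationManager);
        return requestHeaderAuthenticationFilter;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
        return http
                .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
                .addFilter(requestHeaderAuthenticationFilter(authenticationManager))
                .build();
    }
}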
And a simple controller endpoint
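import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class FilterController {

    @GetMapping("/filter")
    public String filter() {
        return "filter";
    }
}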
Expected behavior
The request should be processed, thus returning filter as the response.
Sample
You can find the reproducer over at spring-security-stackoverflow-error
Comment From: marcusdacoregio
Hi @bwgjoseph, this issue is probably related to the way you are exposing the AuthenticationManager, see this answer for more details.
If you believe this is a different problem, we can reopen this issue.
See: https://github.com/spring-projects/spring-security/issues/12343