SEC-2515: Stackoverflow with @Bean AuthenticationManager

[spring-projects-issues]

Dave Syer (Migrated from SEC-2515) said:

This comes from an invalid configuration that tries to expose the AuthenticationManager as a Bean when no authentication has been configured. For example:

@EnableWebSecurity
@Configuration
public class StackOverflowSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean()
            throws Exception {
        return super.authenticationManagerBean();
    }
}

The stacktrace when trying to authenticate is this:

Exception in thread "http-nio-8080-exec-1" java.lang.StackOverflowError
    at ch.qos.logback.classic.Logger.isDebugEnabled(Logger.java:490)
    at ch.qos.logback.classic.Logger.isDebugEnabled(Logger.java:486)
    at org.apache.commons.logging.impl.SLF4JLocationAwareLog.isDebugEnabled(SLF4JLocationAwareLog.java:67)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:144)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:421)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:421)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:421)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:421)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:421)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:421)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:421)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:421)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:421)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)

...

Here's an example project: https://github.com/scratches/sparklr-boot/tree/feature/password

We should provide a better error message when this is misconfigured.

[idallas456]

I'm currently seeing this issue. Can someone please help me understand what the correct way to configure this is? I don't understand why this is an invalid configuration and the whole "no authentication has been configured" part.

[gsugambit]

Can someone answer @idallas456 ???

[gsugambit]

@idallas456 if you never found the answer, it's here on this stack overflow
https://stackoverflow.com/questions/21633555/how-to-inject-authenticationmanager-using-java-configuration-in-a-custom-filter

The problem was it should be: @bean(name = BeanIds.AUTHENTICATION_MANAGER)