Can't use WebSecurityConfigurerAdapter in a custom spring boot starter
I'm trying to create my own spring boot starter for my custom security configuration (LDAP + JWT) by defining a configuration class which extends WebSecurityConfigurerAdapter. However, when I launch my application with this starter I get:
    IllegalStateException: Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.
I found out that it's no longer possible to do that due to this Spring Security issue. There is an assertion in Spring's WebSecurityConfiguration:
I solved this by adding the following to the starter (according to the issue):
    @Bean
    @Order(1) // Explanation for this below
    open fun filterChain(http: HttpSecurity, jwtHelper: JwtHelper): SecurityFilterChain {
        return http.authorizeRequests()
            ...
            .and() // back to HttpSecurity, which declares addFilterBefore() and build()
            .addFilterBefore(JwtAuthenticationFilter(jwtHelper), UsernamePasswordAuthenticationFilter::class.java)
            .build()
    }

    @Bean
    open fun authenticationProvider(ldapConfig: LdapConfig): ActiveDirectoryLdapAuthenticationProvider {
        return ActiveDirectoryLdapAuthenticationProvider(...)
    }
I added @Order(1) because there are two securityFilterChains: mine (defined in the configuration above) and another one from an unknown source. I suppose the latter is the reason why it is impossible to use WebSecurityConfigurerAdapter.
The main problem is that I can't find where that comes from.
Breakpoint from WebSecurityConfiguration ... just in case:
I assume that because of that I can't use @EnableGlobalMethodSecurity(prePostEnabled = true) as well. It says:
    Cannot apply org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$EnableGlobalAuthenticationAutowiredConfigurer to already built object
Here is the list of my dependencies:
- Module with models which is used by the starter (name: my-ldap-security-model):
    dependencies {
        compileOnly 'org.springframework.security:spring-security-core'
        compileOnly 'org.springframework:spring-web'
        compileOnly 'javax.servlet:javax.servlet-api'
        api 'jakarta.xml.bind:jakarta.xml.bind-api'
        api 'org.glassfish.jaxb:jaxb-runtime'
        api 'io.jsonwebtoken:jjwt'
    }
- Module with models which is used by the starter (name: my-ldap-security-spring-boot-starter):
    dependencies {
        compile project(':my-ldap-security-model')
        compileOnly 'javax.servlet:javax.servlet-api'
        api 'org.springframework.security:spring-security-core'
        api 'org.springframework.security:spring-security-config'
        api 'org.springframework.security:spring-security-web'
        api 'org.springframework:spring-web'
        api 'org.springframework.security:spring-security-ldap'
    }
- App project:
    dependencies {
        implementation('org.springframework.boot:spring-boot-starter-web')
        implementation('com.demo.boot:my-ldap-security-spring-boot-starter:0.0.1')
    }
Please, help me find out the root of that filter.
Solution 1:[1]
Initially, the default SecurityFilterChain is disabled if there is any WebSecurityConfigurerAdapter. However, it doesn't work if the priority of the spring security auto-configuration is higher than that of the auto-configuration with your WebSecurityConfigurerAdapter.
Solution: I added @AutoConfigureOrder(Ordered.HIGHEST_PRECEDENCE + 10) above the auto-configuration class. There is no default security filter chain any longer :)
About @EnableGlobalMethodSecurity... It was about caches. Suddenly, it got fixed.
Solution 2:[2]
For googlers
You can't use
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http)...
while extending WebSecurityConfigurerAdapter.
Either choose the one above or only override
    @Override
    protected void configure(HttpSecurity http)
Solution 3:[3]
Take a look at the project structure; there might be a securityFilterChain coming from XML configuration rather than from a class extension: an XML file with an http tag.
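An added example, not part of the question or of any answer above: one way to see where each SecurityFilterChain or WebSecurityConfigurerAdapter bean is declared, whether in an auto-configuration class, your own configuration, or an XML file. The class name SecurityChainOriginReport is hypothetical, and the class is assumed to sit temporarily in a component-scanned package of the app, with SLF4J available for logging.

```kotlin
import org.slf4j.LoggerFactory
import org.springframework.beans.factory.config.BeanFactoryPostProcessor
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.web.SecurityFilterChain
import org.springframework.stereotype.Component

// Hypothetical diagnostic class (not part of the starter). It runs as a
// BeanFactoryPostProcessor: after all bean definitions are registered, but
// before the beans are created, so it reports even when the assertion in
// WebSecurityConfiguration later aborts startup.
@Component
class SecurityChainOriginReport : BeanFactoryPostProcessor {

    private val log = LoggerFactory.getLogger(javaClass)

    override fun postProcessBeanFactory(beanFactory: ConfigurableListableBeanFactory) {
        val types = listOf(SecurityFilterChain::class.java, WebSecurityConfigurerAdapter::class.java)
        for (type in types) {
            // allowEagerInit = false: inspect definitions only, instantiate nothing
            val names = beanFactory.getBeanNamesForType(type, true, false)
            log.info("{} bean(s) of type {}", names.size, type.simpleName)
            names.forEach { log.info("  {}", describe(beanFactory, it)) }
        }
    }

    private fun describe(beanFactory: ConfigurableListableBeanFactory, name: String): String {
        if (!beanFactory.containsBeanDefinition(name)) {
            return "$name: registered programmatically, no bean definition"
        }
        val definition = beanFactory.getBeanDefinition(name)
        // Instance @Bean methods: declaring configuration bean + method name.
        // XML-defined and component-scanned beans: the bean class name.
        val declaredBy = definition.factoryBeanName
            ?.let { "$it#${definition.factoryMethodName}()" }
            ?: definition.beanClassName
        // resourceDescription names the .class or .xml resource the definition was read from
        return "$name: declared by $declaredBy, loaded from ${definition.resourceDescription}"
    }
}
```

Spring Boot declares its fallback chain in a @Bean method named defaultSecurityFilterChain in SpringBootWebSecurityConfiguration, so that name in the output points to the auto-configuration ordering described in Solution 1, while a resource ending in .xml points to the case in Solution 3.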
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Vlad Yurevich |
Solution 2 | Shree Krishna |
Solution 3 | mabreu0 |