
Security raises StackOverflowError using authenticationManagerBuilder when user has wrong credentials

Open darkman97i opened this issue 2 years ago • 4 comments

**Versions**

  • Spring boot version: 2.7.1
  • Spring security 5.7
  • JDK version: 1.11

I previously opened an issue at https://github.com/spring-projects/spring-boot/issues/31836 and they redirected me here as a possible spring-security bug or a wrong configuration with the authenticationManagerBuilder.

**Describe the bug**

I'm moving from the old authentication style to the new one, based on the article published in the blog, spring-security-without-the-websecurityconfigureradapter. Before adding the issue I looked on Stack Overflow for similar issues, here in closed issues, dead loops, etc., but I have not been able to find anything in the same direction.

Everything goes fine, except when I enter bad credentials; then the application seems to go into a loop until a java.lang.StackOverflowError: null is raised (here the full stack trace: error.txt).

**To Reproduce**

I have created sample code at https://github.com/darkman97i/spring-security-test (in the sample I'm using two providers, in-memory and JDBC. I also included an H2 database with user credentials for a quick test).

Thanks for your time

darkman97i · Jul 21 '22 17:07

Thanks for the report @darkman97i, this might be a duplicate of https://github.com/spring-projects/spring-security/issues/11088.

It should be confirmed as soon as someone from the team picks this up to analyze.

marcusdacoregio · Jul 21 '22 18:07

Any news about this matter?

Would it be possible to share a documentation link or a sample showing how to register several authentication providers? Using an XML definition file it works without problems; I share a sample here:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd
                                 http://activemq.apache.org/schema/core
                                 http://activemq.apache.org/schema/core/activemq-core.xsd">

  <!-- Security delegated to classes -->
  <!-- Providers are consulted in declaration order: in-memory first, then JDBC -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:password-encoder hash="bcrypt"/>
      <security:user-service>
        <security:user name="okmAdmin" password="$2a$10$Bdtf491GqHtM1P63G/jWIOgKWEAcrxLmhxVJbRSX93fOJA1Pzu5ae" authorities="ROLE_ADMIN" />
      </security:user-service>
    </security:authentication-provider>
    <security:authentication-provider>
      <security:password-encoder hash="bcrypt"/>
      <!-- Columns expected: username, password, enabled / username, authority -->
      <security:jdbc-user-service
        data-source-ref="dataSource"
        users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
        authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
    </security:authentication-provider>
  </security:authentication-manager>

</beans:beans>
```

But doing the same in code is a headache. Could you please point me to some documentation or a sample that really explains how to do the same in code? Thanks for your time.

darkman97i · Aug 04 '22 07:08

You can expose the AuthenticationManager yourself:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.JdbcUserDetailsManager;

@Bean
AuthenticationManager apiAuthenticationManager(InMemoryUserDetailsManager users, JdbcUserDetailsManager jdbcUsers) {
    // One DaoAuthenticationProvider per user store; ProviderManager tries them in order
    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    provider.setUserDetailsService(users);
    DaoAuthenticationProvider jdbcProvider = new DaoAuthenticationProvider();
    jdbcProvider.setUserDetailsService(jdbcUsers);
    return new ProviderManager(provider, jdbcProvider);
}
```

marcusdacoregio · Sep 01 '22 18:09
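Putting the answer above together with the XML configuration posted earlier gives a complete Java configuration with the same two providers and the same bcrypt encoding. This is an added example, not code from the issue, from the reporter's sample repository or from Spring Security itself; the package name is made up, and the `DataSource` is assumed to be auto-configured by Spring Boot (the H2 database mentioned in the report).

```java
package com.example.security; // assumed package name, not from the issue

import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiProviderSecurityConfig {

    // Same encoding the XML declared with <security:password-encoder hash="bcrypt"/>.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Equivalent of <security:user-service>: one in-memory admin with the pre-hashed password.
    @Bean
    InMemoryUserDetailsManager inMemoryUsers() {
        return new InMemoryUserDetailsManager(
                User.withUsername("okmAdmin")
                        .password("$2a$10$Bdtf491GqHtM1P63G/jWIOgKWEAcrxLmhxVJbRSX93fOJA1Pzu5ae")
                        .authorities("ROLE_ADMIN")
                        .build());
    }

    // Equivalent of <security:jdbc-user-service> with the same two queries.
    // Assumption: the DataSource bean comes from Spring Boot auto-configuration.
    @Bean
    JdbcUserDetailsManager jdbcUsers(DataSource dataSource) {
        JdbcUserDetailsManager users = new JdbcUserDetailsManager(dataSource);
        users.setUsersByUsernameQuery(
                "select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'");
        users.setAuthoritiesByUsernameQuery(
                "select ur_user, ur_role from OKM_USER_ROLE where ur_user=?");
        return users;
    }

    // Equivalent of <security:authentication-manager>: a ProviderManager over two
    // DaoAuthenticationProviders. No parent manager is set, so a failed login ends here
    // with the last provider's exception instead of being delegated any further.
    @Bean
    AuthenticationManager authenticationManager(InMemoryUserDetailsManager inMemoryUsers,
                                                JdbcUserDetailsManager jdbcUsers,
                                                PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider inMemoryProvider = new DaoAuthenticationProvider();
        inMemoryProvider.setUserDetailsService(inMemoryUsers);
        inMemoryProvider.setPasswordEncoder(passwordEncoder);

        DaoAuthenticationProvider jdbcProvider = new DaoAuthenticationProvider();
        jdbcProvider.setUserDetailsService(jdbcUsers);
        jdbcProvider.setPasswordEncoder(passwordEncoder);

        // Providers are tried in order. A user unknown to the in-memory store fails there with
        // BadCredentialsException (user-not-found is hidden by default), which ProviderManager
        // treats as "try the next provider", so JDBC-only users still authenticate.
        return new ProviderManager(inMemoryProvider, jdbcProvider);
    }

    // Hand the manager to the filter chain directly instead of going through
    // AuthenticationManagerBuilder.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            AuthenticationManager authenticationManager) throws Exception {
        http
                .authenticationManager(authenticationManager)
                .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults())
                .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Two points worth checking when adapting this: the bcrypt hash is stored without a `{bcrypt}` prefix because the providers are given an explicit `BCryptPasswordEncoder` rather than the delegating encoder, and the JDBC query must return the columns in the order `JdbcDaoImpl` expects (username, password, enabled), which the XML query already does with its literal `1` as the enabled flag.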

@marcusdacoregio Thanks a lot for your time. I will test.

darkman97i · Sep 02 '22 11:09

@marcusdacoregio Sorry for my late reply. It worked perfectly, thanks for your help. In the spring-boot issue I have written a full sample based on your recommendations: https://github.com/spring-projects/spring-boot/issues/31836

As far as I'm concerned you can close the issue.

darkman97i · Nov 23 '22 18:11