Spring AuthenticationManager and circular dependency

Question

I am in a situation were I need two login mechanisms for a single endpoint.
I have applied the suggestion from Using multiple WebSecurityConfigurerAdapter in spring boot and have now ran into an issue wit the AuthenticationManager.

The AuthenticationManager lives in the WebSecurityConfigurerAdapter and is needed in the implementation of the ServiceWebSecurityConfigurer. However the ServiceWebSecurityConfigurer is used in the implementation of the WebSecurityConfigurerAdapter making a circular dependency.

@Configuration
@EnableWebSecurity
public class UnitedSecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Autowired
  private List<ServiceWebSecurityConfigurer> serviceWebSecurityConfigurers;

  @Override
  public void configure(HttpSecurity http) {
    serviceWebSecurityConfigurers.forEach(configurer -> configure.config(http));
  }

  @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
  @Override
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }
}

@Configuration
public class SecurityConfiguration implements ServiceWebSecurityConfigurer {
  @Autowired
  private AuthenticationManager authenticationManager;

  @Bean
  public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter() throws Exception {
    SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter = new SAMLWebSSOHoKProcessingFilter();

  // AuthenticationManager needed here
    samlWebSSOHoKProcessingFilter.setAuthenticationManager(authenticationManager);
    
    return samlWebSSOHoKProcessingFilter;
  }
}

How can I get out of this situation?

Why are you specifying an override that does nothing obvious? — chrylis -cautiouslyoptimistic-, Jan 20 '21 at 11:07
The override of authenticationManagerBean() is because AuthenticationManager is not a bean - hence the @Bean annotation — homaxto, Jan 20 '21 at 11:31
If you're using the latest Spring, the need for `@Autowired` fields on configuration classes has been removed, and I suggest you take it out. That said, have you tried using `@Lazy` on either `serviceWebSecurityConfigurers` or `authenticationManager`? — chrylis -cautiouslyoptimistic-, Jan 20 '21 at 11:43
I did not know @Lazy - this was the trick. If you add an answer I will accept it :-) Thanks a lot. — homaxto, Jan 20 '21 at 15:58

score 2 · Accepted Answer · answered Jan 20 '21 at 22:59

To very simply address your most pressing issue, make one of the references @Lazy; this tells Spring to use a lazy proxy, which can resolve circularity problems. I strongly recommend doing it this way:

@Bean
public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter(
  @Lazy AuthenticationManager authenticationManager // use parameters instead of fields
) { ... } // don't use unnecessary throws clauses

Spring AuthenticationManager and circular dependency

1 Answers1