Exception when declaring multiple AuthenticationManager beans

[ibaskine]

Describe the bug
After upgrading to Spring Security 5.4.1 my web application throws the following exception:

org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type 'org.springframework.security.authentication.AuthenticationManager' available: expected single matching bean but found 4: org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0,org.springframework.security.authentication.ProviderManager#0,org.springframework.security.authenticationManager,stdProviderManager at org.springframework.beans.factory.config.DependencyDescriptor.resolveNotUnique(DependencyDescriptor.java:220) at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1345) at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1287) at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:714)

I traced the problem to a new class org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration. As this class annotated with @configuration Spring tries to create corresponding bean definition and to autowire AuthenticationManager to it. As my application has multiple AuthenticationManager beans this attempt fails.

My application doesn't need HttpSecurityConfiguration bean, but I could not filter it out from component scab as the class if of package level so I cannot add reference to it to filter annotation.

To Reproduce
Add a second AuthenticatioManager to any Web Application using Spring Security.

Expected behavior
As a minimum there shall be a way of excluding HttpSecurityConfiguration from component scan

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.

[eleftherias]

Thanks @ibaskine.

Which version are you upgrading from?

Could you share your security configuration and the full stack trace?

[ibaskine]

@eleftherias Thank you for taking look at it. I am upgrading from 5.3.4.RELEASE.

My security configuration is pretty complicated as our application supports multiple authentication modes and allows customers to configure a subset of authentication modes for their particular deployment. The configuration consists of more then ten XML files and bunch of Java code. I'll try to prepare simple reproduction example when I have a minute. Now we are at the end of release cycle so I am pretty busy. But I think you can easily reproduce it by adding additional AuthenticatioManager bean to your configuration. I am not sure you can do it easily with programmatic configuration but it pretty straightforward in XML configuration.

I believe that qualifying reference as @jcihocki suggested shall fix it. Another option can be to make HttpSecurityConfiguration public to make it possible to filter it out from component scan.

I also believe that there is a bug in core Spring framework. It shall not throw exception if it failed to autowire property annotated with @Autowired(required = false). It's up to you to log an issue if you think it's true.

[ystefanyshyn]

Hi, I'm facing exact same problem.

Minimal example to show problem can be found : https://github.com/ystefanyshyn/auth_manager_problem
It's a simple spring boot application with 2 custom AuthenticationManager.

Startup logs:

2020-12-24 15:59:31.425 WARN 15743 --- [ main] o.s.s.c.a.web.builders.WebSecurity :

---

********** Security debugging is enabled. *************
********** This may include sensitive information. *************
********** Do not use in a production system! *************

---

2020-12-24 15:59:31.431 WARN 15743 --- [ main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration': Unsatisfied dependency expressed through method 'setAuthenticationManager' parameter 0; nested exception is org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type 'org.springframework.security.authentication.AuthenticationManager' available: expected single matching bean but found 2: authManager1,authManager2
2020-12-24 15:59:31.435 INFO 15743 --- [ main] o.apache.catalina.core.StandardService : Stopping service [Tomcat]
2020-12-24 15:59:31.451 INFO 15743 --- [ main] ConditionEvaluationReportLoggingListener :

Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2020-12-24 15:59:31.468 ERROR 15743 --- [ main] o.s.b.d.LoggingFailureAnalysisReporter :

---

APPLICATION FAILED TO START

---

Description:

Parameter 0 of method setAuthenticationManager in org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration required a single bean, but 2 were found:

• authManager1: defined by method 'authenticationManager1' in class path resource [com/example/auth_manager_problem/SecurityConfig.class]
• authManager2: defined by method 'authenticationManager2' in class path resource [com/example/auth_manager_problem/SecurityConfig.class]

Hope it will help

[ibaskine]

@eleftherias Is it possible to expedite this defect? The version we are using now is failing OIDC certification so we need to upgrade pretty urgently.

[eleftherias]

Thanks for the sample @ystefanyshyn!
I'm taking a look at this now.