Security raises StackOverflowError using authenticationManagerBuilder when user has wrong credentials #11609

Closed
darkman97i opened this issue Jul 21, 2022 · 5 comments
Labels: for: stackoverflow (A question that's better suited to stackoverflow.com), in: config (An issue in spring-security-config)


darkman97i commented Jul 21, 2022

Versions

  • Spring boot version: 2.7.1
  • Spring security 5.7
  • JDK version: 1.11

I previously added an issue at spring-projects/spring-boot#31836 and they redirected me to a possible spring-security bug or a wrong configuration with the authenticationManagerBuilder.

Describe the bug
I'm moving from the old authentication style to the new authentication style based on the article published in the blog, spring-security-without-the-websecurityconfigureradapter. Before adding the issue I looked on Stack Overflow for similar issues, here in closed issues, for dead loops, etc., but I have not been able to find anything in the same direction.

Everything goes fine, except when I introduce bad credentials; then the application seems to go into a loop until a java.lang.StackOverflowError: null is raised (here is the full error stack trace: error.txt).

To Reproduce
I have created sample code at https://github.com/darkman97i/spring-security-test (in the sample I'm using two providers, in-memory and JDBC; I also included an H2 database with user credentials in it for a quick test).

Thanks for your time

@darkman97i darkman97i added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jul 21, 2022
@marcusdacoregio marcusdacoregio added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 21, 2022
@marcusdacoregio
Contributor

Thanks for the report @darkman97i, this might be a duplicate of #11088.

It should be confirmed as soon as someone from the team picks this up to analyze.

@darkman97i
Author

darkman97i commented Aug 4, 2022

Any news about this matter?

Would it be possible to share a documentation link or a sample showing how to register several authentication providers? Using an XML definition file it works without problems; I share a sample here:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd
                                 http://activemq.apache.org/schema/core
                                 http://activemq.apache.org/schema/core/activemq-core.xsd">

  <!-- Security delegated to classes -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:password-encoder hash="bcrypt"/>
      <security:user-service>
        <security:user name="okmAdmin" password="$2a$10$Bdtf491GqHtM1P63G/jWIOgKWEAcrxLmhxVJbRSX93fOJA1Pzu5ae" authorities="ROLE_ADMIN" />
      </security:user-service>
    </security:authentication-provider>
    <security:authentication-provider>
      <security:password-encoder hash="bcrypt"/>
      <security:jdbc-user-service
        data-source-ref="dataSource"
        users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
        authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
    </security:authentication-provider>
  </security:authentication-manager>  
  
</beans:beans>

But doing the same in code is a headache. Can you please point to some documentation or a sample that really explains how to do the same with code? Thanks for your time.

@marcusdacoregio
Contributor

marcusdacoregio commented Sep 1, 2022

You can expose the AuthenticationManager yourself:

@Bean
AuthenticationManager apiAuthenticationManager(InMemoryUserDetailsManager users, JdbcUserDetailsManager jdbcUsers) {
    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    provider.setUserDetailsService(users);
    DaoAuthenticationProvider jdbcProvider = new DaoAuthenticationProvider();
    jdbcProvider.setUserDetailsService(jdbcUsers);
    return new ProviderManager(provider, jdbcProvider);
}
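
An added example, not part of the original thread or of the Spring Security project's code: a Java configuration that mirrors the XML posted above, including the explicit bcrypt encoder and the two custom JDBC queries. The class name `MultiProviderAuthConfig` and the property `app.security.admin-bcrypt-hash` (holding the stored bcrypt hash of the in-memory user) are hypothetical.

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.JdbcUserDetailsManager;

@Configuration
class MultiProviderAuthConfig { // hypothetical class name

    @Bean
    AuthenticationManager authenticationManager(DataSource dataSource,
            @Value("${app.security.admin-bcrypt-hash}") String adminHash) { // hypothetical property
        // Equivalent of <security:password-encoder hash="bcrypt"/>. The stored hashes are
        // raw "$2a$..." strings with no "{bcrypt}" prefix, which the provider's default
        // delegating encoder rejects, so the encoder is set explicitly.
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();

        // First provider: the in-memory user from <security:user-service>.
        InMemoryUserDetailsManager memoryUsers = new InMemoryUserDetailsManager(
                User.withUsername("okmAdmin").password(adminHash).authorities("ROLE_ADMIN").build());

        // Second provider: <security:jdbc-user-service> with the same two queries.
        JdbcUserDetailsManager jdbcUsers = new JdbcUserDetailsManager(dataSource);
        jdbcUsers.setUsersByUsernameQuery(
                "select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'");
        jdbcUsers.setAuthoritiesByUsernameQuery(
                "select ur_user, ur_role from OKM_USER_ROLE where ur_user=?");

        // Providers are tried in order. This constructor sets no parent manager, so
        // credentials rejected by both providers end in an AuthenticationException.
        return new ProviderManager(provider(memoryUsers, bcrypt), provider(jdbcUsers, bcrypt));
    }

    private static DaoAuthenticationProvider provider(UserDetailsService users, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        return provider;
    }
}
```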

@darkman97i
Author

@marcusdacoregio Thanks a lot for your time. I will test.

@darkman97i
Author

@marcusdacoregio Sorry for my late reply. It worked perfectly, thanks for your help. In the spring-boot issue, I have written a full sample based on your recommendations: spring-projects/spring-boot#31836

For me you can close the issue.

@marcusdacoregio marcusdacoregio added for: stackoverflow A question that's better suited to stackoverflow.com and removed type: bug A general bug labels Nov 23, 2022
@marcusdacoregio marcusdacoregio self-assigned this Nov 23, 2022