Skip to content

Fix Infinite recursion WebSecurityConfigurerAdapter.java #11071

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 4 commits into from
Closed

Fix Infinite recursion WebSecurityConfigurerAdapter.java #11071

wants to merge 4 commits into from

Conversation

Milan-Toliya
Copy link

Fixed Infinite recursion issue during authenticate and loadUserByUsername method execution.

@Milan-Toliya
Fix Infinite recursion WebSecurityConfigurerAdapter.java
d7fefb7 
Fixed Infinite recursion issue during authenticate and loadUserByUsername method execution.
@pivotal-cla
Copy link

@Milan-Toliya Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 7, 2022
@pivotal-cla
Copy link

@Milan-Toliya Thank you for signing the Contributor License Agreement!

@marcusdacoregio
Copy link
Contributor

Hi @Milan-Toliya, thanks for contributing to Spring Security. Have you opened an issue before working on the code changes?

Can you help me understand what this PR fixes and what is the use case?

@marcusdacoregio marcusdacoregio added status: waiting-for-feedback We need additional information before we can continue status: waiting-for-triage An issue we've not yet triaged and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 7, 2022
@marcusdacoregio marcusdacoregio self-assigned this Apr 7, 2022
@Milan-Toliya
Copy link
Author

Hi @marcusdacoregio I did not open an issue before submitting this patch.

With respect to Use case, I was trying to implement security filter in the web app. I Implemented WebSecurityConfigurerAdapter and used InMemoryUserDetailsManager to store user details.

I did Implemented WebSecurityConfigurerAdapter twice in the same project. It was causing issue in boot up, I fixed that by adding @Order(0) in one class. Now It was time to test /authenticate API. During testing of authentication end point it was going in infinite recursion which is not acceptable in any use case.

I have eliminated Infinite recursion by throwing an Exception when this == this.delegate.

I may have missed important details to share here as I'm new to the spring community. Please Let me know if more details required.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Apr 7, 2022
@marcusdacoregio
Copy link
Contributor

Thanks @Milan-Toliya.

Are you able to create a minimal, reproducible example so I can simulate your scenario here? There are many constraints in your use case that I'd like to verify before moving on with the PR.

It'd also be great if you could open an issue and add the example and all other details there.

@marcusdacoregio marcusdacoregio added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Apr 7, 2022
@Milan-Toliya
Copy link
Author

Milan-Toliya commented Apr 8, 2022
edited
Loading

Hi @marcusdacoregio

I tried to reproduce but had no luck. I will share the code once I am able to reproduce it.

Steps to reproduce:

  1. Implement JWT Token with the longest expiration time. Then did some changes in both implementations of WebSecurityConfigurerAdapter. (NOTE: I have two Implementation of WebSecurityConfigurerAdapter)
  2. Those changes made in code lead to a state such that, UserDetailsService(Interface) is auto wired with UserDetailsServiceDelegator (Inner class of the WebSecurityConfigurerAdapter)
  3. Used JWT token generated in step 1 to GET data from the secure END (i.e. /helloworld)
  4. JWT Filter will perform this action userDetailsService.loadUserByUsername(username) (ISSUE Infinite recursion loop in the method userDetailsService.loadUserByUsername when userDetailsService is instance of UserDetailsServiceDelegator)
  5. I am not able to simulate the 2nd step right now UserDetailsService(Interface) is auto wiring with InMemoryUserDetailsManager which it actually should in a positive case. Not sure how I managed to get in 2nd step's state earlier.

Refer Below Image for classes mention above.
image

NOTE: I did not get an issue with AuthenticationManagerDelegator.authenticate() but By looking at the code it clearly visible that it suffers from the same infinite recursion loop when this == this.delegate (refer to the code change I have proposed or look at the source code )

Thanks.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Apr 8, 2022
@Milan-Toliya Milan-Toliya mentioned this pull request Apr 9, 2022
Closed
@Milan-Toliya
Copy link
Author

Hi @Milan-Toliya, thanks for contributing to Spring Security. Have you opened an issue before working on the code changes?

Can you help me understand what this PR fixes and what is the use case?

Hi, @marcusdacoregio I have opened an issue for this PR.
#11088

marcusdacoregio
marcusdacoregio suggested changes May 9, 2022
View reviewed changes
Copy link
Contributor

@marcusdacoregio marcusdacoregio left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Milan-Toliya, while we cannot simulate the root problem that is happening, this was brought to the team's attention and we think that your changes make sense since it's "cheaper" to throw an IllegalStateException than waiting for the StackOverflowError to happen.

If users have configured things in an unsupported way, throwing an IllegalStateException feels like an improvement from an error handling perspective.

Did you try adding any tests?

@marcusdacoregio marcusdacoregio added type: enhancement A general enhancement in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels May 9, 2022
Milan-Toliya and others added 3 commits May 12, 2022 11:21
@Milan-Toliya @marcusdacoregio
Update config/src/main/java/org/springframework/security/config/annot…
35352c8 
…ation/web/configuration/WebSecurityConfigurerAdapter.java

Co-authored-by: Marcus Hert Da Coregio <[email protected]>
@Milan-Toliya @marcusdacoregio
Update config/src/main/java/org/springframework/security/config/annot…
5c1c1ef 
…ation/web/configuration/WebSecurityConfigurerAdapter.java

Co-authored-by: Marcus Hert Da Coregio <[email protected]>
@Milan-Toliya
Update WebSecurityConfigurerAdapter.java
1d04305 
Corrected message
@marcusdacoregio marcusdacoregio mentioned this pull request Dec 5, 2022
Closed
@marcusdacoregio marcusdacoregio added the status: declined A suggestion or change that we don't feel we should currently apply label Dec 16, 2022
@marcusdacoregio
Copy link
Contributor

Closing in favor of #12343

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcusdacoregio marcusdacoregio Awaiting requested review from marcusdacoregio

Assignees

@marcusdacoregio marcusdacoregio

Labels
in: web An issue in web modules (web, webmvc) status: declined A suggestion or change that we don't feel we should currently apply type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Milan-Toliya @pivotal-cla @marcusdacoregio @spring-projects-issues