SEC-2961: Configuring AuthenticationManagerBuilder with GlobalAuthenticationConfigurerAdapter fails

[spring-projects-issues]

Yves Alter (Migrated from SEC-2961) said:

I already posted this issue on stackoverflow some time ago, but I thought I better file this as a bug here, too.

According to the documentation of the SecurityConfigurer interface, the implementation of init(SecurityBuilder) should NOT set properties on the passed SecurityBuilder object. Instead this should be done in the configure(SecurityBuilder) method. So I tried the following implementation:

@Configuration
  protected static class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {

  @Autowired
  private WebUserDetailsService userDetailsService;

  @Autowired
  private WebUserPasswordEncoder passwordEncoder;

  @Override
  public void configure (AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(this.userDetailsService).passwordEncoder(this.passwordEncoder);
  }
}

This configuration fails during startup due to the following check in the frameworks AbstractConfiguredSecurityBuilder:

 if(buildState.isConfigured()) {
   throw new IllegalStateException("Cannot apply "+configurer+" to already built object");
}

BuildState.isConfigured() has the following (suprising) implementation:

public boolean isConfigured() {
  return order >= CONFIGURING.order;
}

It actually checks, if the build is currently in the CONFIGURING phase (as stated in javadoc), but not if it already is configured (that would be the BUILT state, I guess), as the method name suggests.

So my question is: Is this expected behavior or is it a bug in the Java Configuration? All other examples I find on the web usually configure the builder in the init() method, so maybe I just don't understand the documentation correctly?

[spring-projects-issues]

Yves Alter said:

@rwinch any thoughts on this issue?