problem-spring-web: IllegalStateException: Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.
Description
The ProblemSecurityAutoConfiguration registers a WebSecurityConfigurerAdapter
and, when combined with the spring-boot-security-starter,
causes https://github.com/spring-projects/spring-security/issues/9295.
Expected Behavior
Exception above.
Actual Behavior
Register configurer if and only if we don’t interfere with the default.
Possible Fix
Steps to Reproduce
Context
Your Environment
- Version used:
- Link to your project:
About this issue
- State: open
- Created 4 years ago
- Reactions: 2
- Comments: 15 (1 by maintainers)
This is how I managed to get a working test but I had to manually configure the Problem Security support (so I don’t like the solution at all):
SpringSecurityExceptionTest.java
Sample test to show the problem:
pom.xml
SpringSecurityExceptionTest.java
The tests pass.
If I add problem-spring-web:
pom.xml
Same SpringSecurityExceptionTest.java as before.
The Spring context can’t be built.
If I exclude the ProblemSecurityAutoConfiguration and adapt the expected JSON response check for the testAccessDenied():
The testAccessDenied() does not pass as an error 500 is issued (instead of the expected 403).
@Monax111 you can disable ProblemSecurityAutoConfiguration by:
But the problem then, @whiskeysierra, is that if a security exception is thrown the org.zalando.problem.spring.web.autoconfigure.ExceptionHandling#handleThrowable(Throwable, NativeWebRequest) is invoked and produces a 500 INTERNAL_SERVER_ERROR (as the Problem implementation for Spring Security Exceptions has not been configured).
@whiskeysierra any idea on how to configure the Problem support for Spring Security but not getting the IllegalStateException: Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one?
Looks like org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration (imported from org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration) is the culprit of creating the SecurityFilterChain.
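The manual wiring the comments above refer to, sketched as an added example (not code from this thread or from the problem-spring-web project): the auto-configuration that registers the WebSecurityConfigurerAdapter is excluded, and the Problem handlers are attached to a single SecurityFilterChain so that security exceptions map to 401/403 rather than falling through to the generic 500 handler. Assumptions: Spring Security 5.5 or later (for authorizeHttpRequests), the package name of ProblemSecurityAutoConfiguration, and that a user-defined advice bean replaces the auto-configured ExceptionHandling; DemoApplication, SecurityExceptionHandling and the com.example.demo package are hypothetical names.

```java
package com.example.demo; // hypothetical application package

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.zalando.problem.spring.web.advice.ProblemHandling;
import org.zalando.problem.spring.web.advice.security.SecurityAdviceTrait;
import org.zalando.problem.spring.web.advice.security.SecurityProblemSupport;
// Assumption: package of the auto-configuration class named in this issue.
import org.zalando.problem.spring.web.autoconfigure.security.ProblemSecurityAutoConfiguration;

// Exclude the auto-configuration that registers the WebSecurityConfigurerAdapter,
// so the only security configuration left is the SecurityFilterChain bean below.
@SpringBootApplication(exclude = ProblemSecurityAutoConfiguration.class)
@Import(SecurityProblemSupport.class)
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    // One SecurityFilterChain and no WebSecurityConfigurerAdapter anywhere.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    SecurityProblemSupport problemSupport) throws Exception {
        http
            // Deny by default: every request needs an authenticated user.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Hand authentication and access-denied failures raised inside the
            // filter chain to SecurityProblemSupport, which delegates them to
            // the exception-handling advice below.
            .exceptionHandling(handling -> handling
                .authenticationEntryPoint(problemSupport)
                .accessDeniedHandler(problemSupport));
        return http.build();
    }

    // SecurityAdviceTrait maps AuthenticationException to 401 and
    // AccessDeniedException to 403 instead of the catch-all 500.
    @ControllerAdvice
    static class SecurityExceptionHandling implements ProblemHandling, SecurityAdviceTrait {
    }
}
```

A test such as the testAccessDenied() mentioned above is the right check for this wiring: an authenticated user without the required authority should receive 403 with a problem body, not 500.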