vishnu
Reputation: 197
Getting "Can't configure anyRequest after itself" error after upgrading spring-security-web to 5.6.9
I'm getting the below exception after upgrading spring-security-web dependency from 4.2.20.RELEASE to 5.6.9. The error is
Can't configure anyRequest after itself
Given below is the detailed logging information.
Caused by: java.lang.IllegalStateException: Can't configure anyRequest after itself
at org.springframework.util.Assert.state(Assert.java:76) ~[spring-core-5.3.17.jar:5.3.17]
at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.anyRequest(AbstractRequestMatcherRegistry.java:76) ~[spring-security-config-5.6.9.jar:5.6.9]
at com.premierinc.trs.user.config.ProvisioningSecurityConfig.configure(ProvisioningSecurityConfig.java:32) ~[user-1.5.6.1-SNAPSHOT.jar:?]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.getHttp(WebSecurityConfigurerAdapter.java:217) ~[spring-security-config-5.6.9.jar:5.6.9]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.init(WebSecurityConfigurerAdapter.java:315) ~[spring-security-config-5.6.9.jar:5.6.9]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.init(WebSecurityConfigurerAdapter.java:93) ~[spring-security-config-5.6.9.jar:5.6.9]
at com.premierinc.trs.user.config.ProvisioningSecurityConfig$$EnhancerBySpringCGLIB$$8b2eea9c.init(<generated>) ~[user-1.5.6.1-SNAPSHOT.jar:?]
at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.init(AbstractConfiguredSecurityBuilder.java:338) ~[spring-security-config-5.6.9.jar:5.6.9]
at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:300) ~[spring-security-config-5.6.9.jar:5.6.9]
at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-5.6.9.jar:5.6.9]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:127) ~[spring-security-config-5.6.9.jar:5.6.9]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_341]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_341]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_341]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_341]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.17.jar:5.3.17]
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-5.3.17.jar:5.3.17]
... 64 more
Here is my ProvisioningSecurityConfig.java file. The above log gives exception at line 32 in this code:
@Configuration
@EnableWebSecurity
public class ProvisioningSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger logger = LoggerFactory.getLogger(ProvisioningSecurityConfig.class);
@Value("${provision.ldapGroupWithServiceAccess:SERVICE_ACCESS_APP_PROV}")
private String ldapGroupWithServiceAccess;
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info(String.format("provision.ldapGroupWithServiceAccess->%s", ldapGroupWithServiceAccess));
http.csrf().disable();
// Do not create sessions - authenticate user on every request
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
final String relativeProvisionEndpointPattern = VUserUris.ROOT + VUserUris.PROVISION;
final String fullProvisionEndpointPattern = CommonUris.SERVLET_ROOT + relativeProvisionEndpointPattern;
http
.requestMatchers()
.antMatchers(fullProvisionEndpointPattern + "/**", fullProvisionEndpointPattern + "*",
relativeProvisionEndpointPattern + "/**", relativeProvisionEndpointPattern + "*")
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.anonymous().disable();
http
.requestMatchers()
.antMatchers(fullProvisionEndpointPattern + "/**", fullProvisionEndpointPattern + "*",
relativeProvisionEndpointPattern + "/**", relativeProvisionEndpointPattern + "*")
.and()
.authorizeRequests()
.anyRequest().hasRole(ldapGroupWithServiceAccess); //line 32
}
@Configuration
protected static class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {
private static final Logger logger = LoggerFactory.getLogger(AuthenticationConfiguration.class);
@Value("${provision.ldapUrl:ldap://ldapserver:589/}")
private String ldapUrl;
@Value("${provision.ldapUserDnPattern:uid={0},ou=applicationIds,ou=Users,o=vishnu.com}")
private String ldapUserDnPattern;
@Value("${provision.ldapGroupSearchBase:ou=Groups,o=vishnu.com}")
private String ldapGroupSearchBase;
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
logger.info(String.format("provision.ldapUrl->%s", ldapUrl));
logger.info(String.format("provision.ldapUserDnPattern->%s", ldapUserDnPattern));
logger.info(String.format("provision.ldapGroupSearchBase->%s", ldapGroupSearchBase));
DefaultSpringSecurityContextSource context = new DefaultSpringSecurityContextSource(ldapUrl);
context.afterPropertiesSet();
auth.ldapAuthentication()
.userDnPatterns(ldapUserDnPattern)
.groupSearchBase(ldapGroupSearchBase)
.contextSource(context);
}
}
}
Upvotes: 0
Views: 681
Answers (1)
Marcus Hert da Coregio
Reputation: 6288
You are calling anyRequest twice, combine your authorization rules into one call, like so:
http
.requestMatchers()
.antMatchers(fullProvisionEndpointPattern + "/**", fullProvisionEndpointPattern + "*",
relativeProvisionEndpointPattern + "/**", relativeProvisionEndpointPattern + "*")
.and()
.authorizeRequests()
.anyRequest().hasRole(ldapGroupWithServiceAccess) // here you have to decide if it is just authenticated() or hasRole(...)
.and()
.httpBasic()
.and()
.anonymous().disable();
Upvotes: 1
Related Questions
- Updating to Spring Security 6.0 - replacing Removed and Deprecated functionality for securing requests
- Spring Boot 3 + Spring Security 6 => 403 Forbidden with "requestMatchers"
- Spring Boot: IllegalStateException after migration from 2.5.7 to 2.6.2 with WebSecurityConfigurerAdapter
- Spring Security Error: java.lang.IllegalStateException: Can't configure anyRequest after itself [SpringBoot update 2.1.4 -> 2.3.11]
- Spring security 5.0 : spring security savedrequest is null
- Spring Security Error: java.lang.IllegalStateException: Can't configure anyRequest after itself
- WebSecurityConfigurerAdapter cofiguration not handles requests correctly
- Spring Security - Is SavedRequestAwareAuthenticationSuccessHandler broke?
- Spring Security Ignores all requests when you should just ignore the OPTIONS requests
- IllegalAccessError when trying to setup Spring Security 4.0.0 with Spring 4.1.6