so I create this simple login system application by using Java Spring Boot and use Spring Security for authentication.
This is spec of the application:
- spring tool suite 4.18.0.RELEASE
- spring security 6
- using java 17
- built on top linux ubuntu 22.04
- thymeleaf
application.propertiesis already located inresourcefolder by default inSBTLEmpManSys/src/main/resources- I package this works into executable jar file by using maven build feature given by STS (spring tool suite)
When I want to use WebSecurityConfigurerAdapter for my SecurityConfiguration.java the IDE did not offer the option. It offer WebSecurityConfiguration instead so I use it. Turn out it gives circular reference.
This is the diagram:
The dependencies of some of the beans in the application context form a cycle:
┌─────┐
| securityConfiguration (field private org.springframework.security.config.annotation.web.builders.HttpSecurity org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.httpSecurity)
↑ ↓
| org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.httpSecurity defined in class path resource [org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.class]
└─────┘
I handle this problem by setting spring.main.allow-circular-reference=true in application.properties for temporary solution to complete my work. But this problem will reappear in executable .jar file
On the other hand, I need this security configuration file to provide BCryptPasswordEncoder for my service implementation file EmpServiceImpl.java.
I have tried to use @Lazy here and there but there is no effect. I also tried figure out solution for this problem through google & this forum but still can not solve it.
Does anyone can help? This is really give me a headache.
Here are my files.
This is the security configuration
package com.kastamer.sbtl.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.context.annotation.PropertySource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import com.kastamer.sbtl.service.EmpService;
@Configuration
@PropertySource(value = "classpath:application.properties")
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfiguration {
// public EmpService empService;
// @Lazy --> NO EFFECT
@Bean
public BCryptPasswordEncoder passwordEncoder() {
// TODO Auto-generated method stub
return new BCryptPasswordEncoder();
}
// @Lazy --> NO EFFECT
@Bean
public SecurityFilterChain configure(HttpSecurity http) throws Exception {
// TODO Auto-generated method stub
AuthenticationManagerBuilder authManBuild = http.getSharedObject(AuthenticationManagerBuilder.class);
http.authorizeHttpRequests((requests) -> requests.requestMatchers(
"/registrasi",
"/js**",
"/css**",
"/img**")
.permitAll().anyRequest().authenticated())
.formLogin((form) -> form.loginPage("/login").permitAll())
.logout((logout) -> logout.invalidateHttpSession(true).clearAuthentication(true).logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login?logout").permitAll());
return http.build();
}
}
This is the service implementation:
package com.kastamer.sbtl.service;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageRequest;
import org.springframework.data.domain.Pageable;
import org.springframework.data.domain.Sort;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import com.kastamer.sbtl.model.EmpRole;
import com.kastamer.sbtl.model.Employee;
import com.kastamer.sbtl.repository.EmployeeRepository;
import com.kastamer.sbtl.web.dto.EmpRegistrationDTO;
@Service
public class EmpServiceImpl implements EmpService {
@Autowired
private EmployeeRepository empRepDAO;
@Autowired
private BCryptPasswordEncoder passwordEncoder;
//@Autowired //THIS is ADDITION to AVOID CIRCULAR REFERENCE --> ANNOTATION NO EFFECT
//public EmpServiceImpl(@Lazy EmployeeRepository empRepDAO) { //ANNOTATION '@Lazy' is ADDITION to AVOID CIRCULAR REFERENCE --> ANNOTATION NO EFFECT
public EmpServiceImpl(EmployeeRepository empRepDAO) {
super();
this.empRepDAO = empRepDAO;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// TODO Auto-generated method stub
Employee pegawai = empRepDAO.findByEmail(username);
if (pegawai == null) {
throw new UsernameNotFoundException("Email atau kata sandi tidak cocok!");
}
return new org.springframework.security.core.userdetails.User(pegawai.getEmail(), pegawai.getPassword(), mapRolesToAuthority(pegawai.getRoles())); //return null;
}
@Override
public Employee save(EmpRegistrationDTO empRegistrationDTO) {
// TODO Auto-generated method stub
Employee karyawan = new Employee(
empRegistrationDTO.getFullName(),
empRegistrationDTO.getEmail(),
passwordEncoder.encode(empRegistrationDTO.getPassword()),
Arrays.asList(new EmpRole("ROLE_USER")));
return empRepDAO.save(karyawan); //return null;
}
@Override
public void simpanPembaruanData(Employee employee) {
// TODO Auto-generated method stub
employee.setPassword(passwordEncoder.encode(employee.getPassword()));
this.empRepDAO.save(employee);
}
private Collection<? extends GrantedAuthority> mapRolesToAuthority(Collection<EmpRole> roles) {
// TODO Auto-generated method stub
return roles.stream().map(role -> new SimpleGrantedAuthority(role.getNamaRole())).collect(Collectors.toList());
}
//PART POJOK KARYAWAN
@Override
public List<Employee> getAllEmployees() {
// TODO Auto-generated method stub
return empRepDAO.findAll(); //return null;
}
@Override
public Employee getEmployeeById(long id) {
// TODO Auto-generated method stub
Optional<Employee> optEmp = empRepDAO.findById(id);
Employee empl = null;
if (optEmp.isPresent()) {
empl = optEmp.get();
} else {
throw new RuntimeException("Karyawan dengan emp_id '" + id + "' tidak bisa ditemukan");
}
return empl; //return null;
}
@Override
public void deleteEmployeeById(long id) {
// TODO Auto-generated method stub
this.empRepDAO.deleteById(id);
}
@Override
public Page<Employee> findPaginated(int pageNo, int pageSize, String sortField, String sortAscOrDesc) {
// TODO Auto-generated method stub
Sort runut = sortAscOrDesc.equalsIgnoreCase(Sort.Direction.ASC.name()) ? Sort.by(sortField).ascending() : Sort.by(sortField).descending();
Pageable pageable = PageRequest.of(pageNo - 1, pageSize, runut);
return this.empRepDAO.findAll(pageable); //return null;
}
}
This is the application.properties
# DATASOURCE (DataSourceAutoConfiguration & DataSourceProperties)
spring.datasource.url=jdbc:postgresql://localhost:5432/myDB
spring.datasource.username=[POSTGRES_LOGIN]
spring.datasource.password=[POSTGRES_PASSWORD]
spring.datasource.driver-class-name=org.postgresql.Driver
# The PostgreSQL dialect makes Hibernate generate better Postgresql for the chosen databse
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
# Hibernate ddl auto (create, create-drop, validate, update, none --> 'default')
spring.jpa.hibernate.ddl-auto=update
# Prepare logging-time system for Spring-Boot engine & will print logs in console (also work as work-level to monitor generated HQL in console)
logging.level.org.hibernate.sql=debug
logging.level.org.hibernate.type=trace
#spring.jpa.show-sql=true
# Default user login and password for spring security web login page (if spring security is enabled)
#spring.security.user.name=spring
#spring.security.user.password=spring123
#spring.security.user.roles=USER
spring.main.allow-bean-definition-overriding=true
#spring.main.allow-circular-references=true
2
Answers
You can break the cycle by making the factory method of the password encoder static:
Then the creation of the password encoder no longer depends on an instance of the configuration class being instantiated.
You still using spring-security 6 where
WebSecurityConfigurerAdapterwas deprecated and also many thinks was changed and replaced or deprecated. You must remove it and rewrite your security layer.Have a look to next ones source that can help you to fix it:
Migration
spring-security-without-the-websecurityconfigureradapter