I’m encountering a warning when starting my Spring Boot application with Spring Security configuration. The warning message is:
WARN [ restartedMain] r$InitializeUserDetailsManagerConfigurer : Global AuthenticationManager configured with an AuthenticationProvider bean. UserDetailsService beans will not be used for username/password login. Consider removing the AuthenticationProvider bean. Alternatively, consider using the UserDetailsService in a manually instantiated DaoAuthenticationProvider.
I’ve configured JWT-based authentication in my Spring Boot application. Here are the relevant parts of my configuration:
SecurityFilterChain:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(authorize ->
                authorize
                    .requestMatchers("/assets/**", "/css/**", "/images/**", "/js/**").permitAll()
                    .requestMatchers("/", "/about", "/contact").permitAll()
                    .requestMatchers("/auth/**").permitAll()
                    .anyRequest().authenticated()
            )
            .sessionManagement(session -> session.sessionCreationPolicy(STATELESS))
            .authenticationProvider(authenticationProvider)
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

Relevant part of ApplicationBeanConfiguration:

    @Configuration
    public class ApplicationBeanConfiguration {

        private final UserRepository userRepository;

        public ApplicationBeanConfiguration(UserRepository userRepository) {
            this.userRepository = userRepository;
        }

        @Bean
        public UserDetailsService userDetailsService() {
            return username -> userRepository.findByUsername(username)
                    .orElseThrow(() -> new UsernameNotFoundException("User not found"));
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Bean
        public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
            return config.getAuthenticationManager();
        }

        @Bean
        public AuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
            authProvider.setUserDetailsService(userDetailsService());
            authProvider.setPasswordEncoder(passwordEncoder());
            return authProvider;
        }
    }

The warning persists regardless of whether I include or exclude the AuthenticationProvider bean. The application starts with the warning, indicating that the AuthenticationProvider configuration might be conflicting with UserDetailsService.
The warning suggests that my setup might be incorrectly configured. Specifically, it indicates that the AuthenticationProvider bean is overriding the UserDetailsService, which could lead to issues with username/password authentication.
How should I correctly configure Spring Security to avoid this warning?
Hyusein Lesho is a new contributor to this site.
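
The warning's second suggestion (a manually instantiated DaoAuthenticationProvider) can be sketched as follows; this is an added example, not part of the original question. It assumes the question's `UserRepository` and keeps the question's setter-style `DaoAuthenticationProvider` construction.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class ApplicationBeanConfiguration {

    // UserRepository is the question's own repository type (assumed to exist).
    private final UserRepository userRepository;

    public ApplicationBeanConfiguration(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return username -> userRepository.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("User not found"));
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // No AuthenticationProvider @Bean here. The provider is a local object, so
    // the global AuthenticationManager setup finds no AuthenticationProvider
    // bean, which is the condition the warning reports.
    @Bean
    public AuthenticationManager authenticationManager(UserDetailsService userDetailsService,
                                                       PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        // ProviderManager delegates username/password checks to this one provider.
        return new ProviderManager(provider);
    }
}
```

With this class, the `.authenticationProvider(authenticationProvider)` line in the filter chain has no bean to inject and is dropped; code that performs the login (for example under `/auth/**`) injects the `AuthenticationManager` bean instead.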