Honor @primary for UserDetailsService and UserDetailsPasswordService in InitializeUserDetailsBeanManagerConfigurer (#17902)

Signed-off-by: Siva Sai Udayagiri <[email protected]>

Author: siva-sai-udaygiri

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/InitializeUserDetailsBeanManagerConfigurer.java

@@ -6,12 +6,6 @@
  * You may obtain a copy of the License at
  *
  *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
  */
 
 package org.springframework.security.config.annotation.authentication.configuration;
@@ -21,7 +15,6 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import org.springframework.beans.BeansException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
@@ -34,15 +27,15 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 
 /**
- * Lazily initializes the global authentication with a {@link UserDetailsService}. If
- * multiple beans of that type exist, the container's autowire rules are used to select a
- * single candidate (e.g. {@code @Primary}). If no single candidate can be resolved, the
- * configurer logs a warning and does not auto-wire. Optionally wires a
- * {@link PasswordEncoder}, {@link UserDetailsPasswordService}, and
- * {@link CompromisedPasswordChecker} when available.
+ * Lazily initializes the global authentication with a {@link UserDetailsService}
+ * if it is not yet configured. Honors {@code @Primary} when multiple
+ * {@link UserDetailsService} (or {@link UserDetailsPasswordService}) beans are present.
+ * If a single {@link PasswordEncoder} or {@link CompromisedPasswordChecker} bean is
+ * available, those are wired as well.
  *
  * @author Rob Winch
  * @author Ngoc Nhan
+ * @author You
  * @since 4.1
  */
 @Order(InitializeUserDetailsBeanManagerConfigurer.DEFAULT_ORDER)
@@ -68,33 +61,54 @@ class InitializeUserDetailsManagerConfigurer extends GlobalAuthenticationConfigu
 		@Override
 		public void configure(AuthenticationManagerBuilder auth) {
 			String[] beanNames = InitializeUserDetailsBeanManagerConfigurer.this.context
-				.getBeanNamesForType(UserDetailsService.class);
+					.getBeanNamesForType(UserDetailsService.class);
 
+			// If user configured an AuthenticationProvider already, warn and bail
+			if (auth.isConfigured()) {
+				if (beanNames.length > 0) {
+					this.logger.warn(
+							"Global AuthenticationManager configured with an AuthenticationProvider bean. "
+									+ "UserDetailsService beans will not be used by Spring Security for automatically configuring username/password login. "
+									+ "Consider removing the AuthenticationProvider bean or configure DaoAuthenticationProvider manually.");
+				}
+				return;
+			}
+
+			// No UDS beans — nothing to do
 			if (beanNames.length == 0) {
 				return;
 			}
 
-			if (auth.isConfigured()) {
-				this.logger.warn("Global AuthenticationManager configured with an AuthenticationProvider bean. "
-						+ "UserDetailsService beans will not be used by Spring Security for automatically configuring username/password login. "
-						+ "Consider removing the AuthenticationProvider bean. "
-						+ "Alternatively, consider using the UserDetailsService in a manually instantiated DaoAuthenticationProvider. "
-						+ "If the current configuration is intentional, to turn off this warning, "
-						+ "increase the logging level of 'org.springframework.security.config.annotation.authentication.configuration.InitializeUserDetailsBeanManagerConfigurer' to ERROR");
+			/*
+			 * Try to resolve a single autowire-candidate UDS from the container.
+			 * getIfAvailable() returns:
+			 *  - the bean if there is exactly one, or
+			 *  - the @Primary bean if there are multiple and one is marked primary,
+			 *  - otherwise null.
+			 */
+			UserDetailsService userDetailsService = getAutowireCandidateOrNull(UserDetailsService.class);
+
+			// If still ambiguous and we have multiple beans, keep current (warn + skip)
+			if (userDetailsService == null && beanNames.length > 1) {
+				this.logger.warn(LogMessage.format(
+						"Found %s UserDetailsService beans, with names %s. "
+								+ "Global Authentication Manager will not use a UserDetailsService for username/password login. "
+								+ "Consider publishing a single (or @Primary) UserDetailsService bean.",
+						beanNames.length, Arrays.toString(beanNames)));
 				return;
 			}
 
-			UserDetailsService userDetailsService = getBeanIfUnique(UserDetailsService.class);
+			// If there is exactly one bean and getIfAvailable returned null (shouldn't happen),
+			// fall back to retrieving that single bean by name.
 			if (userDetailsService == null) {
-				this.logger.warn(LogMessage.format("Found %s UserDetailsService beans, with names %s. "
-						+ "Global Authentication Manager will not use a UserDetailsService for username/password login. "
-						+ "Consider publishing a single (or primary) UserDetailsService bean.", beanNames.length,
-						Arrays.toString(beanNames)));
-				return;
+				userDetailsService = InitializeUserDetailsBeanManagerConfigurer.this.context
+						.getBean(beanNames[0], UserDetailsService.class);
 			}
 
 			PasswordEncoder passwordEncoder = getBeanIfUnique(PasswordEncoder.class);
+			// Honor @Primary for UDPS as well
 			UserDetailsPasswordService passwordManager = getAutowireCandidateOrNull(UserDetailsPasswordService.class);
+			// Keep "unique only" semantics for optional checker
 			CompromisedPasswordChecker passwordChecker = getBeanIfUnique(CompromisedPasswordChecker.class);
 
 			DaoAuthenticationProvider provider = new DaoAuthenticationProvider(userDetailsService);
@@ -108,48 +122,20 @@ public void configure(AuthenticationManagerBuilder auth) {
 				provider.setCompromisedPasswordChecker(passwordChecker);
 			}
 			provider.afterPropertiesSet();
+
 			auth.authenticationProvider(provider);
 
-			String selectedName = resolveBeanName(beanNames, userDetailsService);
 			this.logger.info(LogMessage.format(
-					"Global AuthenticationManager configured with UserDetailsService bean with name %s", selectedName));
+					"Global AuthenticationManager configured with UserDetailsService bean (auto-selected)."));
 		}
 
-		/**
-		 * Resolve a single autowire candidate for the given type (honors
-		 * {@code @Primary}). Returns {@code null} if ambiguous or not present.
-		 */
 		private <T> T getAutowireCandidateOrNull(Class<T> type) {
-			try {
-				return InitializeUserDetailsBeanManagerConfigurer.this.context.getBeanProvider(type).getIfAvailable();
-			}
-			catch (BeansException ex) {
-				return null;
-			}
+			return InitializeUserDetailsBeanManagerConfigurer.this.context.getBeanProvider(type).getIfAvailable();
 		}
 
-		/**
-		 * Return a bean of the requested class if there's exactly one registered
-		 * component; {@code null} otherwise.
-		 */
 		private <T> T getBeanIfUnique(Class<T> type) {
 			return InitializeUserDetailsBeanManagerConfigurer.this.context.getBeanProvider(type).getIfUnique();
 		}
-
-		private String resolveBeanName(String[] candidates, Object instance) {
-			for (String name : candidates) {
-				try {
-					Object bean = InitializeUserDetailsBeanManagerConfigurer.this.context.getBean(name);
-					if (bean == instance) {
-						return name;
-					}
-				}
-				catch (BeansException ignored) {
-				}
-			}
-			return instance.getClass().getName();
-		}
-
 	}
 
 }

config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/InitializeUserDetailsBeanManagerConfigurerTests.java

@@ -6,12 +6,6 @@
  * You may obtain a copy of the License at
  *
  *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
  */
 
 package org.springframework.security.config.annotation.authentication.configuration;
@@ -44,9 +38,7 @@ class InitializeUserDetailsBeanManagerConfigurerTests {
 	private static ObjectPostProcessor<Object> opp() {
 		return new ObjectPostProcessor<>() {
 			@Override
-			public <O> O postProcess(O object) {
-				return object;
-			}
+			public <O> O postProcess(O object) { return object; }
 		};
 	}
 
@@ -62,42 +54,43 @@ void whenMultipleUdsAndOneResolvableCandidate_thenPrimaryIsAutoWired() throws Ex
 				User.withUsername("alice").passwordEncoder(encoder::encode).password("pw").roles("USER").build());
 		InMemoryUserDetailsManager secondary = new InMemoryUserDetailsManager();
 
-		ObjectProvider<UserDetailsService> udsProvider = (ObjectProvider<UserDetailsService>) mock(
-				ObjectProvider.class);
+		ObjectProvider<UserDetailsService> udsProvider =
+				(ObjectProvider<UserDetailsService>) mock(ObjectProvider.class);
 		given(ctx.getBeanProvider(UserDetailsService.class)).willReturn(udsProvider);
-		given(udsProvider.getIfUnique()).willReturn(primary); // container picks single
-																// candidate
+		given(udsProvider.getIfAvailable()).willReturn(primary); // container picks single candidate
 
 		// resolveBeanName(..) path
 		given(ctx.getBean("udsA")).willReturn(secondary);
 		given(ctx.getBean("udsB")).willReturn(primary);
 
-		ObjectProvider<PasswordEncoder> peProvider = (ObjectProvider<PasswordEncoder>) mock(ObjectProvider.class);
+		ObjectProvider<PasswordEncoder> peProvider =
+				(ObjectProvider<PasswordEncoder>) mock(ObjectProvider.class);
 		given(ctx.getBeanProvider(PasswordEncoder.class)).willReturn(peProvider);
 		given(peProvider.getIfUnique()).willReturn(encoder);
 
 		// Stub optional providers to avoid NPEs
-		ObjectProvider<UserDetailsPasswordService> udpsProvider = (ObjectProvider<UserDetailsPasswordService>) mock(
-				ObjectProvider.class);
+		ObjectProvider<UserDetailsPasswordService> udpsProvider =
+				(ObjectProvider<UserDetailsPasswordService>) mock(ObjectProvider.class);
 		given(ctx.getBeanProvider(UserDetailsPasswordService.class)).willReturn(udpsProvider);
 		given(udpsProvider.getIfAvailable()).willReturn(null);
 
-		ObjectProvider<CompromisedPasswordChecker> cpcProvider = (ObjectProvider<CompromisedPasswordChecker>) mock(
-				ObjectProvider.class);
+		ObjectProvider<CompromisedPasswordChecker> cpcProvider =
+				(ObjectProvider<CompromisedPasswordChecker>) mock(ObjectProvider.class);
 		given(ctx.getBeanProvider(CompromisedPasswordChecker.class)).willReturn(cpcProvider);
 		given(cpcProvider.getIfUnique()).willReturn(null);
 
 		AuthenticationManagerBuilder builder = new AuthenticationManagerBuilder(opp());
-		new InitializeUserDetailsBeanManagerConfigurer(ctx).new InitializeUserDetailsManagerConfigurer()
-			.configure(builder);
+		new InitializeUserDetailsBeanManagerConfigurer(ctx)
+				.new InitializeUserDetailsManagerConfigurer()
+				.configure(builder);
 
 		AuthenticationManager manager = builder.build();
 
 		// DaoAuthenticationProvider registered
 		assertThat(manager).isInstanceOf(ProviderManager.class);
 		List<?> providers = ((ProviderManager) manager).getProviders();
 		assertThat(providers)
-			.anySatisfy((p) -> assertThat(p.getClass().getSimpleName()).isEqualTo("DaoAuthenticationProvider"));
+				.anySatisfy((p) -> assertThat(p.getClass().getSimpleName()).isEqualTo("DaoAuthenticationProvider"));
 
 		// Auth works with the primary UDS + encoder
 		var auth = manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "pw"));
@@ -110,30 +103,31 @@ void whenMultipleUdsAndNoSingleCandidate_thenSkipAutoWiring() throws Exception {
 		ApplicationContext ctx = mock(ApplicationContext.class);
 		given(ctx.getBeanNamesForType(UserDetailsService.class)).willReturn(new String[] { "udsA", "udsB" });
 
-		ObjectProvider<UserDetailsService> udsProvider = (ObjectProvider<UserDetailsService>) mock(
-				ObjectProvider.class);
+		ObjectProvider<UserDetailsService> udsProvider =
+				(ObjectProvider<UserDetailsService>) mock(ObjectProvider.class);
 		given(ctx.getBeanProvider(UserDetailsService.class)).willReturn(udsProvider);
-		given(udsProvider.getIfAvailable()).willReturn(null); // ambiguous → no single
-																// candidate
+		given(udsProvider.getIfAvailable()).willReturn(null); // ambiguous → no single candidate
 
 		// Also stub other providers to null
-		ObjectProvider<PasswordEncoder> peProvider = (ObjectProvider<PasswordEncoder>) mock(ObjectProvider.class);
+		ObjectProvider<PasswordEncoder> peProvider =
+				(ObjectProvider<PasswordEncoder>) mock(ObjectProvider.class);
 		given(ctx.getBeanProvider(PasswordEncoder.class)).willReturn(peProvider);
 		given(peProvider.getIfUnique()).willReturn(null);
 
-		ObjectProvider<UserDetailsPasswordService> udpsProvider = (ObjectProvider<UserDetailsPasswordService>) mock(
-				ObjectProvider.class);
+		ObjectProvider<UserDetailsPasswordService> udpsProvider =
+				(ObjectProvider<UserDetailsPasswordService>) mock(ObjectProvider.class);
 		given(ctx.getBeanProvider(UserDetailsPasswordService.class)).willReturn(udpsProvider);
 		given(udpsProvider.getIfAvailable()).willReturn(null);
 
-		ObjectProvider<CompromisedPasswordChecker> cpcProvider = (ObjectProvider<CompromisedPasswordChecker>) mock(
-				ObjectProvider.class);
+		ObjectProvider<CompromisedPasswordChecker> cpcProvider =
+				(ObjectProvider<CompromisedPasswordChecker>) mock(ObjectProvider.class);
 		given(ctx.getBeanProvider(CompromisedPasswordChecker.class)).willReturn(cpcProvider);
 		given(cpcProvider.getIfUnique()).willReturn(null);
 
 		AuthenticationManagerBuilder builder = new AuthenticationManagerBuilder(opp());
-		new InitializeUserDetailsBeanManagerConfigurer(ctx).new InitializeUserDetailsManagerConfigurer()
-			.configure(builder);
+		new InitializeUserDetailsBeanManagerConfigurer(ctx)
+				.new InitializeUserDetailsManagerConfigurer()
+				.configure(builder);
 
 		AuthenticationManager manager = builder.build();
 
@@ -143,11 +137,10 @@ void whenMultipleUdsAndNoSingleCandidate_thenSkipAutoWiring() throws Exception {
 		}
 		else if (manager instanceof ProviderManager pm) {
 			assertThat(pm.getProviders())
-				.noneMatch((p) -> p.getClass().getSimpleName().equals("DaoAuthenticationProvider"));
+					.noneMatch((p) -> p.getClass().getSimpleName().equals("DaoAuthenticationProvider"));
 		}
 		else {
 			assertThat(manager.getClass().getSimpleName()).isNotEqualTo("ProviderManager");
 		}
 	}
-
 }