Apparent Spring Boot race condition causing duplicate springSecurityFilterChain registration

野趣味 2021-02-06 04:34

I have a RESTful web service implemented with Spring Boot 1.2.0-RELEASE that occasionally throws the following exception on startup.

03-Feb-2015 11:42:23.697 S         


        
2 Answers
  • 2021-02-06 05:14

    Following the Spring Boot documentation, you should disable the default security configuration loaded by Spring Boot by adding the annotation @EnableWebMvcSecurity in your app configuration (see 75.2 Change the AuthenticationManager and add user accounts), and then you should configure a web security adapter like this:

    @Bean
    WebSecurityConfigurerAdapter webSecurityAdapter() {
        WebSecurityConfigurerAdapter adapter = new WebSecurityConfigurerAdapter() {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                // http.... (the original answer's configuration is truncated here)
            }
        };
        return adapter;
    }
    
    0 Discussion (0)
  • 2021-02-06 05:28

    I think you must have a concrete subclass of AbstractSecurityWebApplicationInitializer in your application. Spring's Servlet 3.0 support will find this WebApplicationInitializer implementation and call it when Tomcat starts your app. This triggers an attempt to register Spring Security's filter. You also have your WebXml class that extends SpringBootServletInitializer. This too is a WebApplicationInitializer that will be getting called when Tomcat starts your app. Due to Spring Boot's auto-configuration support this also triggers an attempt to register Spring Security's filter.

    Your WebXml class does not declare an order (it doesn't implement Spring's Ordered interface and it isn't annotated with @Order). I would guess that the same is true of your AbstractSecurityWebApplicationInitializer subclass. This means that they both have the same order (the default) so Spring is free to call them in any order. Your application works when your AbstractSecurityWebApplicationInitializer subclass goes first as Spring Boot is tolerant of the filter already being there. It fails when Spring Boot goes first as AbstractSecurityWebApplicationInitializer is not so tolerant.

    Having said all of this, as you're using Spring Boot you may not even need your AbstractSecurityWebApplicationInitializer so the simplest solution is probably to delete it. If you do need it, then you should assign both it and WebXml an order (annotate with @Order or implement Ordered) so that WebXml is guaranteed to always be called after your AbstractSecurityWebApplicationInitializer subclass.

    0 Discussion (0)
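The ordering fix described in the second answer, written out as an added example that is not part of the original answers. The class names SecurityInitializer and Application are assumptions, WebXml is the asker's class as named in the answer, and the SpringBootServletInitializer import is the Spring Boot 1.2 package location.

```java
// ---- SecurityInitializer.java (hypothetical name) ----
import org.springframework.core.annotation.Order;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Lower value = earlier. This initializer rejects a servlet context that
// already contains springSecurityFilterChain, so it must run first.
@Order(1)
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {
    // No body needed: the base class registers the DelegatingFilterProxy
    // named springSecurityFilterChain in onStartup().
}

// ---- WebXml.java ----
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.context.web.SpringBootServletInitializer;
import org.springframework.core.annotation.Order;

// Runs second. Spring Boot's auto-configuration tolerates the filter
// already being registered, so this order starts cleanly every time.
@Order(2)
public class WebXml extends SpringBootServletInitializer {
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        // Application is the assumed @SpringBootApplication configuration class.
        return application.sources(Application.class);
    }
}

// ---- Application.java (hypothetical name) ----
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Application {
}
```

Spring's SpringServletContainerInitializer sorts the WebApplicationInitializer instances it discovers with AnnotationAwareOrderComparator before calling them, which is why @Order makes the startup sequence deterministic. If the explicit security initializer is not needed, deleting SecurityInitializer and leaving WebXml unannotated gives the same single registration.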