StackOverflowError in Spring Security AuthenticationManager

Hi,
I'm encountering a StackOverflowError in my Spring Security configuration.

I have a custom Spring Security configuration in my application, and it seems like the issue is related to the AuthenticationManager. I’ve already ruled out any internal Spring errors and have thoroughly reviewed my code and configuration.

java.lang.StackOverflowError: null at java.base/java.lang.reflect.Method.invoke(Method.java:562) ~[na:na] ...

Here’s a simplified snippet of my Spring Security configuration:

@Configuration
@EnableMethodSecurity(securedEnabled = true)
public class SecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf(AbstractHttpConfigurer::disable)
            .cors(Customizer.withDefaults())
            .authorizeHttpRequests(customizeRequest -> {
                customizeRequest
                    .anyRequest().permitAll();
            })
            .httpBasic(Customizer.withDefaults());

        return http.build();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
        return configuration.getAuthenticationManager();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

I also have a LogUserController in my application that handles user authentication via a POST request. Here’s a snippet of the relevant code:

@RestController
@RequestMapping("log/auth")
public class LogUserController {
    private final AuthenticationManager authenticationManager;
    private final JwtUtil jwtUtil;
    private final UserAppRepository userAppRepository;

    @Autowired
    public LogUserController(AuthenticationManager authenticationManager, JwtUtil jwtUtil, UserAppRepository userAppRepository) {
        this.authenticationManager = authenticationManager;
        this.jwtUtil = jwtUtil;
        this.userAppRepository = userAppRepository;
    }

    @PostMapping("/login")
    public ResponseEntity<?> login(@RequestBody LoginDto loginDto) {
        UsernamePasswordAuthenticationToken login = new UsernamePasswordAuthenticationToken(loginDto.getEmail(), loginDto.getPassword());
        Authentication authentication = this.authenticationManager.authenticate(login);

        UserDetails userDetails = (UserDetails) userAppRepository.findByEmail(loginDto.getEmail());

        String jwt = this.jwtUtil.create(userDetails.getUsername());

        return ResponseEntity.ok().header(HttpHeaders.AUTHORIZATION, jwt).build();
    }
}

And this is my JwtUtil:

@Component
public class JwtUtil {
    private static String SECRET_KEY = "B9F1498B64CF22D91128C212C8A31";
    private static Algorithm ALGORITHM = Algorithm.HMAC256(SECRET_KEY);


    public String create(String email) {
        return JWT.create()
                .withSubject(email)
                .withIssuer("pizzeria-pepe-INC")
                .withIssuedAt(new Date())
                .withExpiresAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(15)))
                .sign(ALGORITHM);
    }

}

Any help for this novice is welcome:)

I’m facing an issue with my Spring Security configuration. I have a custom authentication setup using JWT tokens, and when I make a POST request to the ‘/login’ endpoint, I’m encountering a java.lang.StackOverflowError. Here’s what I’ve tried:

Reviewed my Spring Security configuration (SecurityConfig class).
Checked for circular dependencies or recursive calls in my authentication logic.
Verified that there are no issues with my JWT token creation in JwtUtil class.
Ensured that my UserDetailsService implementation (UserAppService) is correctly configured.

  • It seems like maybe the AuthenticationConfiguration used to create your AuthenticationManager bean just ends up publishing the very same bean.


  • If you want help, here is some. Whatever blog post you are following, stop following it. Handing out JWTs directly to browsers is a security risk and should not be done. JWTs were designed to be used to authorize between microservices, not from browsers. If you want to learn Spring Security, I suggest you try to implement FormLogin from the documentation. All tutorials that hand out JWTs to browsers are written by people who have no idea how security works.

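Following the first comment's hypothesis, one way to take AuthenticationConfiguration out of the picture is to build the AuthenticationManager directly from an explicit provider, so the bean cannot resolve back to itself. This is an added example, not code from the question or the commenters; it assumes Spring Security 6.x, that the question's UserAppService is registered as the UserDetailsService bean, and that this class (the name AuthenticationManagerConfig is hypothetical) replaces the authenticationManager bean method in SecurityConfig.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class name; stands in for the authenticationManager(...) bean
// method of the question's SecurityConfig, which must be removed so that only
// one AuthenticationManager bean exists in the context.
@Configuration
public class AuthenticationManagerConfig {

    // Assumption: a UserDetailsService bean (the question's UserAppService)
    // and the BCrypt PasswordEncoder bean from SecurityConfig are available
    // for injection.
    @Bean
    public AuthenticationManager authenticationManager(UserDetailsService userDetailsService,
                                                       PasswordEncoder passwordEncoder) {
        // The provider loads the user by username and checks the submitted
        // password against the stored hash with the configured encoder.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);

        // ProviderManager is constructed here with exactly one provider and
        // no parent manager, so authenticate(...) either succeeds, or throws
        // an AuthenticationException; it never delegates to another
        // AuthenticationManager bean looked up from the application context.
        return new ProviderManager(provider);
    }
}
```

With this in place, the controller's call to authenticationManager.authenticate(login) throws BadCredentialsException for a wrong password instead of recursing, and the returned Authentication's principal is the UserDetails that was loaded during the check.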