AuthenticationConfiguration.getAuthenticationManager() supports recursion

AuthenticationConfiguration.getAuthenticationManager() now supports
recursion. This is necessary in instances where something using
@EnableGlobalAuthentication requires an object using method level security.

Fixes gh-3935

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java

@@ -19,9 +19,11 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.atomic.AtomicBoolean;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+
 import org.springframework.aop.framework.ProxyFactoryBean;
 import org.springframework.aop.target.LazyInitTargetSource;
 import org.springframework.beans.factory.BeanFactoryUtils;
@@ -34,6 +36,8 @@ import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.util.Assert;
 
 /**
@@ -45,6 +49,9 @@ import org.springframework.util.Assert;
  */
 @Configuration
 public class AuthenticationConfiguration {
+
+	private AtomicBoolean buildingAuthenticationManager = new AtomicBoolean();
+
 	private ApplicationContext applicationContext;
 
 	private AuthenticationManager authenticationManager;
@@ -79,11 +86,15 @@ public class AuthenticationConfiguration {
 	}
 
 	public AuthenticationManager getAuthenticationManager() throws Exception {
-		if (authenticationManagerInitialized) {
-			return authenticationManager;
+		if (this.authenticationManagerInitialized) {
+			return this.authenticationManager;
+		}
+		AuthenticationManagerBuilder authBuilder = authenticationManagerBuilder(
+				this.objectPostProcessor);
+		if (this.buildingAuthenticationManager.getAndSet(true)) {
+			return new AuthenticationManagerDelegator(authBuilder);
 		}
 
-		AuthenticationManagerBuilder authBuilder = authenticationManagerBuilder(objectPostProcessor);
 		for (GlobalAuthenticationConfigurerAdapter config : globalAuthConfigurers) {
 			authBuilder.apply(config);
 		}
@@ -157,4 +168,44 @@ public class AuthenticationConfiguration {
 			}
 		}
 	}
+
+	/**
+	 * Prevents infinite recursion in the event that initializing the
+	 * AuthenticationManager.
+	 *
+	 * @author Rob Winch
+	 * @since 4.1.1
+	 */
+	static final class AuthenticationManagerDelegator implements AuthenticationManager {
+		private AuthenticationManagerBuilder delegateBuilder;
+		private AuthenticationManager delegate;
+		private final Object delegateMonitor = new Object();
+
+		AuthenticationManagerDelegator(AuthenticationManagerBuilder delegateBuilder) {
+			Assert.notNull(delegateBuilder, "delegateBuilder cannot be null");
+			this.delegateBuilder = delegateBuilder;
+		}
+
+		@Override
+		public Authentication authenticate(Authentication authentication)
+				throws AuthenticationException {
+			if (this.delegate != null) {
+				return this.delegate.authenticate(authentication);
+			}
+
+			synchronized (this.delegateMonitor) {
+				if (this.delegate == null) {
+					this.delegate = this.delegateBuilder.getObject();
+					this.delegateBuilder = null;
+				}
+			}
+
+			return this.delegate.authenticate(authentication);
+		}
+
+		@Override
+		public String toString() {
+			return "AuthenticationManagerDelegator [delegate=" + this.delegate + "]";
+		}
+	}
 }

config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java

@@ -0,0 +1,119 @@
+/*
+ * Copyright 2012-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.authentication;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+/**
+ * @author Rob Winch
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration
+public class AuthenticationConfigurationGh3935Tests {
+	@Autowired
+	FilterChainProxy springSecurityFilterChain;
+	@Autowired
+	UserDetailsService uds;
+	@Autowired
+	BootGlobalAuthenticationConfigurationAdapter adapter;
+
+	// gh-3935
+	@Test
+	public void loads() {
+		assertThat(this.springSecurityFilterChain).isNotNull();
+	}
+
+	@Test
+	public void delegateUsesExisitingAuthentication() {
+		String username = "user";
+		String password = "password";
+		User user = new User(username, password,
+				AuthorityUtils.createAuthorityList("ROLE_USER"));
+		when(this.uds.loadUserByUsername(username)).thenReturn(user);
+
+		AuthenticationManager authenticationManager = this.adapter.authenticationManager;
+		assertThat(authenticationManager).isNotNull();
+
+		Authentication auth = authenticationManager.authenticate(
+				new UsernamePasswordAuthenticationToken(username, password));
+
+		verify(this.uds).loadUserByUsername(username);
+		assertThat(auth.getPrincipal()).isEqualTo(user);
+	}
+
+	@EnableWebSecurity
+	static class WebSecurity extends WebSecurityConfigurerAdapter {
+	}
+
+	static class BootGlobalAuthenticationConfigurationAdapter
+			extends GlobalAuthenticationConfigurerAdapter {
+		private final ApplicationContext context;
+
+		private AuthenticationManager authenticationManager;
+
+		@Autowired
+		BootGlobalAuthenticationConfigurationAdapter(ApplicationContext context) {
+			this.context = context;
+		}
+
+		@Override
+		public void init(AuthenticationManagerBuilder auth) throws Exception {
+			AuthenticationConfiguration configuration = this.context
+					.getBean(AuthenticationConfiguration.class);
+			this.authenticationManager = configuration.getAuthenticationManager();
+		}
+	}
+
+	@Configuration
+	static class AutoConfig {
+		@Bean
+		static BootGlobalAuthenticationConfigurationAdapter adapter(
+				ApplicationContext context) {
+			return new BootGlobalAuthenticationConfigurationAdapter(context);
+		}
+
+		@Bean
+		public UserDetailsService userDetailsService() {
+			return mock(UserDetailsService.class);
+		}
+	}
+}