fix(componentbased): add per-UDS DaoAuthenticationProvider instead of mutating the existing one

jamesfredley · jamesfredley · commit fbc7f8a840cd · 2026-04-25T16:04:32.000-04:00
The previous commit attempted to wire a chained UserDetailsService into
the existing `daoAuthenticationProvider` via property assignment. That
worked in pre-Spring-Security-7 but Spring Security 7 made
`DaoAuthenticationProvider.userDetailsService` a final
constructor-only field, so the assignment fails at startup with:

    groovy.lang.ReadOnlyPropertyException: Cannot set readonly property:
    userDetailsService for class:
    org.springframework.security.authentication.dao.DaoAuthenticationProvider

This caused `ldap-examples-functional-test-app:integrationTest` to fail
the application context startup (the LDAP example app exposes an
`ldapUserDetailsService` bean which the blender then tried to chain).

Fix: instead of mutating the existing `daoAuthenticationProvider`,
create a NEW `DaoAuthenticationProvider` per additional
`UserDetailsService` (each preserving the existing application
`passwordEncoder` if present) and append them to the
`authenticationManager` providers list. The plugin's primary
GORM-backed provider remains first, so the GORM lookup still wins for
known users; if that throws an authentication exception, each
additional provider is tried in turn.

Same observable behaviour, no readonly-field mutation. Verified locally:

  ./gradlew :ldap-examples-functional-test-app:integrationTest --rerun-tasks
  -&gt; BUILD SUCCESSFUL

Docs (Javadoc, README, installation.adoc) updated to describe the
per-UDS-provider approach and to call out the final-field constraint
that motivated it.

Assisted-by: claude-code:claude-4.6-opus
diff --git a/README.md b/README.md
@@ -64,8 +64,8 @@ Spring Security 5.7 deprecated and Spring Security 6 removed `WebSecurityConfigu
 |---|---|---|
 | `@Bean SecurityFilterChain` | **Auto-merged** into the plugin's `FilterChainProxy`; user chains are prepended (higher precedence) so their typically more-specific request matchers win against the plugin's catch-all chain. | `grails.plugin.springsecurity.componentBased.autoMergeSecurityFilterChain: false` |
 | `@Bean AuthenticationProvider` | **Auto-merged** into the plugin's `authenticationManager` (`ProviderManager`); user providers are appended so the plugin's primary GORM-backed provider runs first; providers already declared via `providerNames` are not re-added. | `grails.plugin.springsecurity.componentBased.autoMergeAuthenticationProviders: false` |
-| `@Bean InMemoryUserDetailsManager` / `JdbcUserDetailsManager` (or any extra `UserDetailsService`) | **Auto-chained** behind the plugin's primary `GormUserDetailsService`; queried in bean-name order if the GORM lookup throws `UsernameNotFoundException`. The chained service is wired into `daoAuthenticationProvider`. | `grails.plugin.springsecurity.componentBased.autoChainUserDetailsServices: false` |
-| `spring.security.user.name` / `spring.security.user.password` / `spring.security.user.roles` | If `spring.security.user.name` is set, an `InMemoryUserDetailsManager` is created from those properties (mimicking what Spring Boot's `UserDetailsServiceAutoConfiguration` would have done) and chained behind the plugin's primary user lookup. | `grails.plugin.springsecurity.componentBased.bridgeSpringSecurityUserProperties: false` |
+| `@Bean InMemoryUserDetailsManager` / `JdbcUserDetailsManager` (or any extra `UserDetailsService`) | For each additional `UserDetailsService` bean, a new `DaoAuthenticationProvider` is created and **appended** to the plugin's `authenticationManager` providers list. The plugin's primary GORM-backed provider runs first; if it does not authenticate the user, each additional provider is tried in turn. (Spring Security 7 made `DaoAuthenticationProvider.userDetailsService` final, so we add new providers instead of mutating the existing one.) | `grails.plugin.springsecurity.componentBased.autoChainUserDetailsServices: false` |
+| `spring.security.user.name` / `spring.security.user.password` / `spring.security.user.roles` | If `spring.security.user.name` is set, an `InMemoryUserDetailsManager` is created from those properties (mimicking what Spring Boot's `UserDetailsServiceAutoConfiguration` would have done), wrapped in a `DaoAuthenticationProvider`, and added to the plugin's authenticationManager. | `grails.plugin.springsecurity.componentBased.bridgeSpringSecurityUserProperties: false` |
 | `@Bean WebSecurityCustomizer` | Still a no-op. The plugin does not use Spring's `WebSecurity` builder. To exclude URLs from security checks, use `grails.plugin.springsecurity.staticRules` with `permitAll`, or `grails.plugin.springsecurity.ipRestrictions`. | n/a |
 | `@Bean AuthenticationManager` | Conflicts with the plugin's `authenticationManager` (`ProviderManager`) bean by name. Use `@Bean AuthenticationProvider` (auto-merged - see above) or `grails.plugin.springsecurity.providerNames` instead. | n/a |
 | LDAP factory beans (`EmbeddedLdapServerContextSourceFactoryBean`, `LdapBindAuthenticationManagerFactory`, `LdapPasswordComparisonAuthenticationManagerFactory`) | Coexist but are not wired into the plugin's authentication providers. | Use the `grails-spring-security-ldap` plugin and the `grails.plugin.springsecurity.ldap.*` configuration. |
diff --git a/plugin-core/docs/src/docs/introduction/installation.adoc b/plugin-core/docs/src/docs/introduction/installation.adoc
@@ -95,11 +95,11 @@ Spring Security 5.7 deprecated and Spring Security 6 removed `WebSecurityConfigu
 | `grails.plugin.springsecurity.componentBased.autoMergeAuthenticationProviders: false`
 
 | `@Bean InMemoryUserDetailsManager` / `JdbcUserDetailsManager` (or any extra `UserDetailsService`)
-| *Auto-chained* behind the plugin's primary `GormUserDetailsService`; queried in bean-name order if the GORM lookup throws `UsernameNotFoundException`. The chained service is wired into `daoAuthenticationProvider`.
+| For each additional `UserDetailsService` bean, a new `DaoAuthenticationProvider` is created and *appended* to the plugin's `authenticationManager` providers list. The plugin's primary GORM-backed provider runs first; if it does not authenticate the user, each additional provider is tried in turn. (Spring Security 7 made `DaoAuthenticationProvider.userDetailsService` final, so we add new providers instead of mutating the existing one.)
 | `grails.plugin.springsecurity.componentBased.autoChainUserDetailsServices: false`
 
 | `spring.security.user.name` / `spring.security.user.password` / `spring.security.user.roles`
-| If `spring.security.user.name` is set, an `InMemoryUserDetailsManager` is created from those properties (mimicking what Spring Boot's `UserDetailsServiceAutoConfiguration` would have done) and chained behind the plugin's primary user lookup.
+| If `spring.security.user.name` is set, an `InMemoryUserDetailsManager` is created from those properties (mimicking what Spring Boot's `UserDetailsServiceAutoConfiguration` would have done), wrapped in a `DaoAuthenticationProvider`, and added to the plugin's authenticationManager.
 | `grails.plugin.springsecurity.componentBased.bridgeSpringSecurityUserProperties: false`
 
 | `@Bean WebSecurityCustomizer`
diff --git a/plugin-core/plugin/src/main/groovy/grails/plugin/springsecurity/SecurityAutoConfigurationExcluder.groovy b/plugin-core/plugin/src/main/groovy/grails/plugin/springsecurity/SecurityAutoConfigurationExcluder.groovy
@@ -101,23 +101,25 @@ import org.springframework.core.env.Environment
  *       {@code grails.plugin.springsecurity.componentBased.autoMergeAuthenticationProviders: false}.</li>
  *   <li><strong>{@code @Bean UserDetailsManager} /
  *       {@code InMemoryUserDetailsManager} /
- *       {@code JdbcUserDetailsManager}</strong> - additional
- *       {@code UserDetailsService} beans are <strong>auto-chained</strong>
- *       behind the plugin's primary {@code GormUserDetailsService} via
- *       {@link grails.plugin.springsecurity.componentbased.ChainedUserDetailsService}.
- *       The plugin's GORM-backed user lookup runs first; if it throws
- *       {@code UsernameNotFoundException}, each additional bean is queried in
- *       turn. The chained service is wired into
- *       {@code daoAuthenticationProvider}. Disable via
+ *       {@code JdbcUserDetailsManager}</strong> - for each additional
+ *       {@code UserDetailsService} bean, a new
+ *       {@code DaoAuthenticationProvider} is created and appended to the
+ *       plugin's {@code authenticationManager} providers list. The plugin's
+ *       primary GORM-backed provider runs first; if it does not authenticate
+ *       the user, each additional provider is tried in turn. (We cannot
+ *       rewire the existing {@code daoAuthenticationProvider} because Spring
+ *       Security 7 made its {@code userDetailsService} a final
+ *       constructor-only field.) Disable via
  *       {@code grails.plugin.springsecurity.componentBased.autoChainUserDetailsServices: false}.</li>
  *   <li><strong>{@code spring.security.user.name} /
  *       {@code spring.security.user.password} /
  *       {@code spring.security.user.roles}</strong> - if
  *       {@code spring.security.user.name} is set, an
  *       {@code InMemoryUserDetailsManager} is created from those properties
  *       (mimicking what Spring Boot's
- *       {@code UserDetailsServiceAutoConfiguration} would have done) and
- *       chained behind the plugin's primary user lookup. Disable via
+ *       {@code UserDetailsServiceAutoConfiguration} would have done), wrapped
+ *       in a {@code DaoAuthenticationProvider} and added to the plugin's
+ *       authenticationManager. Disable via
  *       {@code grails.plugin.springsecurity.componentBased.bridgeSpringSecurityUserProperties: false}.</li>
  *   <li><strong>LDAP factory beans
  *       ({@code EmbeddedLdapServerContextSourceFactoryBean},
diff --git a/plugin-core/plugin/src/main/groovy/grails/plugin/springsecurity/SpringSecurityCoreGrailsPlugin.groovy b/plugin-core/plugin/src/main/groovy/grails/plugin/springsecurity/SpringSecurityCoreGrailsPlugin.groovy
@@ -25,7 +25,6 @@ import grails.plugin.springsecurity.access.vote.ClosureVoter
 import grails.plugin.springsecurity.authentication.GrailsAnonymousAuthenticationProvider
 import grails.plugin.springsecurity.authentication.NullAuthenticationEventPublisher
 import grails.plugin.springsecurity.cache.SpringUserCacheFactoryBean
-import grails.plugin.springsecurity.componentbased.ChainedUserDetailsService
 import grails.plugin.springsecurity.componentbased.ComponentBasedConfigBlender
 import grails.plugin.springsecurity.userdetails.DefaultPostAuthenticationChecks
 import grails.plugin.springsecurity.userdetails.DefaultPreAuthenticationChecks
@@ -810,9 +809,17 @@ to default to 'Annotation'; setting value to 'Annotation'
 			}
 
 			if (additional) {
-				def chained = new ChainedUserDetailsService([primary] + additional)
-				applicationContext.daoAuthenticationProvider.userDetailsService = chained
-				log.info 'Wired chained UserDetailsService into daoAuthenticationProvider (primary GORM + {} additional)', additional.size()
+				def passwordEncoder = applicationContext.containsBean('passwordEncoder') ? applicationContext.passwordEncoder : null
+				List<DaoAuthenticationProvider> additionalProviders = additional.collect { UserDetailsService uds ->
+					def provider = new DaoAuthenticationProvider(uds)
+					if (passwordEncoder != null) {
+						provider.passwordEncoder = passwordEncoder
+					}
+					provider
+				}
+				applicationContext.authenticationManager.providers.addAll additionalProviders
+				log.info 'Added {} DaoAuthenticationProvider(s) for additional UserDetailsService sources to authenticationManager (the plugin GORM-backed provider remains primary)',
+						additionalProviders.size()
 			}
 		}
 	}
