Skip to content

Cannot add security configurers during builder initialization #17011

New issue
New issue
Open
#17020
Open
Cannot add security configurers during builder initialization#17011
#17020
Labels
status: waiting-for-triageAn issue we've not yet triagedtype: bugA general bug
@heruan

Description

@heruan
heruan
opened on Apr 29, 2025

Describe the bug
If a security configurer is added during builder's initializing lifecycle phase, if such configurer adds any other configurer to the builder then a ConcurrentModificationException is thrown at

spring-security/config/src/main/java/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java

Lines 389 to 391 in 9df3a57

for (SecurityConfigurer<O, B> configurer : this.configurersAddedInInitializing) {
configurer.init((B) this);
}

since configurersAddedInInitializing is being modified at

spring-security/config/src/main/java/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java

Lines 234 to 236 in 9df3a57

if (this.buildState.isInitializing()) {
this.configurersAddedInInitializing.add(configurer);
}

To Reproduce
Running this configuration:

@Configuration
@EnableWebSecurity
public class DemoSecurity {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.with(new FooConfigurer(), Customizer.withDefaults()).build();
    }

    static class FooConfigurer extends AbstractHttpConfigurer<FooConfigurer, HttpSecurity> {

        @Override
        public void init(HttpSecurity http) throws Exception {
            http.with(new BarConfigurer(), Customizer.withDefaults());
        }
    }

    static class BarConfigurer extends AbstractHttpConfigurer<BarConfigurer, HttpSecurity> {

        @Override
        public void init(HttpSecurity http) throws Exception {
            http.formLogin(login -> login.loginPage("/login"));
        }
    }
}

throws:

java.util.ConcurrentModificationException: null
        at java.base/java.util.ArrayList$Itr.checkForComodification(ArrayList.java:1096) ~[na:na]
        at java.base/java.util.ArrayList$Itr.next(ArrayList.java:1050) ~[na:na]
        at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.init(AbstractConfiguredSecurityBuilder.java:389) ~[spring-security-config-6.4.5.jar:6.4.5]
        at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:349) ~[spring-security-config-6.4.5.jar:6.4.5]
        at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-6.4.5.jar:6.4.5]

Expected behavior
Since adding configurers during builder's initializing lifecycle phase is supported, I would expect it to allow this also for configurers that add others during initialization. The provided example is minimal, but on a more realistic scenario a custom configurer from a library might need to add others during its initialization.

Sample

https://github.com/heruan/spring-security-configurers

Metadata

Metadata

Assignees

No one assigned

    Labels

    status: waiting-for-triageAn issue we've not yet triagedtype: bugA general bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions