Analysis and Resolution of Bean Creation Exception Caused by Duplicate Usernames in Spring Security Configuration

Dec 03, 2025 · Programming · 12 views · 7.8

Keywords: Spring Security | Bean Creation Exception | In-Memory Authentication | Duplicate Username | Configuration Issues

Abstract: This paper provides an in-depth analysis of the 'Error creating bean with name \'springSecurityFilterChain\'' exception caused by duplicate usernames in Spring Security configuration. By examining the stack trace, the article identifies the assertion failure in the InMemoryUserDetailsManager.createUser() method and offers detailed solutions. It also discusses Spring Security's in-memory authentication mechanism, configuration best practices, and how to avoid common configuration pitfalls.

Problem Background and Exception Analysis

During Spring Security configuration, developers often encounter various bean creation exceptions. In the case discussed in this article, a user configuring in-memory user authentication with Spring Security 3.2.5 encountered the following exception upon application startup:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalArgumentException: [Assertion failed] - this expression must be true

Deep Analysis of Stack Trace

By carefully examining the exception stack trace, we can identify the critical source of the error:

at org.springframework.security.provisioning.InMemoryUserDetailsManager.createUser(InMemoryUserDetailsManager.java:59)
at org.springframework.util.Assert.isTrue(Assert.java:77)

This stack trace clearly indicates that the problem occurs in the createUser() method of the InMemoryUserDetailsManager class. Spring Security checks whether a username already exists when creating in-memory users. If an attempt is made to create a user with a duplicate username, an IllegalArgumentException is thrown.

Root Cause: Duplicate Username Configuration

The user's configuration code contains a critical issue:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .inMemoryAuthentication()
            .withUser("user").password("password").roles("USER").and()
            .withUser("user").password("password").roles("USER", "ADMIN");
}

In this configuration, the developer attempts to create two users with the same username "user", which violates the fundamental principle of Spring Security's in-memory user management mechanism. Each username must be unique within the system, as it serves as the basis for user identification.

Detailed Explanation of Spring Security In-Memory Authentication Mechanism

Spring Security's InMemoryUserDetailsManager class uses a Map<String, UserDetails> to store user information, where the key is the username. When the createUser() method is called, the following check is performed:

public void createUser(UserDetails user) {
    Assert.isTrue(!userExists(user.getUsername()), "user should not exist");
    // User creation logic
}

The Assert.isTrue() method here ensures that a new user is created only if the username does not already exist. If the username already exists, the exception discussed in this article is thrown.

Solution and Best Practices

To resolve this issue, it is essential to ensure that each username is unique. Here is an example of the corrected configuration:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .inMemoryAuthentication()
            .withUser("user").password("password").roles("USER").and()
            .withUser("admin").password("admin123").roles("USER", "ADMIN");
}

In this corrected version, we use different usernames ("user" and "admin") to avoid duplication. Additionally, for security reasons, it is recommended to set different passwords for different users.

Other Related Configuration Considerations

Besides the duplicate username issue, there are other common pitfalls to avoid in Spring Security configuration:

  1. URL Pattern Configuration: Avoid using empty strings or null as parameters for antMatchers(), as this may lead to similar assertion failure exceptions.
  2. Password Encoding: In production environments, password encoders should be used instead of storing passwords in plain text.
  3. Role Definition: Ensure that role names comply with the application's security policy requirements.

Debugging and Diagnostic Techniques

When encountering Spring Security configuration issues, the following debugging strategies can be employed:

  1. Carefully read the complete exception stack trace, paying particular attention to Spring Security-related classes and methods.
  2. Use Spring's debug log level to obtain more detailed information.
  3. Gradually simplify the configuration to identify the specific configuration item causing the problem.
  4. Refer to official documentation and community best practices.

Conclusion

Spring Security configuration must strictly adhere to its internal constraints and best practices. Username uniqueness is a fundamental requirement of the in-memory authentication mechanism, and violating this principle will result in bean creation failure. By understanding the internal workings of Spring Security, developers can better diagnose and resolve configuration issues, building secure and reliable applications.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.