SurrogateAuthenticationExpirationPolicy references itself, causing stack overflow

[Sean Gottschalk]

Hello,

I'm doing some preliminary work on upgrading our cas integration from version 6.0.4 to 6.1.0-RC5 and when I attempt to submit my credentials to /login I get a stack overflow error.

2019-09-20 14:23:47,731 WARN [qtp1436347886-105] org.eclipse.jetty.server.HttpChannel - /login org.springframework.web.util.NestedServletException: Handler dispatch failed; nested exception is java.lang.StackOverflowError
...
at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:278)

at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)

at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)

at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)

at com.sun.proxy.$Proxy230.buildTicketExpirationPolicy(Unknown Source)

at org.apereo.cas.authentication.SurrogateAuthenticationExpirationPolicyBuilder.toTicketExpirationPolicy(SurrogateAuthenticationExpirationPolicyBuilder.java:61)

at org.apereo.cas.authentication.SurrogateAuthenticationExpirationPolicyBuilder.buildTicketExpirationPolicy(SurrogateAuthenticationExpirationPolicyBuilder.java:43)

at jdk.internal.reflect.GeneratedMethodAccessor141.invoke(Unknown Source)

at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.base/java.lang.reflect.Method.invoke(Method.java:566)

at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:278)

at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)

at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)

at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)

at com.sun.proxy.$Proxy230.buildTicketExpirationPolicy(Unknown Source)

at org.apereo.cas.authentication.SurrogateAuthenticationExpirationPolicyBuilder.toTicketExpirationPolicy(SurrogateAuthenticationExpirationPolicyBuilder.java:61)

at org.apereo.cas.authentication.SurrogateAuthenticationExpirationPolicyBuilder.buildTicketExpirationPolicy(SurrogateAuthenticationExpirationPolicyBuilder.java:43)

at jdk.internal.reflect.GeneratedMethodAccessor141.invoke(Unknown Source)

at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.base/java.lang.reflect.Method.invoke(Method.java:566)

at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:278)

at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)

at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)

at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)

at com.sun.proxy.$Proxy230.buildTicketExpirationPolicy(Unknown Source)

at org.apereo.cas.authentication.SurrogateAuthenticationExpirationPolicyBuilder.toTicketExpirationPolicy(SurrogateAuthenticationExpirationPolicyBuilder.java:61)

at org.apereo.cas.authentication.SurrogateAuthenticationExpirationPolicyBuilder.buildTicketExpirationPolicy(SurrogateAuthenticationExpirationPolicyBuilder.java:43)

at jdk.internal.reflect.GeneratedMethodAccessor141.invoke(Unknown Source)

at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.base/java.lang.reflect.Method.invoke(Method.java:566)

I did a bit of digging and it appears that the problem lies in SurrogateAuthenticationConfiguration.java. In the 6.0.4 release, the standard ticket granting policy is injected into SurrogateAuthenticationConfiguration as ticketGrantingTicketExpirationPolicy, and is used to create the grantingTicketExpirationPolicy. In 6.1.0-RC5, the standard ticket granting policy is injected as grantingTicketExpirationPolicy which is the same name as the class is trying to build. From what I can tell, Spring will then wire the bean into itself which leads to this infinite loop. I'm not sure how to fix this issue so I figured I'd bring it up here rather than as a PR on github.

6.0.4 SurrogateAuthenticationConfiguration.java

@Autowired
@Qualifier("ticketGrantingTicketExpirationPolicy")
private ObjectProvider<ExpirationPolicy> ticketGrantingTicketExpirationPolicy;

@Bean
public ExpirationPolicy grantingTicketExpirationPolicy() {
    val defaultPolicy = ticketGrantingTicketExpirationPolicy.getIfAvailable();
    
    val su = casProperties.getAuthn().getSurrogate();
    val surrogatePolicy = new HardTimeoutExpirationPolicy(su.getTgt().getTimeToKillInSeconds());
    val policy = new SurrogateSessionExpirationPolicy(defaultPolicy);
    policy.addPolicy(SurrogateSessionExpirationPolicy.PolicyTypes.SURROGATE, surrogatePolicy);
    policy.addPolicy(SurrogateSessionExpirationPolicy.PolicyTypes.DEFAULT, defaultPolicy);
    return policy;
}

6.1.0 SurrogateAuthenticationConfiguration.java

@Autowired
@Qualifier("grantingTicketExpirationPolicy")
private ObjectProvider<ExpirationPolicyBuilder> grantingTicketExpirationPolicy;

@Bean
@RefreshScope
public ExpirationPolicyBuilder grantingTicketExpirationPolicy() {
    return new SurrogateAuthenticationExpirationPolicyBuilder(grantingTicketExpirationPolicy.getIfAvailable(), casProperties);
}