From 0a98dd0bce8c518df939d38f1e87a78eb9a1e231 Mon Sep 17 00:00:00 2001
From: ryandawsonuk <ryandawson@cantab.net>
Date: Fri, 30 Nov 2018 10:05:10 +0000
Subject: [PATCH] note on avoiding BeanDefinitionOverrideException

---
 .../topics/oidc/java/spring-security-adapter.adoc        | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/securing_apps/topics/oidc/java/spring-security-adapter.adoc b/securing_apps/topics/oidc/java/spring-security-adapter.adoc
index d61c9ac45a..82acac3dae 100644
--- a/securing_apps/topics/oidc/java/spring-security-adapter.adoc
+++ b/securing_apps/topics/oidc/java/spring-security-adapter.adoc
@@ -258,11 +258,12 @@ public KeycloakConfigResolver KeycloakConfigResolver() {
 
 ----
 
-====== Avoid double Filter bean registration
+====== Avoid double bean registration
 
 Spring Boot attempts to eagerly register filter beans with the web application context.
 Therefore, when running the Keycloak Spring Security adapter in a Spring Boot environment, it may be necessary to add ``FilterRegistrationBean``s to your security configuration to prevent the Keycloak filters from being registered twice.
 
+Spring boot 2.1 also disables `spring.main.allow-bean-definition-overriding` by default. This can mean that an `BeanDefinitionOverrideException` will be encountered if a `Configuration` class extending `KeycloakWebSecurityConfigurerAdapter` registers a bean that is already detected by a `@ComponentScan`. This can be avoided by overriding the registration to use the boot-specific `@ConditionalOnMissingBean` annotation, as with `HttpSessionManager` below.
 
 [source,java]
 ----
@@ -306,6 +307,12 @@ public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
         return registrationBean;
     }
 
+    @Bean
+    @Override
+    @ConditionalOnMissingBean(HttpSessionManager.class)
+    protected HttpSessionManager httpSessionManager() {
+        return new HttpSessionManager();
+    }
     ...
 }
 ----