ServerHttpSecurityConfiguration creates a circular dependency with WebFluxConfigurationSupport

[wilkinsona]

Describe the bug

ServerHttpSecurityConfiguration defines a WebFluxConfigurer bean while also injecting a ReactiveAdapterRegistry. The ReactiveAdapterRegistry is defined by WebFluxConfigurationSupport but WebFluxConfigurationSupport also needs to be initialized with every WebFluxConfigurer bean. This creates a cycle between the two configuration classes. Framework is able to mask this cycle when the bean factory is configured to allow circular references. When circular references are prohibited, application context refresh fails with a BeanCurrentlyInCreationException.

To Reproduce

Run that attached sample with ./gradlew bootRun or import it into your IDE and run the main method.

Expected behavior

Spring Security can be used with WebFlux when the bean factory is configured to prohibit circular references.

Sample

webflux-security-dependency-cycle.zip

[eleftherias]

Thanks @wilkinsona.
It seems the underlying issue is spring-projects/spring-framework#25166.

A workaround could be to move the authenticationPrincipalArgumentResolverConfigurer to a different configuration.
That would prevent the error on startup, but a cycle would still exist.

I will discuss with the team and provide an update.

[wilkinsona]

Thanks for the update, Ria. It looks like #8613 was an attempt to work around the underlying behaviour in Framework. I wonder if that could be taken a step further, perhaps by making authenticationPrincipalArgumentResolverConfigurer static?

[eleftherias]

I wonder if that could be take a step further, perhaps by making authenticationPrincipalArgumentResolverConfigurer static?

Yes, that would fix it as well.

[eleftherias]

Thanks for bringing this up @wilkinsona.
I went ahead and made authenticationPrincipalArgumentResolverConfigurer static, as you suggested.

[wilkinsona]

Excellent. Thanks very much, @eleftherias.