ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor #11596

Closed
wilkinsona opened this issue Jul 19, 2022 · 7 comments
Labels: in: config (An issue in spring-security-config), type: bug (A general bug)

wilkinsona (Member) commented Jul 19, 2022

Describe the bug
ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor. This results in the following log message:

11:04:02.687 [main] INFO org.springframework.context.support.PostProcessorRegistrationDelegate$BeanPostProcessorChecker - Bean 'org.springframework.security.config.annotation.method.configuration.ReactiveMethodSecurityConfiguration' of type [org.springframework.security.config.annotation.method.configuration.ReactiveMethodSecurityConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)

To Reproduce

package com.example.demo;

import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.config.EnableWebFlux;

@Configuration
@ComponentScan
@EnableWebFlux
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class DemoApplication {

	public static void main(String[] args) {
		new AnnotationConfigApplicationContext(DemoApplication.class);
	}

	@Bean
	static BeanPostProcessor exampleBeanPostProcessor() {
		return new BeanPostProcessor() {

		};
	}

	@Bean
	SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
		return http.build();
	}

}

Expected behavior

All beans are eligible for post-processing.

Sample

There's a sample Spring Boot application attached to this Spring Boot issue. The code above is a reduced version of that sample that takes Boot out of the picture.

sjohnr (Contributor) commented Jul 19, 2022

Thanks @wilkinsona. Is there a sense around the urgency of this issue? I'm not sure I understand the impact very well.

wilkinsona (Member, Author) commented Jul 19, 2022

As far as I can tell, the problem's benign from a Spring Security perspective as ReactiveMethodSecurityConfiguration doesn't typically need to be post-processed. However, as you can tell from the Boot issue, the log message is causing confusion for users and is really a usability bug.

I have quite a bit of sympathy for users dealing with the message. It's indicating that something's wrong and potentially won't work as intended so it's right that they should care about it, understand it, and ideally stop it from happening. Given that it's our code that's causing the problem, I think it should be fixed so that we avoid wasting their time diagnosing it, particularly as there's nothing they can do to fix it. They can't even tune their logging levels as they may then miss other messages for a similar problem which isn't benign.

sjohnr (Contributor) commented Jul 19, 2022

Thanks @wilkinsona!

sjohnr added the in: config label and removed the status: waiting-for-triage label Jul 19, 2022
sjohnr added this to the 6.0.x milestone Jul 19, 2022

jzheaux (Contributor) commented Jul 20, 2022

Related to #9845 - (summary: it may be appropriate to add @Role(BeanDefinition.ROLE_INFRASTRUCTURE))

wilkinsona (Member, Author) commented

I notice that this has been assigned to the 6.0.x milestone. Could you please consider fixing it in all 5.x maintenance branches?

sjohnr (Contributor) commented Jul 22, 2022

Good question @wilkinsona. As a team, we have generally assigned bugs to the latest branch where the bug applies and then backport bugs to maintenance branches. It's gotten a little confusing with 5.8 and 6.0 being developed simultaneously. Unfortunately, I can't assign an issue to multiple milestones otherwise I would do so. But we will definitely backport a fix if at all possible.

jzheaux modified the milestones: 6.0.x, 5.7.7 Jan 11, 2023
jzheaux self-assigned this Jan 11, 2023
sjohnr modified the milestones: 5.7.7, 5.7.8 Feb 21, 2023
marcusdacoregio modified the milestones: 5.7.8, 5.7.9 Apr 17, 2023
marcusdacoregio modified the milestones: 5.7.9, 5.8.5 Jun 17, 2023
marcusdacoregio modified the milestones: 5.8.5, 5.8.6 Jul 17, 2023
sjohnr modified the milestones: 5.8.6, 5.8.7 Aug 19, 2023
sjohnr modified the milestones: 5.8.7, 5.8.8 Sep 18, 2023
sjohnr modified the milestones: 5.8.8, 5.8.9 Oct 13, 2023

jzheaux (Contributor) commented Dec 18, 2023

Looking at this further, I think that the case is the bean methods should use static in their signature.
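
The general Spring Framework behaviour behind the log message and the `static` suggestion, as an added example that is not part of the thread and is not Spring Security's code. It assumes a simplified case in which the configuration class itself declares the post-processor; `PrematureInitDemo`, `RecordingPostProcessor`, `InstanceConfig` and `StaticConfig` are hypothetical names.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added illustration: every class and bean name here is hypothetical.
public class PrematureInitDemo {
	// Records the name of every bean it is asked to post-process.
	static class RecordingPostProcessor implements BeanPostProcessor {
		final List<String> seen = new ArrayList<>();

		@Override
		public Object postProcessAfterInitialization(Object bean, String beanName) {
			seen.add(beanName);
			return bean;
		}
	}

	// Instance @Bean method: InstanceConfig must be instantiated to call it, while
	// post-processors are still being registered, so it is never post-processed.
	@Configuration
	static class InstanceConfig {
		@Bean
		RecordingPostProcessor recorder() {
			return new RecordingPostProcessor();
		}
	}

	// Static @Bean method: the post-processor is created without an instance of
	// StaticConfig, so StaticConfig is created later and post-processed normally.
	@Configuration
	static class StaticConfig {
		@Bean
		static RecordingPostProcessor recorder() {
			return new RecordingPostProcessor();
		}
	}

	static List<String> seenBy(Class<?> config) {
		try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(config)) {
			return new ArrayList<>(ctx.getBean(RecordingPostProcessor.class).seen);
		}
	}

	public static void main(String[] args) {
		System.out.println("instance @Bean method: " + seenBy(InstanceConfig.class));
		System.out.println("static @Bean method:   " + seenBy(StaticConfig.class));
	}
}
```

The first list omits the `InstanceConfig` bean and the context logs the `BeanPostProcessorChecker` message for it; the second list includes the `StaticConfig` bean.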
