Skip to content

Spring Security Circular Bean Dependency #4489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
aemaem opened this issue Aug 9, 2017 · 3 comments
Closed

Spring Security Circular Bean Dependency #4489

aemaem opened this issue Aug 9, 2017 · 3 comments
Assignees
@rwinch
Labels
in: config An issue in spring-security-config type: bug A general bug
Milestone
5.0.0.M4

Comments

@aemaem
Copy link

aemaem commented Aug 9, 2017
edited
Loading

Summary

Spring Security has a circular bean dependency in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.

Actual Behavior

When running the sample (./gradlew bootRun) with setting "allow circular references" to false the application will fail to start.

The dependencies of some of the beans in the application context form a cycle:

┌─────┐
|  org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration
└─────┘

Background

In our client's deployment they encountered a circular bean dependency in our own code (also a Spring Boot Project). We could not reproduce the issue, which is why we would like to check strictly on circular bean dependencies.

Expected Behavior

Resolved circular bean dependency.

Configuration

Set "allow circular references" to false.

new SpringApplicationBuilder(SecurityCycleBeanDependencyApplication.class)
    .initializers((ApplicationContextInitializer<GenericApplicationContext>) applicationContext -> applicationContext.setAllowCircularReferences(false))
    .run(args);

Version

Spring Boot 1.5.6
with Spring Security and Spring Web

Sample

https://github.com/aemaem/security-cycle-bean-dependency
@rwinch
Copy link
Member

rwinch commented Aug 9, 2017

Thanks for the bug report. Is the sample suppose to fail? How are you running it? I have tried running the sample in both my IDE and using ./gradlew check and the test passes. Thanks again for the report!

@rwinch rwinch self-assigned this Aug 9, 2017
@rwinch rwinch added the status: waiting-for-feedback We need additional information before we can continue label Aug 9, 2017
@aemaem
Copy link
Author

aemaem commented Aug 9, 2017

If you run the application with ./gradlew bootRun you will see that it cannot be started.

@rwinch rwinch added type: bug A general bug in: config An issue in spring-security-config and removed status: waiting-for-feedback We need additional information before we can continue labels Aug 9, 2017
@rwinch rwinch added this to the 5.0.0.M4 milestone Aug 9, 2017
@rwinch rwinch closed this as completed in efc3cad Aug 9, 2017
@rwinch
Copy link
Member

rwinch commented Aug 9, 2017

Thanks for the clarification. This makes sense...of course the test isn't going to do anything since the customization is done in the main method.

I was able to reproduce the issue. The problem was that WebSecurityConfiguration used a SpEL expression to resolve setFilterChainProxySecurityConfigurer that contained a bean named autowiredWebSecurityConfigurersIgnoreParents which was produced by WebSecurityConfiguration which was was still in creation since the setFilterChainProxySecurityConfigurer has not been resolved.

A fix (making autowiredWebSecurityConfigurersIgnoreParents a static method) has been pushed to master.

thomasdarimont pushed a commit to thomasdarimont/spring-security that referenced this issue Apr 25, 2018
@rwinch @thomasdarimont
Fixed Circular Bean References in Java Config
4bf58ca 
Fixes spring-projectsgh-4489
@rwinch rwinch mentioned this issue Jan 10, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: config An issue in spring-security-config type: bug A general bug
Projects
None yet
Milestone
5.0.0.M4
Development

No branches or pull requests
2 participants
@rwinch @aemaem