ReactiveManagementWebSecurityAutoConfiguration Prevent's oauth2Login from being defaulted

[jgrandja]

If org.springframework.boot:spring-boot-starter-actuator is on the classpath than ReactiveManagementWebSecurityAutoConfiguration will build a SecurityWebFilterChain, which will get @Autowired to WebFluxSecurityConfiguration.securityWebFilterChains. This configuration path will result in a bypass of OAuth2ClasspathGuard.shouldConfigure(), which is called for the default configuration of SecurityWebFilterChain.

So if oauth2-client is actually on the classpath and the required properties are configured, than ServerHttpSecurity.oauth2Login() will not be applied.

Related spring-cloud-security#171

/cc @rwinch @spencergibb

[spencergibb]

For the sample app I'm doing the following temporarily:

spring:
  autoconfigure:
    exclude: org.springframework.boot.actuate.autoconfigure.security.reactive.ReactiveManagementWebSecurityAutoConfiguration

[jgrandja]

@spencergibb I have a workaround for you here

[jgrandja]

Closing in favour of spring-boot#17949