Spring Security Auto-Configuration regression between Spring Boot 3.3.6 and 3.4.0 #16181

Closed
ecnabogs opened this issue Nov 27, 2024 · 3 comments
Labels
status: duplicate A duplicate of another issue type: bug A general bug

Comments

@ecnabogs

Describe the bug
Creating a fresh Spring Boot application with Spring Security and Spring WebFlux results in both ReactiveUserDetailsServiceAutoConfiguration and UserDetailsServiceAutoConfiguration being applied in SB 3.4.0, whereas only the former was applied in SB 3.3.6.

To Reproduce
Create a fresh Spring Boot application with Spring Security and Spring WebFlux in SB 3.4.0, with Spring Initializr for instance.
Start the application and check the logs; you will see the generated-password messages twice:

```
2024-11-27T08:48:02.763+01:00 INFO 49735 --- [spring-security-reactive-bug] [ main] ReactiveUserDetailsServiceAutoConfiguration :

Using generated security password: 0240859f-fb08-426d-8557-ef1faa497055
...
2024-11-27T08:48:02.828+01:00 WARN 49735 --- [spring-security-reactive-bug] [ main] .s.s.UserDetailsServiceAutoConfiguration :

Using generated security password: 0240859f-fb08-426d-8557-ef1faa497055

This generated password is for development use only. Your security configuration must be updated before running your application in production.
```
Enabling the debug mode also reveals that both auto-configuration classes do match.

Expected behavior
In reactive mode, I do not expect the non-reactive auto-configuration to be applied, but only the reactive one, as was the case in SB 3.3.6.

Sample

The sample is so trivial that I let you create such an empty application.

Personal investigation

My investigation leads me to think that the issue comes from the deprecation of the org.springframework.security.config.annotation.ObjectPostProcessor interface in favor of the other org.springframework.security.config.ObjectPostProcessor interface. The UserDetailsServiceAutoConfiguration has the conditional bean annotation @ConditionalOnBean(org.springframework.security.config.ObjectPostProcessor.class). In SB 3.3.6, no such beans were available in my example application, but in SB 3.4.0 several are available, coming, at first sight, from that ObjectPostProcessor move for some beans.

@ecnabogs ecnabogs added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 27, 2024
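A regression test for the behaviour reported above, as an added example that is not part of the original issue or of the Spring projects' code. It assumes JUnit 5, AssertJ and spring-boot-starter-test, with only the WebFlux and Security starters on the classpath; the names ReactiveSecurityAutoConfigurationTests and SampleApplication are hypothetical. It reads the same condition evaluation report that debug mode prints and is expected to fail wherever both auto-configurations match.

```java
import static org.assertj.core.api.Assertions.assertThat;

import java.util.Map;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.condition.ConditionEvaluationReport;
import org.springframework.boot.autoconfigure.condition.ConditionEvaluationReport.ConditionAndOutcomes;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.UserDetailsService;

// Hypothetical test class: starts an otherwise empty reactive application.
@SpringBootTest(properties = "spring.main.web-application-type=reactive")
class ReactiveSecurityAutoConfigurationTests {

    private static final String SERVLET_AUTO_CONFIG =
            "org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration";
    private static final String REACTIVE_AUTO_CONFIG =
            "org.springframework.boot.autoconfigure.security.reactive.ReactiveUserDetailsServiceAutoConfiguration";

    @SpringBootApplication
    static class SampleApplication { } // hypothetical empty application, no custom security beans

    @Autowired
    ConfigurableApplicationContext context;

    @Test
    void onlyReactiveUserDetailsAutoConfigurationMatches() {
        // Same data that the debug-mode conditions report is built from.
        Map<String, ConditionAndOutcomes> outcomes = ConditionEvaluationReport
                .get(context.getBeanFactory()).getConditionAndOutcomesBySource();
        assertThat(isFullMatch(outcomes, REACTIVE_AUTO_CONFIG)).isTrue();
        assertThat(isFullMatch(outcomes, SERVLET_AUTO_CONFIG)).isFalse();
    }

    @Test
    void noServletUserDetailsServiceBeanIsRegistered() {
        // A servlet UserDetailsService bean here means a second default user was created.
        assertThat(context.getBeanNamesForType(ReactiveUserDetailsService.class)).hasSize(1);
        assertThat(context.getBeanNamesForType(UserDetailsService.class)).isEmpty();
    }

    private static boolean isFullMatch(Map<String, ConditionAndOutcomes> outcomes, String source) {
        ConditionAndOutcomes result = outcomes.get(source); // null if the class was never evaluated
        return result != null && result.isFullMatch();
    }
}
```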
@jegalirisoft

Try this workaround: exclude the UserDetailsServiceAutoConfiguration

    @SpringBootApplication(exclude = [UserDetailsServiceAutoConfiguration::class])

@kse-music
Contributor

It was fixed by #43334

@rwinch
Member

rwinch commented Dec 3, 2024

Thanks for the comment, @kse-music. Closing as duplicate of spring-projects/spring-boot#43334

@rwinch rwinch closed this as completed Dec 3, 2024
@rwinch rwinch self-assigned this Dec 3, 2024
@rwinch rwinch added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 3, 2024