Skip to content

ServerHttpSecurityConfiguration creates a circular dependency with WebFluxConfigurationSupport #10076

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wilkinsona opened this issue Jul 14, 2021 · 5 comments
Assignees
Labels
in: config An issue in spring-security-config type: bug A general bug
Milestone

Comments

@wilkinsona
Copy link
Member

Describe the bug

ServerHttpSecurityConfiguration defines a WebFluxConfigurer bean while also injecting a ReactiveAdapterRegistry. The ReactiveAdapterRegistry is defined by WebFluxConfigurationSupport but WebFluxConfigurationSupport also needs to be initialized with every WebFluxConfigurer bean. This creates a cycle between the two configuration classes. Framework is able to mask this cycle when the bean factory is configured to allow circular references. When circular references are prohibited, application context refresh fails with a BeanCurrentlyInCreationException.

To Reproduce

Run that attached sample with ./gradlew bootRun or import it into your IDE and run the main method.

Expected behavior

Spring Security can be used with WebFlux when the bean factory is configured to prohibit circular references.

Sample

webflux-security-dependency-cycle.zip

@wilkinsona wilkinsona added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jul 14, 2021
@sjohnr sjohnr added the in: config An issue in spring-security-config label Jul 16, 2021
@sjohnr sjohnr removed the status: waiting-for-triage An issue we've not yet triaged label Jul 16, 2021
@eleftherias
Copy link
Contributor

Thanks @wilkinsona.
It seems the underlying issue is spring-projects/spring-framework#25166.

A workaround could be to move the authenticationPrincipalArgumentResolverConfigurer to a different configuration.
That would prevent the error on startup, but a cycle would still exist.

I will discuss with the team and provide an update.

@wilkinsona
Copy link
Member Author

wilkinsona commented Jul 21, 2021

Thanks for the update, Ria. It looks like #8613 was an attempt to work around the underlying behaviour in Framework. I wonder if that could be taken a step further, perhaps by making authenticationPrincipalArgumentResolverConfigurer static?

@eleftherias
Copy link
Contributor

I wonder if that could be take a step further, perhaps by making authenticationPrincipalArgumentResolverConfigurer static?

Yes, that would fix it as well.

@eleftherias eleftherias added this to the 5.6.0-M2 milestone Aug 11, 2021
@eleftherias
Copy link
Contributor

Thanks for bringing this up @wilkinsona.
I went ahead and made authenticationPrincipalArgumentResolverConfigurer static, as you suggested.

@wilkinsona
Copy link
Member Author

Excellent. Thanks very much, @eleftherias.

akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
Workaround for circular dependency between ServerHttpSecurityConfiguration and WebFluxConfigurationSupport.

Closes spring-projectsgh-10076
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: config An issue in spring-security-config type: bug A general bug
Projects
None yet
Development

No branches or pull requests

3 participants