@EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed

[wilkinsona]

Describe the bug

@EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed.

The preAuthorizeInterceptor bean defined in ReactiveAuthorizationManagerMethodSecurityConfiguration is an Advisor so it's created very early by the AOP infrastructure. It injects an ObjectProvider<ObservationRegistry> which should delay the creation of the ObservationRegistry. Unfortunately, this provider is passed into ReactiveAuthorizationManagerMethodSecurityConfiguration#manager which immediately calls getIfAvailable(). As a result the ObservationRegistry is created very early as part of setting up the AOP infrastructure and this prevents it from being post-processed.

To Reproduce

See the sample provided in spring-projects/spring-boot#34366.

Expected behavior

@EnableReactiveMethodSecurity does not prevent the ObservationRegistry from being post-processed.

Sample

See the sample provided in spring-projects/spring-boot#34366.

[cse050]

Hi Josh,

thx for resolving this.

Would you know which spring boot release which will contain this change?

bbd31f0

[philwebb]

@cse050 The fix will be in Spring Security 6.0.3 (check the milestone of this issue) which has not yet been released. Spring Security 6.0.3 is due to be released on April 17 which means it should be in Spring Boot 3.0.6