Spring Security 6.0.2 ObservationFilterChainDecorator produce wrong instrument names

[andrebask]

Describe the bug

Open Telemetry Java Agent version 1.21 don't like the Instrument names produced by Spring Security 6.0 (from Class ObservationFilterChainDecorator)

Here is the WARNING Log (It appears to be a warning but is logged with log lever error by Spring):

WARN io.opentelemetry.ApiUsageLogging - Instrument name "spring.security.filterchains.WebAsyncManagerIntegrationFilter.after" is invalid, returning noop instrument. Instrument names must consist of 63 or fewer characters including alphanumeric, _, ., -, and start with a letter. Returning noop instrument.

The instrument name is produced by Spring Security there :

spring-security/web/src/main/java/org/springframework/security/web/ObservationFilterChainDecorator.java

Line 185 in 7ef659a

parent.before().event(Observation.Event.of(this.name + ".before", "before " + this.name));

A fix for spaces in the name (#12490) has been released, however, the warning is still displayed, probably due to the length of the identifier.

To Reproduce
Using a simple Spring Boot 3.0.3 project with Kotlin 1.7, JDK 17, Spring Boot 3.0.3, Spring Security 6.0.2 and Maven. Using Open Telemetry java Agent v 1.21. The application is running in a docker container, but you can reproduce the problem with a java -jar springboot.jar -javaagent:opentelemetry-javaagent-all.jar

Docker File :

ARG OPENJDK_IMAGE=openjdk:17-slim-bullseye
ARG USER=app
ARG WORKDIR=/app
ARG OPENTELEMETRY_VERSION=1.21.0
ARG OPENTELEMETRY_REPO="https://github.com/open-telemetry/opentelemetry-java-instrumentation"
ARG OPENTELEMETRY_JAR_PATH="/releases/download/v${OPENTELEMETRY_VERSION}/opentelemetry-javaagent.jar"
ARG OPENTELEMETRY_JAR=opentelemetry-javaagent-all.jar

# Build
FROM busybox:stable AS builder

ARG USER
ARG WORKDIR
ARG OPENTELEMETRY_REPO
ARG OPENTELEMETRY_JAR_PATH
ARG OPENTELEMETRY_JAR

RUN addgroup ${USER} \
    && adduser -D -H -G ${USER} ${USER}

WORKDIR ${WORKDIR}

RUN wget -O ${OPENTELEMETRY_JAR} ${OPENTELEMETRY_REPO}${OPENTELEMETRY_JAR_PATH}

# Main
FROM ${OPENJDK_IMAGE}

ARG USER
ARG WORKDIR
ARG OPENTELEMETRY_JAR

COPY --from=builder /etc/group /etc/group
COPY --from=builder /etc/passwd /etc/passwd

USER ${USER}:${USER}
WORKDIR ${WORKDIR}

ENV JAVA_TOOL_OPTIONS=-javaagent:${OPENTELEMETRY_JAR}
COPY --from=builder ${WORKDIR} .

Expected behaviour

The expected behaviour is that Open Telemetry Java Agent doesn't create WARNING logs about Spring Security instrument names.

[FrankSpitulski]

@jzheaux this fix does not seem to have actually made it into 6.0.3 as the release notes say. https://github.com/spring-projects/spring-security/blob/6.0.3/web/src/main/java/org/springframework/security/web/ObservationFilterChainDecorator.java