
Add information about changed behaviour for resolving @AuthenticationPrincipal annotation #26791

Closed
@wimdeblauwe

Description


I just spent a few hours trying to figure out why my upgrade from Spring Boot 2.3.4 to 2.4.4 was not working.

I am using Keycloak for authentication and my REST controller uses this construct:

public ... methodName(@AuthenticationPrincipal KeycloakAuthenticationToken principal) {

This works in Spring Boot 2.3.4, but not in Spring Boot 2.4.4. The reason for this is that in Spring 5.3.1 a bug on ServletRequestMethodArgumentResolver was fixed.

Before the fix, the KeycloakAuthenticationToken was injected in the controller method via the ServletRequestMethodArgumentResolver. After the fix, the injection is supposed to be done by the AuthenticationPrincipalArgumentResolver, but that resolver always takes the principal of the authentication object. It does not check if the authentication object itself is also a principal, as in the case of Keycloak.

The workaround is to remove the @AuthenticationPrincipal annotation (which I find a pity, the annotation made it clear that this argument was getting injected by the framework).

Maybe a note can be added to the release notes for this, as others (1, 2) have also had the issue?
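The resolution behaviour described in the issue, shown as an added example (not code from the issue, from Spring or from the Keycloak adapter). It assumes the Keycloak Spring Security adapter, whose KeycloakAuthenticationToken is both an Authentication and a Principal and whose getPrincipal() returns a KeycloakPrincipal rather than the token itself; the controller name and endpoint paths are made up for illustration. The four signatures show which resolver handles the parameter after the Spring Framework 5.3.1 change and what that means for the value the method receives:

```java
// Added example, not part of the original issue. Controller name and paths are hypothetical.
// Assumes the Keycloak Spring Security adapter: KeycloakAuthenticationToken implements
// Authentication (hence java.security.Principal), and its getPrincipal() is a KeycloakPrincipal.
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WhoAmIController {

    // The construct from the issue. Since Spring Framework 5.3.1 an annotated parameter is
    // no longer picked up by ServletRequestMethodArgumentResolver; instead
    // AuthenticationPrincipalArgumentResolver supplies authentication.getPrincipal(), which
    // for Keycloak is a KeycloakPrincipal, not the token. The types do not match, and with
    // the default errorOnInvalidType = false the resolver quietly passes null.
    @GetMapping("/annotated")
    public String annotated(@AuthenticationPrincipal KeycloakAuthenticationToken token) {
        return token == null ? "no token resolved" : token.getName();
    }

    // Same signature but failing fast: errorOnInvalidType = true makes the resolver throw
    // on the type mismatch instead of handing over null, so the problem shows up on the
    // first request rather than as a NullPointerException somewhere downstream.
    @GetMapping("/annotated-strict")
    public String annotatedStrict(
            @AuthenticationPrincipal(errorOnInvalidType = true) KeycloakAuthenticationToken token) {
        return token.getName();
    }

    // The workaround from the issue: drop the annotation. An un-annotated parameter whose
    // type is a java.security.Principal is resolved by ServletRequestMethodArgumentResolver
    // from the request's user principal, which under the Keycloak adapter is the token.
    @GetMapping("/plain")
    public String plain(KeycloakAuthenticationToken token) {
        return token.getName();
    }

    // Alternative that keeps the framework injection explicit without depending on the
    // token being the principal: ask for the Authentication and narrow it with a type check.
    @GetMapping("/authentication")
    public String fromAuthentication(Authentication authentication) {
        if (authentication instanceof KeycloakAuthenticationToken) {
            KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
            return token.getName();
        }
        return "not authenticated with Keycloak";
    }
}
```

Of the two annotated variants, the strict one is the safer default while migrating: a resolver that returns null for a mismatched type turns a wiring mistake into a runtime null, whereas errorOnInvalidType = true turns it into an immediate, visible failure.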
