Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WARN Bean 'grantedAuthorityDefaults' of type [org.springframework.security.config.core.GrantedAuthorityDefaults] is not eligible for getting processed by all BeanPostProcessors #14751

Closed
paschm opened this issue Mar 14, 2024 · 5 comments · May be fixed by #14779
Closed

WARN Bean 'grantedAuthorityDefaults' of type [org.springframework.security.config.core.GrantedAuthorityDefaults] is not eligible for getting processed by all BeanPostProcessors #14751

paschm opened this issue Mar 14, 2024 · 5 comments · May be fixed by #14779
Assignees
@marcusdacoregio
Labels
in: docs An issue in Documentation or samples status: duplicate A duplicate of another issue type: bug A general bug

Comments

@paschm
Copy link

paschm commented Mar 14, 2024
edited

Describe the bug
If a custom GrantedAuthorityDefaults is initialized to override the default role prefix this leads to following warnings logged by the BeanPostProcessorChecker in spring-context:

2024-03-14T16:28:37.521+01:00  WARN 27592 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'securityConfig' of type [com.example.demo.SecurityConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
2024-03-14T16:28:37.524+01:00  WARN 27592 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'grantedAuthorityDefaults' of type [org.springframework.security.config.core.GrantedAuthorityDefaults] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.

where securityConfig initializes grantedAuthorityDefaults

@Configuration
@EnableMethodSecurity(
        jsr250Enabled = true
)
public class SecurityConfig {

    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");    // Remove the ROLE_ prefix
    }
}

As prerequisites method security must be enabled with jsr250 annotation support ( see above ) and additional BeanPostProcessors must be registered, i. e. by adding spring-actuator to the classpath.

Side note: As of Spring 6.1.0 messages are logged with level WARN instead of INFO, if beans are ineligible for complete post-processing. See spring-projects/spring-framework#24092 for more details. This is why we noticed this behaviour. There doesn't seem to be any practical impacts at least not in our applications with the BeanPostProcessors we are using.

To Reproduce
The behaviour is reproducable with spring-boot 3.2.3, which uses spring framework 6.1.4 and spring-security 6.2.2 under the hood. Just run the Application in this example project demo.zip.

Expected behavior
No warnings regarding ineligible beans for complete post-processing should be logged.

Sample

demo.zip
@paschm paschm added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Mar 14, 2024
@marcusdacoregio
Copy link
Contributor

Hi, @paschm. Can you verify if making your bean method static solves the problem? Another alternative is to declare it as a infrastructural bean as mentioned in this comment.

@marcusdacoregio marcusdacoregio removed the status: waiting-for-triage An issue we've not yet triaged label Mar 14, 2024
@marcusdacoregio marcusdacoregio self-assigned this Mar 14, 2024
@paschm
Copy link
Author

paschm commented Mar 15, 2024

Hello @marcusdacoregio,

thanks for your advice.

Can you verify if making your bean method static solves the problem?

@Configuration
@EnableMethodSecurity(
        jsr250Enabled = true
)
public class SecurityConfig {

    @Bean
    public static GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");    // Remove the ROLE_ prefix
    }
}

still leads to

2024-03-15T09:08:34.319+01:00 WARN 17856 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'grantedAuthorityDefaults' of type [org.springframework.security.config.core.GrantedAuthorityDefaults] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.

Another alternative is to declare it as a infrastructural bean as mentioned in #14209 (comment).

@Configuration
@EnableMethodSecurity(
        jsr250Enabled = true
)
public class SecurityConfig {

    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");    // Remove the ROLE_ prefix
    }
}

leads to

2024-03-15T08:24:00.647+01:00 WARN 25184 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'securityConfig' of type [com.example.demo.SecurityConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.

The combination of both ( static + role hint ) does work and the bean seems to be initialized

@Configuration
@EnableMethodSecurity(
        jsr250Enabled = true
)
public class SecurityConfig {

    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    public static GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");    // Remove the ROLE_ prefix
    }
}

Maybe the addition of the role hint should be added to the documentation? https://docs.spring.io/spring-security/reference/servlet/authorization/architecture.html#authz-authorities

@marcusdacoregio
Copy link
Contributor

Thanks for checking @paschm.

The reason that happens is because the GrantedAuthorityDefaults bean is used very early in the application initialization when configuring the MethodInterceptors for Method Security. I agree with you that it is important to alert users that if they are using @EnableMethodSecurity they should consider adding @Role(BeanDefinition.ROLE_INFRASTRUCTURE) in addition to their bean method being static.

Are you interested in submitting a PR that updates the documentation?

@marcusdacoregio marcusdacoregio added the in: docs An issue in Documentation or samples label Mar 15, 2024
@paschm paschm mentioned this issue Mar 19, 2024
Open
@paschm
Copy link
Author

paschm commented Mar 19, 2024

Hello @marcusdacoregio,

Are you interested in submitting a PR that updates the documentation?

I submitted a PR, see above. I didn't extend the xml example, as we don't use xml configuration any more and I don't know how you can do a infrastructure bean declaration in this case. Feel free to extend it yourself, if necessary.

@marcusdacoregio
Copy link
Contributor

Closed in favor of https://github.com/spring-projects/spring-security/pull/14779/files

@marcusdacoregio marcusdacoregio added the status: duplicate A duplicate of another issue label Mar 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcusdacoregio marcusdacoregio

Labels
in: docs An issue in Documentation or samples status: duplicate A duplicate of another issue type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

doc: added hint to declare GrantedAuthorityDefaults as infrastructure bean paschm/spring-security
2 participants
@paschm @marcusdacoregio