Describe the bug
If a custom GrantedAuthorityDefaults is initialized to override the default role prefix this leads to following warnings logged by the BeanPostProcessorChecker in spring-context:
2024-03-14T16:28:37.521+01:00 WARN 27592 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'securityConfig' of type [com.example.demo.SecurityConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
2024-03-14T16:28:37.524+01:00 WARN 27592 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'grantedAuthorityDefaults' of type [org.springframework.security.config.core.GrantedAuthorityDefaults] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
where securityConfig initializes grantedAuthorityDefaults
@Configuration
@EnableMethodSecurity(
jsr250Enabled = true
)
public class SecurityConfig {
@Bean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
return new GrantedAuthorityDefaults(""); // Remove the ROLE_ prefix
}
}
As prerequisites method security must be enabled with jsr250 annotation support ( see above ) and additional BeanPostProcessors must be registered, i. e. by adding spring-actuator to the classpath.
Side note: As of Spring 6.1.0 messages are logged with level WARN instead of INFO, if beans are ineligible for complete post-processing. See spring-projects/spring-framework#24092 for more details. This is why we noticed this behaviour. There doesn't seem to be any practical impacts at least not in our applications with the BeanPostProcessors we are using.
To Reproduce
The behaviour is reproducable with spring-boot 3.2.3, which uses spring framework 6.1.4 and spring-security 6.2.2 under the hood. Just run the Application in this example project demo.zip.
Expected behavior
No warnings regarding ineligible beans for complete post-processing should be logged.
Sample
demo.zip
Describe the bug
If a custom
GrantedAuthorityDefaultsis initialized to override the default role prefix this leads to following warnings logged by theBeanPostProcessorCheckerinspring-context:where
securityConfiginitializesgrantedAuthorityDefaultsAs prerequisites method security must be enabled with jsr250 annotation support ( see above ) and additional BeanPostProcessors must be registered, i. e. by adding
spring-actuatorto the classpath.Side note: As of Spring 6.1.0 messages are logged with level
WARNinstead ofINFO, if beans are ineligible for complete post-processing. See spring-projects/spring-framework#24092 for more details. This is why we noticed this behaviour. There doesn't seem to be any practical impacts at least not in our applications with the BeanPostProcessors we are using.To Reproduce
The behaviour is reproducable with spring-boot 3.2.3, which uses spring framework 6.1.4 and spring-security 6.2.2 under the hood. Just run the Application in this example project demo.zip.
Expected behavior
No warnings regarding ineligible beans for complete post-processing should be logged.
Sample
demo.zip