Skip to content

when use deprecated EnableGlobalMethodSecurity: almost all beans output WAN BeanPostProcessorChecker message #14209

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
billschen opened this issue Nov 28, 2023 · 7 comments
Closed

when use deprecated EnableGlobalMethodSecurity: almost all beans output WAN BeanPostProcessorChecker message #14209

billschen opened this issue Nov 28, 2023 · 7 comments
Assignees
@jzheaux @marcusdacoregio
Labels
for: stackoverflow A question that's better suited to stackoverflow.com

Comments

@billschen
Copy link

Expected Behavior

WAN BeanPostProcessorChecker message may not out put.
Current Behavior

almost all beans out put warn message like :
2023-11-28T17:59:42.291+08:00 WARN 18703 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'blockRepository' of type [jdk.proxy2.$Proxy156] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [projectingArgumentResolverBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
Context

I upgrade code to spring boot 2.3,but let deprecated EnableGlobalMethodSecurity in code unfortunately。when run code,
almost every beans out put message like above。
I don't define a BeanPostProcessor name ProjectingArgumentResolverBeanPostProcessor in my code.
those WARN message seriously slowing down the startup speed.
when upgrade EnableGlobalMethodSecurity to EnableMethodSecurity
warn message gone.
I put issue in spring-boot/issues/38558 and spring-data-jpa/issues/3244 and confirm the problem with peoples help 。
I create a minimal example and upload.
checker.zip
I think is a good idea to avoid the warnings when use deprecated EnableGlobalMethodSecurity annotation
@billschen billschen added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Nov 28, 2023
@shivtrpm
Copy link

@billschen That's good you made the WARNs disappear by upgrading to [EnableMethodSecurity]. But, in my case I do not use any such annotations. Yet, still get those warns. These warns were never on 3.0.5 from which I migrated to 3.2.1

@billschen
Copy link
Author

warns were never o

my be you can try to comment some config class to identify which class make to warn message out put.

@marcusdacoregio marcusdacoregio self-assigned this Dec 1, 2023
@marcusdacoregio marcusdacoregio removed the status: waiting-for-triage An issue we've not yet triaged label Dec 1, 2023
@marcusdacoregio
Copy link
Contributor

Hi @billschen, thanks for the report. @shivtrpm if I understand correctly, you have the WARN logs but you are not using either @EnableGlobalMethodSecurity or @EnableMethodSecurity? If so, can you provide a minimal, reproducible sample?

@nikolay-hr
Copy link

nikolay-hr commented Dec 1, 2023
edited
Loading

If you create a new project from https://start.spring.io/ using only Spring Boot 3.2.0 and adding spring-boot-starter-web-services a very simmilar warning shows up without adding annithing else:
WARN 11184 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.ws.config.annotation.DelegatingWsConfiguration' of type [org.springframework.ws.config.annotation.DelegatingWsConfiguration$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). The currently created BeanPostProcessor [annotationActionEndpointMapping] is declared through a non-static factory method on that class; consider declaring it as static instead.
Sorry for the off-topic but I saw this issue and didn't want open a new one.
Everything works fine but it is confusing why this warning shows up without adding any code or configuration into a clean new spring project.
Edit: The warning is coming from here

@jzheaux
Copy link
Contributor

jzheaux commented Dec 1, 2023
edited
Loading

Hi, @billschen. The reason that you see these warnings is due to the beans your application needs the expression handler to access.

Method interceptors are configured very early in the application context lifecycle, so when you do the following:

@Component
public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    public CustomMethodSecurityExpressionHandler(FooBarService fooBarService, BlockRepository blockRepository) {
        this.fooBarService = fooBarService;
        this.blockRepository = blockRepository;
    }

    // ...
}

It pushes the creation of FooBarService (and anything it depends on) and BlockRepository (and anything it depends on) into the same part of the application context lifecycle.

This step in the application context lifecycle is too early for bean post-processing, and thus the warning message for those beans.

Use beans in your annotations

My primary recommendation is to not use a custom expression handler. Instead, consider referencing your beans directly in your expressions like so:

@Component("authz")
public class AuthorizationFacade {
    private final FooBarService foobar;
    private final BlockRepository blocks;

    // ...

    public boolean hasRole(String role) {
        // ... perform authorization logic
    }

    // ...
}

// ...

@PreAuthorize("@authz.hasRole('USER')")

This decouples your authorization logic from Spring Security as well as likely making it easier to test.

Declare Infrastructural Beans

The alternative way to resolve this is two-fold:

First, you need to declare your method handler as an infrastructural bean:

@Component
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
public class CustomMethodSecurityExpressionHandler ...

And second, either the other beans need to be infrastructural (doubtful) or they need to be accessed lazily by the expression handler as follows:

public CustomMethodSecurityExpressionHandler(ObjectProvider<FooBarService> fooBarService, ObjectProvider<BlockRepository> blockRepository) {
    this.fooBarService = fooBarService;
    this.blockRepository = blockRepository;
}

@Override
protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {
    CustomMethodSecurityExpressionRoot root = 
        new CustomMethodSecurityExpressionRoot(authentication, fooBarService.getIfAvailable(), blockRepository.getIfAvailable());

    root.setPermissionEvaluator(this.getPermissionEvaluator());
    root.setTrustResolver(this.trustResolver);
    root.setRoleHierarchy(this.getRoleHierarchy());
    return root;

}

Can you please try these and tell me if one works for you?

@jzheaux jzheaux added the status: waiting-for-feedback We need additional information before we can continue label Dec 1, 2023
@jzheaux jzheaux self-assigned this Dec 1, 2023
@jzheaux jzheaux added for: stackoverflow A question that's better suited to stackoverflow.com and removed type: enhancement A general enhancement labels Dec 1, 2023
@billschen
Copy link
Author

@jzheaux 👍 thank you very match! It works for me!. I agree the best solution is to not use a custom expression handler and consider referencing your beans directly in your expressions

@billschen
Copy link
Author

@billschen That's good you made the WARNs disappear by upgrading to [EnableMethodSecurity]. But, in my case I do not use any such annotations. Yet, still get those warns. These warns were never on 3.0.5 from which I migrated to 3.2.1
please contract me with email [email protected]

@billschen billschen closed this as not planned Won't fix, can't repro, duplicate, stale Dec 8, 2023
@jzheaux jzheaux removed the status: waiting-for-feedback We need additional information before we can continue label Dec 12, 2023
@wilkinsona wilkinsona mentioned this issue Jan 17, 2024
Closed
@marcusdacoregio marcusdacoregio mentioned this issue Mar 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

@marcusdacoregio marcusdacoregio

Labels
for: stackoverflow A question that's better suited to stackoverflow.com
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jzheaux @nikolay-hr @marcusdacoregio @billschen @shivtrpm