WARN Bean 'grantedAuthorityDefaults' of type [org.springframework.security.config.core.GrantedAuthorityDefaults] is not eligible for getting processed by all BeanPostProcessors

[paschm]

Describe the bug
If a custom GrantedAuthorityDefaults is initialized to override the default role prefix this leads to following warnings logged by the BeanPostProcessorChecker in spring-context:

2024-03-14T16:28:37.521+01:00  WARN 27592 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'securityConfig' of type [com.example.demo.SecurityConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
2024-03-14T16:28:37.524+01:00  WARN 27592 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'grantedAuthorityDefaults' of type [org.springframework.security.config.core.GrantedAuthorityDefaults] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.

where securityConfig initializes grantedAuthorityDefaults

@Configuration
@EnableMethodSecurity(
        jsr250Enabled = true
)
public class SecurityConfig {

    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");    // Remove the ROLE_ prefix
    }
}

As prerequisites method security must be enabled with jsr250 annotation support ( see above ) and additional BeanPostProcessors must be registered, i. e. by adding spring-actuator to the classpath.

Side note: As of Spring 6.1.0 messages are logged with level WARN instead of INFO, if beans are ineligible for complete post-processing. See spring-projects/spring-framework#24092 for more details. This is why we noticed this behaviour. There doesn't seem to be any practical impacts at least not in our applications with the BeanPostProcessors we are using.

To Reproduce
The behaviour is reproducable with spring-boot 3.2.3, which uses spring framework 6.1.4 and spring-security 6.2.2 under the hood. Just run the Application in this example project demo.zip.

Expected behavior
No warnings regarding ineligible beans for complete post-processing should be logged.

Sample

demo.zip

[marcusdacoregio]

Hi, @paschm. Can you verify if making your bean method static solves the problem? Another alternative is to declare it as a infrastructural bean as mentioned in this comment.

[paschm]

Hello @marcusdacoregio,

thanks for your advice.

Can you verify if making your bean method static solves the problem?

@Configuration
@EnableMethodSecurity(
        jsr250Enabled = true
)
public class SecurityConfig {

    @Bean
    public static GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");    // Remove the ROLE_ prefix
    }
}

still leads to

2024-03-15T09:08:34.319+01:00 WARN 17856 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'grantedAuthorityDefaults' of type [org.springframework.security.config.core.GrantedAuthorityDefaults] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.

Another alternative is to declare it as a infrastructural bean as mentioned in #14209 (comment).

@Configuration
@EnableMethodSecurity(
        jsr250Enabled = true
)
public class SecurityConfig {

    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");    // Remove the ROLE_ prefix
    }
}

leads to

2024-03-15T08:24:00.647+01:00 WARN 25184 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'securityConfig' of type [com.example.demo.SecurityConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.

The combination of both ( static + role hint ) does work and the bean seems to be initialized

@Configuration
@EnableMethodSecurity(
        jsr250Enabled = true
)
public class SecurityConfig {

    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    public static GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");    // Remove the ROLE_ prefix
    }
}

Maybe the addition of the role hint should be added to the documentation? https://docs.spring.io/spring-security/reference/servlet/authorization/architecture.html#authz-authorities

[marcusdacoregio]

Thanks for checking @paschm.

The reason that happens is because the GrantedAuthorityDefaults bean is used very early in the application initialization when configuring the MethodInterceptors for Method Security. I agree with you that it is important to alert users that if they are using @EnableMethodSecurity they should consider adding @Role(BeanDefinition.ROLE_INFRASTRUCTURE) in addition to their bean method being static.

Are you interested in submitting a PR that updates the documentation?

[paschm]

Hello @marcusdacoregio,

Are you interested in submitting a PR that updates the documentation?

I submitted a PR, see above. I didn't extend the xml example, as we don't use xml configuration any more and I don't know how you can do a infrastructure bean declaration in this case. Feel free to extend it yourself, if necessary.

[marcusdacoregio]

Closed in favor of https://github.com/spring-projects/spring-security/pull/14779/files