Spring Security Auto-Configuration regression between Spring Boot 3.3.6 and 3.4.0 #16181
Description
Describe the bug
Creating a new fresh Spring Boot application with Spring Security and Spring WebFlux leads to have ReactiveUserDetailsServiceAutoConfiguration and UserDetailsServiceAutoConfiguration both applied in SB 3.4.0 while only the former was in SB 3.3.6.
To Reproduce
Create a new fresh Spring Boot application with Spring Security and Spring WebFlux in SB 3.4.0 with Spring Initializr for instance.
Start the application and check the logs, you will see generated password-related messages twice:
`
2024-11-27T08:48:02.763+01:00 INFO 49735 --- [spring-security-reactive-bug] [ main] ReactiveUserDetailsServiceAutoConfiguration :
Using generated security password: 0240859f-fb08-426d-8557-ef1faa497055
...
2024-11-27T08:48:02.828+01:00 WARN 49735 --- [spring-security-reactive-bug] [ main] .s.s.UserDetailsServiceAutoConfiguration :
Using generated security password: 0240859f-fb08-426d-8557-ef1faa497055
This generated password is for development use only. Your security configuration must be updated before running your application in production.
`
Enabling the debug mode also reveals that both auto-configuration classes do match.
Expected behavior
In reactive mode, I do not expect the non-reactive autoconfiguration to be applied but only the reactive one as it was the case in SB 3.3.6.
Sample
The sample is so trivial that I let you create such an empty application.
** Personal investigation **
My investigation lets me think that the issue comes from the deprecation of the org.springframework.security.config.annotation.ObjectPostProcessor interface in favor of the other org.springframework.security.config.ObjectPostProcessor interface. The UserDetailsServiceAutoConfiguration has the conditional bean annotation @ConditionalOnBean(org.springframework.security.config.ObjectPostProcessor.class). In SB 3.3.6, no such beans were available in my example application but in SB 3.4.0, several ones are available, coming, at first sight, from that ObjectPostProcessor move for some beans.