Replace bean method calls with injection #6853
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
eleftherias
changed the title
eleftherias
force-pushed
the
gh-2818-proxyless-configuration
branch
from
bf01f1c to
2010510
Compare
jgrandja
reviewed
May 9, 2019
There was a problem hiding this comment.
Thanks for the PR @eleftherias ! I left a couple comments for you.
| @@ -103,12 +103,10 @@ public static InitializeAuthenticationProviderBeanManagerConfigurer initializeAu | |||
| return new InitializeAuthenticationProviderBeanManagerConfigurer(context); | |||
| } | |||
|
|
|||
| public AuthenticationManager getAuthenticationManager() throws Exception { | |||
| public AuthenticationManager getAuthenticationManager(AuthenticationManagerBuilder authBuilder) throws Exception { | |||
There was a problem hiding this comment.
This is a major API change so it could only be allowed in Spring Security 6.0. Is this issue scheduled for 6.0? For more info around versioning see Semantic Versioning
There was a problem hiding this comment.
I struggle with this a little bit because we want to guarantee that the AuthenticationManagerBuilder is actually a Bean. Perhaps we could change to do this:
AuthenticationManagerBuilder authBuilder = this.applicationContext.getBean(AuthenticationManagerBuilder.class);| */ | ||
| @Bean | ||
| public MethodInterceptor methodSecurityInterceptor() throws Exception { | ||
| public MethodInterceptor methodSecurityInterceptor(MethodSecurityMetadataSource methodSecurityMetadataSource) { |
There was a problem hiding this comment.
Same reason as above re: Semantic Versioning
There was a problem hiding this comment.
I don't think this is avoidable. Given the high priority of this and the low likely hood of causing users any problems, I think this breaking change is ok.
| @@ -64,15 +62,13 @@ | |||
| * @since 3.2 | |||
| */ | |||
| @Configuration | |||
| public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware { | |||
There was a problem hiding this comment.
Same reason as above re: Semantic Versioning
There was a problem hiding this comment.
This change isn't neccessary, I did not consider the configurations that are extending this one. Will revert it back to implementing BeanClassLoaderAware.
eleftherias
force-pushed
the
gh-2818-proxyless-configuration
branch
from
2010510 to
253f963
Compare
rwinch
requested changes
May 10, 2019
There was a problem hiding this comment.
Thanks for the PR @eleftherias!
I left questions inline. I also think it would be good for us to add some new tests that ensure that we are now supporting proxyBeanMethods = false properly.
| @@ -113,6 +119,10 @@ public CurrentSecurityContextArgumentResolver reactiveCurrentSecurityContextArgu | |||
|
|
|||
| @Bean(HTTPSECURITY_BEAN_NAME) | |||
| @Scope("prototype") | |||
| public ServerHttpSecurity serverHttpSecurity() { | |||
There was a problem hiding this comment.
Can you explain why this change is necessary?
There was a problem hiding this comment.
There is a test that uses the httpSecurity() method.
If we separate the bean method from the method that creates the object then we avoid calling the bean method in the test.
Unless we aren't concerned about the test using the bean method because it's creating a new instance of
ServerHttpSecurityConfiguration?
There was a problem hiding this comment.
When it just performs new it won't create a Bean since nothing is processing the annotation.
| @@ -103,12 +103,10 @@ public static InitializeAuthenticationProviderBeanManagerConfigurer initializeAu | |||
| return new InitializeAuthenticationProviderBeanManagerConfigurer(context); | |||
| } | |||
|
|
|||
| public AuthenticationManager getAuthenticationManager() throws Exception { | |||
| public AuthenticationManager getAuthenticationManager(AuthenticationManagerBuilder authBuilder) throws Exception { | |||
There was a problem hiding this comment.
I struggle with this a little bit because we want to guarantee that the AuthenticationManagerBuilder is actually a Bean. Perhaps we could change to do this:
AuthenticationManagerBuilder authBuilder = this.applicationContext.getBean(AuthenticationManagerBuilder.class);| * {@code <SecurityConfigurer<FilterChainProxy, WebSecurityBuilder>} instances used to | ||
| * create the web configuration | ||
| * @throws Exception | ||
| */ | ||
| @Autowired(required = false) | ||
| public void setFilterChainProxySecurityConfigurer( | ||
| ObjectPostProcessor<Object> objectPostProcessor, | ||
| @Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers) | ||
| AutowiredWebSecurityConfigurersIgnoreParents autowiredWebSecurityConfigurersIgnoreParents) |
There was a problem hiding this comment.
Can you explain why this change is necessary? A concern I have is that setting List<SecurityConfigurer<Filter, WebSecurity>> is agnostic to have we got it and only the annotation instructs how to look up the value. Another concern is that AutowiredWebSecurityConfigurersIgnoreParents is package private.
There was a problem hiding this comment.
This change is not neccessary. I have reverted it.
| @@ -71,8 +70,6 @@ | |||
|
|
|||
| private List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers; | |||
|
|
|||
| private ClassLoader beanClassLoader; | |||
There was a problem hiding this comment.
I see that we don't need beanClassLoader, but since it is unrelated can we please put it in another PR?
...springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java
Show resolved
Hide resolved
eleftherias
force-pushed
the
gh-2818-proxyless-configuration
branch
2 times, most recently
from
40cad29 to
642abd5
Compare
rwinch
requested changes
May 16, 2019
There was a problem hiding this comment.
Thanks for the changes @eleftherias! It appears there are some other places that need to be fixed. For example, AbstractSecurityWebSocketMessageBrokerConfigurer invokes csrfChannelInterceptor(). The way I found it was by searching for @Bean in config/src/main/java and then for each method that used @Bean, I looked for references in the main source directory. Here is a listing of the locations I found @Bean that should be checked:
org/springframework/security/config/annotation/configuration/ObjectPostProcessorConfiguration.java: @Bean
org/springframework/security/config/annotation/configuration/ObjectPostProcessorConfiguration.java- public ObjectPostProcessor<Object> objectPostProcessor(
--
org/springframework/security/config/annotation/method/configuration/Jsr250MetadataSourceConfiguration.java: @Bean
org/springframework/security/config/annotation/method/configuration/Jsr250MetadataSourceConfiguration.java- public Jsr250MethodSecurityMetadataSource jsr250MethodSecurityMetadataSource() {
--
org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfiguration.java: @Bean(SPRING_SECURITY_WEBFILTERCHAINFILTER_BEAN_NAME)
org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfiguration.java- @Order(value = WEB_FILTER_CHAIN_FILTER_ORDER)
--
org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfiguration.java: @Bean(name = AbstractView.REQUEST_DATA_VALUE_PROCESSOR_BEAN_NAME)
org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfiguration.java- public CsrfRequestDataValueProcessor requestDataValueProcessor() {
--
org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfiguration.java- public static BeanFactoryPostProcessor conversionServicePostProcessor() {
--
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java- public static DelegatingApplicationListener delegatingApplicationListener() {
--
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java- @DependsOn(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
--
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java: @Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java- public Filter springSecurityFilterChain() throws Exception {
--
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java- @DependsOn(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
--
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java- public static BeanFactoryPostProcessor conversionServicePostProcessor() {
--
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java- public static AutowiredWebSecurityConfigurersIgnoreParents autowiredWebSecurityConfigurersIgnoreParents(
--
org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java- public MethodInterceptor methodSecurityInterceptor(MethodSecurityMetadataSource methodSecurityMetadataSource) {
--
org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java- public MethodSecurityMetadataSource methodSecurityMetadataSource() {
--
org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java- public PreInvocationAuthorizationAdvice preInvocationAuthorizationAdvice() {
--
org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java: @Bean
org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java- public AuthenticationManagerBuilder authenticationManagerBuilder(
--
org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java: @Bean
org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java- public static GlobalAuthenticationConfigurerAdapter enableGlobalAuthenticationAutowiredConfigurer(
--
org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java: @Bean
org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java- public static InitializeUserDetailsBeanManagerConfigurer initializeUserDetailsBeanManagerConfigurer(ApplicationContext context) {
--
org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java: @Bean
org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java- public static InitializeAuthenticationProviderBeanManagerConfigurer initializeAuthenticationProviderBeanManagerConfigurer(ApplicationContext context) {
--
org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java- public RequestDataValueProcessor requestDataValueProcessor() {
--
org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java- public WebFluxConfigurer authenticationPrincipalArgumentResolverConfigurer(
--
org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java- public AuthenticationPrincipalArgumentResolver authenticationPrincipalArgumentResolver() {
--
org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java- public CurrentSecurityContextArgumentResolver reactiveCurrentSecurityContextArgumentResolver() {
--
org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java: @Bean(HTTPSECURITY_BEAN_NAME)
org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java- @Scope("prototype")
--
org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.java- @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
--
org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.java- public DelegatingMethodSecurityMetadataSource methodMetadataSource(MethodSecurityExpressionHandler methodSecurityExpressionHandler) {
--
org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.java- public PrePostAdviceReactiveMethodInterceptor securityMethodInterceptor(AbstractMethodSecurityMetadataSource source, MethodSecurityExpressionHandler handler) {
--
org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.java- public DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler() {
--
org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java: @Bean
org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java- public CsrfChannelInterceptor csrfChannelInterceptor() {
--
org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java: @Bean
org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java- public ChannelSecurityInterceptor inboundChannelSecurity() {
--
org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java: @Bean
org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java- public SecurityContextChannelInterceptor securityContextChannelInterceptor() {
--
org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java: @Bean
org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java- public MessageSecurityMetadataSource inboundMessageSecurityMetadataSource() {
--
org/springframework/security/config/annotation/web/servlet/configuration/WebMvcSecurityConfiguration.java: @Bean
org/springframework/security/config/annotation/web/servlet/configuration/WebMvcSecurityConfiguration.java- public RequestDataValueProcessor requestDataValueProcessor() {
|
@rwinch Thanks for pointing that out. I limited my search to |
eleftherias
force-pushed
the
gh-2818-proxyless-configuration
branch
from
642abd5 to
dcbeba5
Compare
eleftherias
commented
May 21, 2019
| @@ -153,9 +153,9 @@ public CsrfChannelInterceptor csrfChannelInterceptor() { | |||
| } | |||
|
|
|||
| @Bean | |||
| public ChannelSecurityInterceptor inboundChannelSecurity() { | |||
| public ChannelSecurityInterceptor inboundChannelSecurity(MessageSecurityMetadataSource messageSecurityMetadataSource) { | |||
There was a problem hiding this comment.
This is another breaking change.
rwinch
requested changes
May 21, 2019
| @@ -172,51 +171,49 @@ public AuthenticationManager authenticationManager() { | |||
| return this.authenticationManager; | |||
| } | |||
| } | |||
| // | |||
There was a problem hiding this comment.
There seem to be some formatting changes in the code within this commit. While overall, they are a good thing I think we should move it to another PR or at minimum a separate commit. The reason is it helps us know the intent of the changes when being reviewed or when looking through commit history if we are trying to figure out a bug at some point.
This is so that our configuration classes do not rely on CGLIB to proxy bean methods. Fixes spring-projectsgh-6818
eleftherias
force-pushed
the
gh-2818-proxyless-configuration
branch
from
dcbeba5 to
a50d9e3
Compare
rwinch
approved these changes
Jun 3, 2019
rwinch
added
in: config
|
Thanks @eleftherias! This is now merged into master |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is so that our configuration classes do not rely on CGLIB to proxy bean methods.
Fixes gh-6818