fix: remove Lazy annotation from Flow security beans

[mcollovati]

Description

For parameters with Lazy annotation, Spring generates a not-serializable proxy. Since some security beans are used inside Flow listeners, they should be fully serializable (or defined transient, if possible).
This change removes the unnecessary Lazy annotaions, moving the lazy evaluation to VaadinWebSecurity.

Fixes #18458

Type of change

• Bugfix
• Feature

Checklist

• I have read the contribution guide: https://vaadin.com/docs/latest/guide/contributing/overview/
• I have added a description following the guideline.
• The issue is created in the corresponding repository and I have referenced it.
• I have added tests to ensure my change is effective and works as intended.
• New and existing tests are passing locally with my change.
• I have performed self-review and corrected misspellings.

Additional for Feature type of change

• Enhancement / new feature was discussed in a corresponding GitHub issue and Acceptance Criteria were created.

[github-actions]

Test Results

1 055 files  ± 0  1 055 suites  ±0   1h 13m 58s ⏱️ +19s
6 799 tests + 1  6 754 ✅ + 1  45 💤 ±0  0 ❌ ±0 
7 086 runs   - 14  7 030 ✅  - 14  56 💤 ±0  0 ❌ ±0 

Results for commit 124c117. ± Comparison against base commit 995caf0.

♻️ This comment has been updated with latest results.

[knoobie]

Would it also make sense to add proxyBeanMethods=false to the @Configuration so that all beans in that class aren't proxied? This would also ensure this isn't reintroduced by accident.

[mcollovati]

If I recall correctly, proxyBeanMethods=false prevents the configuration class to be proxied, not the exposed beans.
Anyway, it makes sense to set that flag, since we have no direct method calls in SpringSecurityAutoConfiguration

[knoobie]

I had the same assumption in the past :) until I've read the javadocs of the flag:

Specify whether @bean methods should get proxied in order to enforce bean lifecycle behavior, e.g. to return shared singleton bean instances even in case of direct @bean method calls in user code. This feature requires method interception, implemented through a runtime-generated CGLIB subclass which comes with limitations such as the configuration class and its methods not being allowed to declare final.

[mcollovati]

I read it as "configuration class is proxied so that bean methods will always return the same instance when called by other methods of the class". My understanding is that when, for example, you call annotatedViewAccessChecker() from another method inside the SpringSecurityAutoConfiguration class, it creates the instance at the first call, and subsequent invocation will return that one instead of a new instance how it would happen if the configuration class is not proxied.
So, SpringSecurityAutoConfiguration methods are proxied, but not their return value.
But I may be wrong. I'll double-check it

[knoobie]

Good thing to double check! I only remember an old issue where boot also switched all their configuration to false by default, also to increase performance: spring-projects/spring-boot#9068

[knoobie]

Before this is blocked: don't worry about it and do it later :)

[mcollovati]

I added the flag anyway, since it completely makes sense to avoid proxying in this case.
Thanks for pointing out 👍

[czp13]

Intellij like this version better:

Suggested change

	ObjectOutputStream out = new ObjectOutputStream(bs);
	try (ObjectOutputStream out = new ObjectOutputStream(bs)) {
	out.writeObject(instance);
	}

Maybe we could use it.

[mcollovati]

done

[czp13]

Thanks, Marco!

[czp13]

Thank you for the changes! 🙇 I believe most issues have been addressed, with only a minor code modification suggested. It's a very small change, so I am marking this as approved.

[sonarqubecloud]

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud