Spring Security spring-boot-starter-oauth2-client required when using csrf()

Summary

In a brand new Spring Boot 2.2.1 with Spring Security, when calling csrf() (import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf) without explicit import of spring-boot-starter-oauth2-client, compilation throws java.lang.RuntimeException: java.lang.NoClassDefFoundError: org.springframework.security.oauth2.jwt.Jwt$Builder

This looks exactly like https://github.com/spring-projects/spring-security/issues/4721

Actual Behavior

compileTestGroovy throws

startup failed:
General error during semantic analysis: java.lang.NoClassDefFoundError: org.springframework.security.oauth2.jwt.Jwt$Builder

java.lang.RuntimeException: java.lang.NoClassDefFoundError: org.springframework.security.oauth2.jwt.Jwt$Builder

Expected Behavior

Tests compile and run.

Adding to build.gradle

implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'

solved the issue

Configuration

An example minimal project is provided here: https://github.com/jakubnabrdalik/boot.2.2.1.csrf.error

Version

• Spring Boot 2.2.1.RELEASE
• Gradle 6.0
• openjdk version "11.0.5" (Zulu11.35+13-CA: build 11.0.5+10-LTS)

It used to work well in 2.1.9

Sample

An example is provided here: https://github.com/jakubnabrdalik/boot.2.2.1.csrf.error/blob/master/src/test/groovy/eu/solidcraft/hentairental/HentaiRentalApplicationTests.groovy

Comment From: jzheaux

@jakubnabrdalik I'm still looking into this. To give a quick update, this appears to behave fine in Java. For example, when I take your sample project and convert it to Java, then the tests and application operate fine.

I'll see if I can find out why Groovy projects are loading the class differently.

Comment From: jzheaux

@jakubnabrdalik a fix has been committed to master. Would you please try using 5.2.2.BUILD-SNAPSHOT to see if it fixes your issue and then reply here?

Comment From: jakubnabrdalik

After replacing the auth2-client with compile group: 'org.springframework', name: 'spring-core', version: '5.2.2.BUILD-SNAPSHOT' and adding https://repo.spring.io/snapshot, tests run all right

Which puzzles me a bit. You did a change in spring-security (https://github.com/spring-projects/spring-security/commit/7cbd1665a6ba5df01ab676db7d945b6599c2000a) but asked me to update the core to the latest snapshot? How come?

Comment From: jzheaux

My apologies, it wasn't my intent to ask you to update core. I should have said:

Would you please try using 5.2.2.BUILD-SNAPSHOT for spring-security-test to see if it fixes your issue and then reply here?

I'm supposing when you modified your pom, you also brought in spring-security-test 5.2.2.BUILD-SNAPSHOT? If so, great!