Describe the bug
ServerHttpSecurityConfiguration defines a WebFluxConfigurer bean while also injecting a ReactiveAdapterRegistry. The ReactiveAdapterRegistry is defined by WebFluxConfigurationSupport but WebFluxConfigurationSupport also needs to be initialized with every WebFluxConfigurer bean. This creates a cycle between the two configuration classes. Framework is able to mask this cycle when the bean factory is configured to allow circular references. When circular references are prohibited, application context refresh fails with a BeanCurrentlyInCreationException.
To Reproduce
Run that attached sample with ./gradlew bootRun or import it into your IDE and run the main method.
Expected behavior
Spring Security can be used with WebFlux when the bean factory is configured to prohibit circular references.
Sample
webflux-security-dependency-cycle.zip
Comment From: eleftherias
Thanks @wilkinsona. It seems the underlying issue is https://github.com/spring-projects/spring-framework/issues/25166.
A workaround could be to move the authenticationPrincipalArgumentResolverConfigurer to a different configuration.
That would prevent the error on startup, but a cycle would still exist.
I will discuss with the team and provide an update.
Comment From: wilkinsona
Thanks for the update, Ria. It looks like https://github.com/spring-projects/spring-security/issues/8613 was an attempt to work around the underlying behaviour in Framework. I wonder if that could be taken a step further, perhaps by making authenticationPrincipalArgumentResolverConfigurer static?
Comment From: eleftherias
I wonder if that could be take a step further, perhaps by making authenticationPrincipalArgumentResolverConfigurer static?
Yes, that would fix it as well.
Comment From: eleftherias
Thanks for bringing this up @wilkinsona.
I went ahead and made authenticationPrincipalArgumentResolverConfigurer static, as you suggested.
Comment From: wilkinsona
Excellent. Thanks very much, @eleftherias.