Spring Security Invalid JavaBean property 'logoutHandlers' being accessed (warning in the logs)

Describe the bug I use Spring-Security and found a strange warning in my logs:

11:54:01,463 WARN org.springframework.beans.GenericTypeAwarePropertyDescriptor [GenericTypeAwarePropertyDescriptor.java:141] - Invalid JavaBean property 'logoutHandlers' being accessed! Ambiguous write methods found next to actually used [public void org.springframework.security.web.session.ConcurrentSessionFilter.setLogoutHandlers(org.springframework.security.web.authentication.logout.LogoutHandler[])]: [public void org.springframework.security.web.session.ConcurrentSessionFilter.setLogoutHandlers(java.util.List)]

Spring: 5.3.6 Spring-Security: 5.4.6

I checked the source-code of your ConcurrentSessionFilter and these methods are the problem: https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java

    public void setLogoutHandlers(LogoutHandler[] handlers) {
        this.handlers = new CompositeLogoutHandler(handlers);
    }

    /**
     * Set list of {@link LogoutHandler}
     * @param handlers list of {@link LogoutHandler}
     * @since 5.2.0
     */
    public void setLogoutHandlers(List<LogoutHandler> handlers) {
        this.handlers = new CompositeLogoutHandler(handlers);
    }

The LogoutSuccessHandler is called.

My configuration is

    <http use-expressions="true" once-per-request="false">
        <csrf disabled="true" />
        <access-denied-handler error-page="/accessdenied.jsf" />
        <intercept-url pattern="/home/**" access="hasRole('USER')" />
        <intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />

        <form-login login-page="/login.jsf" login-processing-url="/login_security_check" authentication-success-handler-ref="loginSuccessHandler" />
        <logout invalidate-session="false" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />

        <session-management invalid-session-url="/login.jsf">
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login.jsf" session-registry-ref="sessionRegistry" />
        </session-management>
    </http>

To Reproduce Steps to reproduce the behavior.

Expected behavior No warning in the logs.

Sample 11:54:01,463 WARN org.springframework.beans.GenericTypeAwarePropertyDescriptor [GenericTypeAwarePropertyDescriptor.java:141] - Invalid JavaBean property 'logoutHandlers' being accessed! Ambiguous write methods found next to actually used [public void org.springframework.security.web.session.ConcurrentSessionFilter.setLogoutHandlers(org.springframework.security.web.authentication.logout.LogoutHandler[])]: [public void org.springframework.security.web.session.ConcurrentSessionFilter.setLogoutHandlers(java.util.List)]

Comment From: jgrandja

@netty-jawn This issue should be logged in Spring Framework since GenericTypeAwarePropertyDescriptor exists there and is the one logging the warning message.

However, I don't see this as an issue. If you want to suppress this warning message you could configure the logging framework to suppress that specific message or all logs in that class.