Spring Security It's not possible to disable micrometer obversability

This is a continuation of https://github.com/spring-projects/spring-boot/issues/33275 As requested there, i will open an issue here.

It is currently not possible to disable micrometer observability. While the docs mention this

@Bean ObservationRegistryCustomizer<ObservationRegistry> noSpringSecurityObservations() { ObservationPredicate predicate = (name, context) -> name.startsWith("spring.security.") return (registry) -> registry.observationConfig().observationPredicate(predicate) }

That has a type because a "!" is missing => "!name.startsWith("spring.security.")" With the negation in place the application will juste crash. See exception below. Looking at the code, i guess the returned NOOP cannot be cast to the required FilterChainObservationContext which has more information. Funny enough spring security has some NOOP handling implemented in that class, but that does not prevent the stacktrace below.

java.lang.ClassCastException: class io.micrometer.observation.Observation$Context cannot be cast to class org.springframework.security.web.ObservationFilterChainDecorator$FilterChainObservationContext (io.micrometer.observation.Observation$Context and org.springframework.security.web.ObservationFilterChainDecorator$FilterChainObservationContext are in unnamed module of loader 'app') at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:179) ~[spring-security-web-6.0.0-RC2.jar:6.0.0-RC2]

Comment From: jzheaux

Thanks for the report, @goafabric. We'll get this prioritized for the next point release.

Comment From: jzheaux

In the meantime, I believe you can use a bean post processor to customize the FilterChainProxy instance:

@Component 
class FilterChainProxyPostProcessor implements BeanPostProcessor {
    @Override
    Object postProcessBeforeInitialization(Object bean, String beanName) {
        if (bean instanceof FilterChainProxy) {
            ((FilterChainProxy) bean).setFilterChainDecorator(new FilterChainProxy.VirtualFilterChainDecorator());
        }
        return bean;
    }
}

Comment From: goafabric

Using the suggested workaround i still get (with basic auth activated)

authenticate usernamepassword authorize request

Will this be gone with the final fix ?