Spring Security @EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed

Describe the bug

@EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed.

The preAuthorizeInterceptor bean defined in ReactiveAuthorizationManagerMethodSecurityConfiguration is an Advisor so it's created very early by the AOP infrastructure. It injects an ObjectProvider<ObservationRegistry> which should delay the creation of the ObservationRegistry. Unfortunately, this provider is passed into ReactiveAuthorizationManagerMethodSecurityConfiguration#manager which immediately calls getIfAvailable(). As a result the ObservationRegistry is created very early as part of setting up the AOP infrastructure and this prevents it from being post-processed.

To Reproduce

See the sample provided in https://github.com/spring-projects/spring-boot/issues/34366.

Expected behavior

@EnableReactiveMethodSecurity does not prevent the ObservationRegistry from being post-processed.

Sample

See the sample provided in https://github.com/spring-projects/spring-boot/issues/34366.

Comment From: cse050

Hi Josh,

thx for resolving this.

Would you know which spring boot release which will contain this change?

https://github.com/spring-projects/spring-security/commit/bbd31f0e331302155645802e5239474142487feb

Comment From: philwebb

@cse050 The fix will be in Spring Security 6.0.3 (check the milestone of this issue) which has not yet been released. Spring Security 6.0.3 is due to be released on April 17 which means it should be in Spring Boot 3.0.6