Describe the bug spring-security:6.0.2 When SimpleAroundFilterObservation.wrap catched error, call error(ex); in catch block and stop(); in finally block. Both methods call scope.close().

https://github.com/spring-projects/spring-security/blob/7ef659a643e964fd091a9ee0e61ab3ba00309d0b/web/src/main/java/org/springframework/security/web/ObservationFilterChainDecorator.java#L276-L290

First TracingContext.scopes became empty. Second, TracingContext.getScope return null. So NullPointerException is caused.

Show the flow after scope.close() is called.

  1. scope.close() is called in catch block.
  2. io.micrometer.observation.SimpleObservation.SimpleScope.close() is called.
  3. io.micrometer.observation.SimpleObservation.notifyOnScopeClosed() is called.
  4. io.micrometer.tracing.handler.TracingObservationHandler.onScopeClosed() is called.
  5. tracingContext.getScope().close(); is called.
  6. After it, this block is called. > tracingContext.setSpanAndScope(span, () -> { > scope.close(); > tracingContext.setScope(previousScopeOnThisObservation); > });
  7. tracingContext.setScope(previousScopeOnThisObservation); set TracingContext.scopes empty because previousScopeOnThisObservation is null.
  8. When scope.close() is called for the second time in finally block, step 5 cause NullPointerException because tracingContext.getScope() return null.

To Reproduce spring-security:6.0.2 micrometer-tracing:1.0.2 spring-boot-actuater-autoconfigure:3.0.3

Expected behavior I think scope.close(); should be called only once. Or, should I fix micrometer-tracing?

Thank you for your support.

Comment From: jzheaux

Thanks, @kk-zu. Yes, I agree that close should only be called once. I will schedule this for the next maintenance release to get that corrected.