Spring Security WebSecurityConfiguration is missing @CondidtionalOnClass on security-web classes

Describe the bug The spring-security-config modules defines an optional dependency on spring-security-web. However, in WebSecurityConfiguration it creates beans of types coming from spring-security-web, without the proper @ConditionalOnClass.

An example is the WebInvocationPrivilegeEvaluator class.

The actual stacktrace is the following:

java.lang.IllegalStateException: Failed to introspect Class [org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration] from ClassLoader [jdk.internal.loader.ClassLoaders$AppClassLoader@531d72ca]
    at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:483)
    at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:360)
    at org.springframework.util.ReflectionUtils.getUniqueDeclaredMethods(ReflectionUtils.java:417)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.lambda$getTypeForFactoryMethod$1(AbstractAutowireCapableBeanFactory.java:748)
    at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1740)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryMethod(AbstractAutowireCapableBeanFactory.java:747)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.determineTargetType(AbstractAutowireCapableBeanFactory.java:680)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:651)
    at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1632)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:560)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:532)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:659)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:651)
    at org.springframework.context.support.AbstractApplicationContext.getBeansOfType(AbstractApplicationContext.java:1278)
    at org.springframework.boot.SpringApplication.getExitCodeFromMappedException(SpringApplication.java:865)
    at org.springframework.boot.SpringApplication.getExitCodeFromException(SpringApplication.java:853)
    at org.springframework.boot.SpringApplication.handleExitCode(SpringApplication.java:840)
    at org.springframework.boot.SpringApplication.handleRunFailure(SpringApplication.java:780)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:323)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1304)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1293)
    at com.netflix.thundercatsspringgrpc.ThunderCatsSpringGrpc.main(ThunderCatsSpringGrpc.java:10)
Caused by: java.lang.NoClassDefFoundError: org/springframework/security/web/access/WebInvocationPrivilegeEvaluator
    at java.base/java.lang.Class.getDeclaredMethods0(Native Method)
Caused by: java.lang.NoClassDefFoundError: org/springframework/security/web/access/WebInvocationPrivilegeEvaluator

To Reproduce Add spring-security-config to the classpath. Do not add spring-security-web.

Expected behavior Since spring-security-web is declared optional, it shouldn't be implicitly required. We ran into this in a setup where Spring Security is used for gRPC, but there is no web stack.

Comment From: marcusdacoregio

Hi @paulbakker, thanks for the report.

Are you using Spring Boot? The WebSecurityConfiguration bean should only be created when adding the @EnableWebSecurity to the configuration. If so, this problem is on Spring Boot's side. You can try excluding the auto-configuration that adds the @EnableWebSecurity to see if it fixes the problem.

@SpringBootApplication(exclude = SecurityAutoConfiguration.class)

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: paulbakker

Yes, it's Spring Boot, and yes, I think it's because @EnableWebSecurity is there. That makes it a bit of an unexpected use case I guess, but it might still be better to explicitly add the ConditionalOnClass?

Comment From: marcusdacoregio

I still do not follow exactly what you are proposing. Do your application has @EnableWebSecurity? @ConditionalOnClass is a Spring Boot annotation, therefore it makes more sense for them to add it if needed.

Can you provided a reproducible sample so we could understand better what is happening?

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.