Describe the bug After upgrading to spring boot 3.1.2 (implicitly upgrading spring-security to 6.1.2), my applicatin no longer starts. The startup fails due to the following message:

Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.support.BeanDefinitionOverrideException: Invalid bean definition with name 'preFilterAuthorizationAdvisor' defined in class path resource [org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.class]: Cannot register bean definition [Root bean: class [org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=preFilterAuthorizationMethodInterceptor; initMethodNames=null; destroyMethodNames=[(inferred)]; defined in class path resource [org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.class]] for bean 'preFilterAuthorizationAdvisor' since there is already [Root bean: class [org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null;

First reported here: https://github.com/spring-projects/spring-boot/issues/36481

Downgrading to 6.1.1 works again.

To Reproduce - https://github.com/bratkartoffel/security-jwt-examples - Run the tests for the starter-cookies-jakarta module

Expected behavior The application startups up without errors.

Sample See To Reproduce section

Thanks, Simon

@paweleg fyi

Comment From: paweleg

Describe the bug After upgrading to spring boot 3.1.2 (implicitly upgrading spring-security to 6.1.2), my applicatin no longer starts. The startup fails due to the following message:

Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.support.BeanDefinitionOverrideException: Invalid bean definition with name 'preFilterAuthorizationAdvisor' defined in class path resource [org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.class]: Cannot register bean definition [Root bean: class [org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=preFilterAuthorizationMethodInterceptor; initMethodNames=null; destroyMethodNames=[(inferred)]; defined in class path resource [org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.class]] for bean 'preFilterAuthorizationAdvisor' since there is already [Root bean: class [org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null;

First reported here: spring-projects/spring-boot#36481

Downgrading to 6.1.1 works again.

To Reproduce

  • https://github.com/bratkartoffel/security-jwt-examples
  • Run the tests for the starter-cookies-jakarta module

Expected behavior The application startups up without errors.

Sample See To Reproduce section

Thanks, Simon

@paweleg fyi

Thanks @bratkartoffel

Comment From: jzheaux

Thanks for the report, @bratkartoffel. This appears to be a regression around having multiple @EnableMethodSecurity annotations. In the sample you provide, @EnableMethodSecurity is declared both in JwtSecurityConfig and SecurityJwtBaseAutoConfiguration.

Since this was possible before, I think it should remain possible, so I'll schedule this for the next release. That said, if you are able to remove one of the two @EnableMethodSecurity usages, I believe that such would alleviate the issue in your codebase. Indeed, when I excluded one of them and replaced it with a configuration class that did not have the extra @EnableMethodSecurity annotation, the tests passed.

Comment From: bratkartoffel

Thank you for the analysis. I'll try to implement the workaround for now and test the new release once it's available.