Expected Behavior
WAN BeanPostProcessorChecker message may not out put. Current Behavior
almost all beans out put warn message like : 2023-11-28T17:59:42.291+08:00 WARN 18703 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'blockRepository' of type [jdk.proxy2.$Proxy156] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [projectingArgumentResolverBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies. Context
I upgrade code to spring boot 2.3,but let deprecated EnableGlobalMethodSecurity in code unfortunately。when run code, almost every beans out put message like above。 I don't define a BeanPostProcessor name ProjectingArgumentResolverBeanPostProcessor in my code. those WARN message seriously slowing down the startup speed. when upgrade EnableGlobalMethodSecurity to EnableMethodSecurity warn message gone. I put issue in spring-boot/issues/38558 and spring-data-jpa/issues/3244 and confirm the problem with peoples help 。 I create a minimal example and upload. checker.zip I think is a good idea to avoid the warnings when use deprecated EnableGlobalMethodSecurity annotation
Comment From: shivtrpm
@billschen That's good you made the WARNs disappear by upgrading to [EnableMethodSecurity]. But, in my case I do not use any such annotations. Yet, still get those warns. These warns were never on 3.0.5 from which I migrated to 3.2.1
Comment From: billschen
warns were never o
my be you can try to comment some config class to identify which class make to warn message out put.
Comment From: marcusdacoregio
Hi @billschen, thanks for the report. @shivtrpm if I understand correctly, you have the WARN logs but you are not using either @EnableGlobalMethodSecurity or @EnableMethodSecurity? If so, can you provide a minimal, reproducible sample?
Comment From: nikolay-hr
If you create a new project from https://start.spring.io/ using only Spring Boot 3.2.0 and adding spring-boot-starter-web-services a very simmilar warning shows up without adding annithing else:
WARN 11184 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.ws.config.annotation.DelegatingWsConfiguration' of type [org.springframework.ws.config.annotation.DelegatingWsConfiguration$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). The currently created BeanPostProcessor [annotationActionEndpointMapping] is declared through a non-static factory method on that class; consider declaring it as static instead.
Sorry for the off-topic but I saw this issue and didn't want open a new one.
Everything works fine but it is confusing why this warning shows up without adding any code or configuration into a clean new spring project.
Edit: The warning is coming from here
Comment From: jzheaux
Hi, @billschen. The reason that you see these warnings is due to the beans your application needs the expression handler to access.
Method interceptors are configured very early in the application context lifecycle, so when you do the following:
@Component
public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
public CustomMethodSecurityExpressionHandler(FooBarService fooBarService, BlockRepository blockRepository) {
this.fooBarService = fooBarService;
this.blockRepository = blockRepository;
}
// ...
}
It pushes the creation of FooBarService (and anything it depends on) and BlockRepository (and anything it depends on) into the same part of the application context lifecycle.
This step in the application context lifecycle is too early for bean post-processing, and thus the warning message for those beans.
Use beans in your annotations
My primary recommendation is to not use a custom expression handler. Instead, consider referencing your beans directly in your expressions like so:
@Component("authz")
public class AuthorizationFacade {
private final FooBarService foobar;
private final BlockRepository blocks;
// ...
public boolean hasRole(String role) {
// ... perform authorization logic
}
// ...
}
// ...
@PreAuthorize("@authz.hasRole('USER')")
This decouples your authorization logic from Spring Security as well as likely making it easier to test.
Declare Infrastructural Beans
The alternative way to resolve this is two-fold:
First, you need to declare your method handler as an infrastructural bean:
@Component
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
public class CustomMethodSecurityExpressionHandler ...
And second, either the other beans need to be infrastructural (doubtful) or they need to be accessed lazily by the expression handler as follows:
public CustomMethodSecurityExpressionHandler(ObjectProvider<FooBarService> fooBarService, ObjectProvider<BlockRepository> blockRepository) {
this.fooBarService = fooBarService;
this.blockRepository = blockRepository;
}
@Override
protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {
CustomMethodSecurityExpressionRoot root =
new CustomMethodSecurityExpressionRoot(authentication, fooBarService.getIfAvailable(), blockRepository.getIfAvailable());
root.setPermissionEvaluator(this.getPermissionEvaluator());
root.setTrustResolver(this.trustResolver);
root.setRoleHierarchy(this.getRoleHierarchy());
return root;
}
Can you please try these and tell me if one works for you?
Comment From: billschen
@jzheaux 👍 thank you very match! It works for me!. I agree the best solution is to not use a custom expression handler and consider referencing your beans directly in your expressions
Comment From: billschen
@billschen That's good you made the WARNs disappear by upgrading to [EnableMethodSecurity]. But, in my case I do not use any such annotations. Yet, still get those warns. These warns were never on 3.0.5 from which I migrated to 3.2.1 please contract me with email billschen@qq.com