Describe the bug

Spring Security 6.2.1 fails to register appropriate native image hints for:

  • HandlerMappingIntrospectorCachFilterFactoryBean
  • CompositeFilterChainProxy
2023-12-20T23:14:40.2636780Z Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#64b321b8': The program tried to reflectively invoke method org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$HandlerMappingIntrospectorCachFilterFactoryBean() without it being registered for runtime reflection. Add org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$HandlerMappingIntrospectorCachFilterFactoryBean() to the reflection metadata to solve this problem. See https://www.graalvm.org/latest/reference-manual/native-image/metadata/#reflection for help.
2023-12-20T23:14:40.2644450Z    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1316)
2023-12-20T23:14:40.2647440Z    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1201)
2023-12-20T23:14:40.2650750Z    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:561)
2023-12-20T23:14:40.2653600Z    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:521)
2023-12-20T23:14:40.2656830Z    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBeanValue(BeanDefinitionValueResolver.java:407)
2023-12-20T23:14:40.2658540Z    ... 27 common frames omitted
2023-12-20T23:14:40.2666660Z Caused by: org.graalvm.nativeimage.MissingReflectionRegistrationError: The program tried to reflectively invoke method org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$HandlerMappingIntrospectorCachFilterFactoryBean() without it being registered for runtime reflection. Add org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$HandlerMappingIntrospectorCachFilterFactoryBean() to the reflection metadata to solve this problem. See https://www.graalvm.org/latest/reference-manual/native-image/metadata/#reflection for help.
2023-12-20T23:14:40.2674040Z    at org.graalvm.nativeimage.builder/com.oracle.svm.core.reflect.MissingReflectionRegistrationUtils.forQueriedOnlyExecutable(MissingReflectionRegistrationUtils.java:72)
2023-12-20T23:14:40.2676580Z    at java.base@21.0.1/java.lang.reflect.Constructor.acquireConstructorAccessor(Constructor.java:74)
2023-12-20T23:14:40.2678800Z    at java.base@21.0.1/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
2023-12-20T23:14:40.2681420Z    at java.base@21.0.1/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
2023-12-20T23:14:40.2683020Z    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:197)
2023-12-20T23:14:40.2685060Z    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:88)
2023-12-20T23:14:40.2687680Z    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1310)
2023-12-20T23:14:40.2689920Z    ... 31 common frames omitted

To Reproduce

# Need JDK 21
git clone --depth=1 git@github.com:apereo/cas.git
cd cas
chmod +x ./ci/tests/native/build.sh && ./ci/tests/native/build.sh

Expected behavior

  • Spring Security 6.2.0 seems to be immune to this problem.
  • Looks like the appropriate hint needs to be registered by the framework itself.

We can of course add this by referencing the type directly with something like this in Spring Boot, but that seems less than ideal:

var t1 = TypeReference.of("org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$HandlerMappingIntrospectorCachFilterFactoryBean");   
// add hints for the type
var t2 = TypeReference.of("org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy")
// add hints for the type

Comment From: marcusdacoregio

Thanks for the report @mmoayyed, this seems to be related to https://github.com/spring-projects/spring-security/issues/14362. I'm looking into a fix for this.

Comment From: marcusdacoregio

Hi, @mmoayyed. Thanks again for the report.

I just pushed a fix that adds the necessary hints. The SNAPSHOT should be available in a few minutes, it would be great if you could test and confirm if the fix worked?

Comment From: mmoayyed

Sure, thank you. To be clear, you meant 6.3.0-SNAPSHOT?

Comment From: marcusdacoregio

Either 6.3.0-SNAPSHOT, 6.2.2-SNAPSHOT or 6.1.7-SNAPSHOT should work.

Comment From: mmoayyed

Sure. I am testing with 6.2.2-SNAPSHOT at the moment. Will report back shortly. Thank you!

Comment From: mmoayyed

While we are on the subject, I think the following components should also be accounted for in native image hints:

  • CsrfToken should be registered as a serializable hint.
  • Subclasses of CsrfToken should be registered for reflection.
  • The following also should be registered for reflection hints: (BasicAuthenticationFilter, HandlerMappingIntrospectorRequestTransformer)

I have added hints for these already in my setup, but I figured you may want to know as well. If you'd like me to create a separate issue and provide logs, etc, please let me know.

Comment From: marcusdacoregio

Yes, please. Separate issues are better since this one is solved. It would be great if you could provide the minimal configuration where the native hint is needed as well.