The Problem:
After upgrading from Spring Boot 3.2.0 to 3.2.1, a Spring Boot application fails to start due to an error associated with the creation of the ‘springSecurityFilterChain’ bean. The issue is related to changes in the WebMvcSecurityConfiguration class in spring-security-config:6.2.1, which caused an exception when instantiating WebMvcSecurityConfiguration$CompositeFilterChainProxy. The error message indicates that the FilterChainProxy could not be found in the specified list of objects, resulting in the failure to initialize the security filter chain. The problem persists even after implementing suggested fixes for similar issues, such as disabling FormLoginConfigurer, disabling debug logs, and including the @EnableWebSecurity and @Configuration annotations. The goal is to resolve this issue and successfully start the Spring Boot application.
The Solutions:
Solution 1: Temporary workaround with Custom FilterChainProxy
This solution provides a temporary workaround for the issue by defining a custom FilterChainProxy bean and a BeanDefinitionRegistryPostProcessor to replace the default FilterChainProxy bean with the custom one.
- Define the FilterChainProxy Class: Create a custom FilterChainProxy class named CompositeFilterChainProxy that extends FilterChainProxy. This class contains a delegate Filter for handling filter chain execution and a FilterChainProxy field to access the original Spring Security filter chain.
- Provide the Bean Definition: Inside the CompositeFilterChainProxy class, define a factory method createDoFilterDelegate(List<? extends Filter> filters) to create a delegate Filter from the provided list of filters. Another method findFilterChainProxy(List<? extends Filter> filters) is implemented to locate the actual Spring Security filter chain.
- Implement afterPropertiesSet(), doFilter(), and Required Methods: Override afterPropertiesSet() to delegate the initialization to the Spring Security filter chain. Implement doFilter() to call the delegate Filter for handling filter chain execution. Override other necessary methods to delegate operations to the Spring Security filter chain.
- Register the Bean Definition Post Processor: Define a static method beanDefinitionRegistryPostProcessor() that returns a BeanDefinitionRegistryPostProcessor instance. In this method, set the bean class name for AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME to CompositeFilterChainProxy.
- Add the @Bean Annotation: Annotate the CompositeFilterChainProxy class with @Bean to register it as a Spring bean.
This temporary solution should allow Spring Boot to successfully start with the updated spring-security-config version.
Q&A
What’s the cause of the problem?
It’s a bug in spring-security-config:6.2.1.
How can I fix it?
Use code provided in the answer.
Can I wait for the official fix?
Yes.