javaspringspring-bootkotlinspring-security

AnnotationConfigurationException since upgrade to Spring Boot 3/JDK 17


I have recently upgraded my Spring Boot Application to Spring Boot 3 (from 2.6.4), Kotlin 1.8.0 (from 1.7.20) and JDK 17 (from 11). Right now I'm facing AnnotationConfigurationExceptions caused by @PreAuthorize meta-annotations used on inherited repository-methods.

org.springframework.core.annotation.AnnotationConfigurationException: Found more than one annotation of type interface org.springframework.security.access.prepost.PreAuthorize attributed to public final java.util.List jdk.proxy2.$Proxy390.findAll() Please remove the duplicate annotations and publish a bean to handle your authorization logic.
        at org.springframework.security.authorization.method.AuthorizationAnnotationUtils.findUniqueAnnotation(AuthorizationAnnotationUtils.java:64)
        at org.springframework.security.authorization.method.PreAuthorizeExpressionAttributeRegistry.findPreAuthorizeAnnotation(PreAuthorizeExpressionAttributeRegistry.java:71)
        at org.springframework.security.authorization.method.PreAuthorizeExpressionAttributeRegistry.resolveAttribute(PreAuthorizeExpressionAttributeRegistry.java:61)
        at org.springframework.security.authorization.method.AbstractExpressionAttributeRegistry.lambda$getAttribute$0(AbstractExpressionAttributeRegistry.java:57)
        at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
        at org.springframework.security.authorization.method.AbstractExpressionAttributeRegistry.getAttribute(AbstractExpressionAttributeRegistry.java:57)
        at org.springframework.security.authorization.method.AbstractExpressionAttributeRegistry.getAttribute(AbstractExpressionAttributeRegistry.java:46)
        at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:63)
        at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:40)
        at org.springframework.security.authorization.ObservationAuthorizationManager.check(ObservationAuthorizationManager.java:55)
        at org.springframework.security.config.annotation.method.configuration.DeferringObservationAuthorizationManager.check(DeferringObservationAuthorizationManager.java:47)
        at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.attemptAuthorization(AuthorizationManagerBeforeMethodInterceptor.java:252)
        at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.invoke(AuthorizationManagerBeforeMethodInterceptor.java:198)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89)

After some debugging, I found that Spring Security somehow reflects the single annotation multiple times. As soon as I move the methods from the base-repository to the actual repository, the exception does no longer appear.

I've got a base-repository implementing some common methods like findAll, findById, etc. and marking them accessible using the REST-API and restricting the access using the @HasRoleAdminOrHasReadCollectionPermission meta-annotation (following later):

@NoRepositoryBean
interface BaseRepository<T : BaseEntity> : CrudRepository<T, Long> {

    /* [...] */

    @RestResource
    @HasRoleAdminOrHasReadCollectionPermission
    override fun findAll(): List<T>

    /* [...] */

}

Second, the base-repository is implemented by the actual entity-repository:

@RepositoryRestResource(path = "categories", collectionResourceRel = "categories")
@Transactional(readOnly = true)
interface CategoryRepository : BaseRepository<Category> {

    /* [...] */

}

Third, here's the @HasRoleAdminOrHasReadCollectionPermission meta-annotation:

@Retention(AnnotationRetention.RUNTIME)
@Target(AnnotationTarget.CLASS, AnnotationTarget.FUNCTION)
@PreAuthorize("hasRole('$ROLE_ADMIN') or hasPermission($COLLECTION_TARGET, $DELETE_PERMISSION)")
annotation class HasRoleAdminOrHasDeleteCollectionPermission

I'm all out of ideas, looked through the Java files generated from Kotlin, nowhere are duplicated annotations. Hoping someone here can help me with that.

Edit: As requested, here's the Application-class and the class containing the security-config:

@SpringBootApplication(exclude = [ErrorMvcAutoConfiguration::class])
@ServletComponentScan
@EnableAsync
@EnableScheduling
class Application {
    companion object {
        val HOSTNAME = System.getenv("HOSTNAME")
        val TIMESTAMP = System.currentTimeMillis()

        /** Entry point, run with gradle `bootRun` task. */
        @JvmStatic
        fun main(args: Array<String>) {
            SpringApplication.run(Application::class.java, *args)
        }
    }
}
@Configuration
@EnableWebSecurity(debug = true)
@EnableMethodSecurity(prePostEnabled = true)
class SecurityConfig(
    private val environment: Environment,
    private val baseProperties: BaseProperties,
    private val accountService: AccountService,
    private val integrationService: IntegrationService,
    private val jwtService: JwtService,
    private val loginAttemptService: LoginAttemptService,
    private val handlerExceptionResolver: HandlerExceptionResolver
) {

    @Bean
    fun webSecurityCustomizer(): WebSecurityCustomizer =
        WebSecurityCustomizer { web: WebSecurity -> web.debug(true) }

    @Bean
    fun corsConfigurationSource(): CorsConfigurationSource {
        val configuration = CorsConfiguration()
        configuration.allowedOrigins = baseProperties.corsAllowedOrigins()
        configuration.allowedMethods = listOf(CorsConfiguration.ALL)
        configuration.allowedHeaders = listOf(CorsConfiguration.ALL)
        configuration.allowCredentials = true
        val source = UrlBasedCorsConfigurationSource()
        source.registerCorsConfiguration(ANY_PATH, configuration)
        return source
    }

    @Bean
    fun userDetailsService(): UserDetailsService =
        AccountUserDetailsService(accountService, integrationService)

    @Bean
    fun authenticationManager(
        http: HttpSecurity,
        userDetailsService: UserDetailsService
    ): AuthenticationManager {
        val authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder::class.java)

        val loginAttemptDaoAuthenticationProvider = LoginAttemptDaoAuthenticationProvider(loginAttemptService, userDetailsService)
        val jwtPreAuthenticationProvider = PreAuthenticatedAuthenticationProvider()

        jwtPreAuthenticationProvider.setPreAuthenticatedUserDetailsService(UserDetailsByNameServiceWrapper(userDetailsService))

        return authenticationManagerBuilder
            .userDetailsService(userDetailsService).and()
            .authenticationProvider(loginAttemptDaoAuthenticationProvider)
            .authenticationProvider(jwtPreAuthenticationProvider)
            .build()
    }

    @Bean
    fun filterChain(
        http: HttpSecurity,
        authenticationManager: AuthenticationManager,
        userDetailsService: UserDetailsService
    ): SecurityFilterChain {
        return http
            .requireSSL()
            .disableLocalHSTS()
            .enableCors()
            .enableStatelessCsrf()
            .statelessSessionManagement()
            .jwtAuthentication(authenticationManager)
            .setRequestRestrictions()
            .build()
    }

    private fun HttpSecurity.requireSSL(): HttpSecurity =
        requiresChannel().anyRequest().requiresSecure().and()

    private fun HttpSecurity.disableLocalHSTS(): HttpSecurity =
        if (environment.acceptsProfiles(Profiles.of(DEVELOPMENT, TESTING)))
            headers().httpStrictTransportSecurity().disable().and()
        else this

    private fun HttpSecurity.enableCors(): HttpSecurity =
        cors().and()

    private fun HttpSecurity.enableStatelessCsrf(): HttpSecurity =
        csrf().disable().addFilterBefore(StatelessCsrfFilter(), CsrfFilter::class.java)

    private fun HttpSecurity.statelessSessionManagement(): HttpSecurity =
        sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()

    private fun HttpSecurity.jwtAuthentication(
        authenticationManager: AuthenticationManager
    ): HttpSecurity =
        addFilterBefore(JwtPreAuthenticatedProcessingFilter(authenticationManager, jwtService), UsernamePasswordAuthenticationFilter::class.java)
            .addFilterBefore(JwtCookiePreAuthenticationFilter(jwtService), UsernamePasswordAuthenticationFilter::class.java)
            .formLogin()
            .loginProcessingUrl(LOGIN_URL)
            .successHandler(JwtCookieAuthenticationSuccessHandler(jwtService))
            .failureHandler(AuthenticationFailureResolver(handlerExceptionResolver))
            .and()
            .logout()
            .logoutUrl(LOGOUT_URL)
            .logoutSuccessHandler(Http200LogoutSuccessHandler())
            .addLogoutHandler(JwtCookieLogoutHandler(jwtService))
            .and()

    private fun HttpSecurity.setRequestRestrictions(): HttpSecurity =
        authorizeHttpRequests {
            it.requestMatchers(HttpMethod.GET, ROOT_URL).permitAll()
                .requestMatchers([...])
                .anyRequest().denyAll().and()
        }
}


Solution

  • After some more debugging and reading through the migration-guide @varad posted I decided to implement custom authorization-managers which do not scan the annotations as thoroughly as Spring Security does.

    I posted the implementations of the custom method-security and authorization-managers on GitHub: https://gist.github.com/Lukas0610/5ac78a358276fa15b1ce7cdc0483988d

    Thanks for you help guys.