AnnotationConfigurationException since upgrade to Spring Boot 3/JDK 17
Question
I have recently upgraded my Spring Boot Application to Spring Boot 3 (from 2.6.4), Kotlin 1.8.0 (from 1.7.20) and JDK 17 (from 11). Right now I'm facing AnnotationConfigurationExceptions caused by @PreAuthorize meta-annotations used on inherited repository-methods.
org.springframework.core.annotation.AnnotationConfigurationException: Found more than one annotation of type interface org.springframework.security.access.prepost.PreAuthorize attributed to public final java.util.List jdk.proxy2.$Proxy390.findAll() Please remove the duplicate annotations and publish a bean to handle your authorization logic.
at org.springframework.security.authorization.method.AuthorizationAnnotationUtils.findUniqueAnnotation(AuthorizationAnnotationUtils.java:64)
at org.springframework.security.authorization.method.PreAuthorizeExpressionAttributeRegistry.findPreAuthorizeAnnotation(PreAuthorizeExpressionAttributeRegistry.java:71)
at org.springframework.security.authorization.method.PreAuthorizeExpressionAttributeRegistry.resolveAttribute(PreAuthorizeExpressionAttributeRegistry.java:61)
at org.springframework.security.authorization.method.AbstractExpressionAttributeRegistry.lambda$getAttribute$0(AbstractExpressionAttributeRegistry.java:57)
at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
at org.springframework.security.authorization.method.AbstractExpressionAttributeRegistry.getAttribute(AbstractExpressionAttributeRegistry.java:57)
at org.springframework.security.authorization.method.AbstractExpressionAttributeRegistry.getAttribute(AbstractExpressionAttributeRegistry.java:46)
at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:63)
at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:40)
at org.springframework.security.authorization.ObservationAuthorizationManager.check(ObservationAuthorizationManager.java:55)
at org.springframework.security.config.annotation.method.configuration.DeferringObservationAuthorizationManager.check(DeferringObservationAuthorizationManager.java:47)
at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.attemptAuthorization(AuthorizationManagerBeforeMethodInterceptor.java:252)
at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.invoke(AuthorizationManagerBeforeMethodInterceptor.java:198)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89)
After some debugging, I found that Spring Security somehow reflects the single annotation multiple times. As soon as I move the methods from the base-repository to the actual repository, the exception does no longer appear.
I've got a base-repository implementing some common methods like findAll, findById, etc. and marking them accessible using the REST-API and restricting the access using the @HasRoleAdminOrHasReadCollectionPermission meta-annotation (following later):
@NoRepositoryBean
interface BaseRepository<T : BaseEntity> : CrudRepository<T, Long> {
/* [...] */
@RestResource
@HasRoleAdminOrHasReadCollectionPermission
override fun findAll(): List<T>
/* [...] */
}
Second, the base-repository is implemented by the actual entity-repository:
@RepositoryRestResource(path = "categories", collectionResourceRel = "categories")
@Transactional(readOnly = true)
interface CategoryRepository : BaseRepository<Category> {
/* [...] */
}
Third, here's the @HasRoleAdminOrHasReadCollectionPermission meta-annotation:
@Retention(AnnotationRetention.RUNTIME)
@Target(AnnotationTarget.CLASS, AnnotationTarget.FUNCTION)
@PreAuthorize("hasRole('$ROLE_ADMIN') or hasPermission($COLLECTION_TARGET, $DELETE_PERMISSION)")
annotation class HasRoleAdminOrHasDeleteCollectionPermission
I'm all out of ideas, looked through the Java files generated from Kotlin, nowhere are duplicated annotations. Hoping someone here can help me with that.
Edit: As requested, here's the Application-class and the class containing the security-config:
@SpringBootApplication(exclude = [ErrorMvcAutoConfiguration::class])
@ServletComponentScan
@EnableAsync
@EnableScheduling
class Application {
companion object {
val HOSTNAME = System.getenv("HOSTNAME")
val TIMESTAMP = System.currentTimeMillis()
/** Entry point, run with gradle `bootRun` task. */
@JvmStatic
fun main(args: Array<String>) {
SpringApplication.run(Application::class.java, *args)
}
}
}
@Configuration
@EnableWebSecurity(debug = true)
@EnableMethodSecurity(prePostEnabled = true)
class SecurityConfig(
private val environment: Environment,
private val baseProperties: BaseProperties,
private val accountService: AccountService,
private val integrationService: IntegrationService,
private val jwtService: JwtService,
private val loginAttemptService: LoginAttemptService,
private val handlerExceptionResolver: HandlerExceptionResolver
) {
@Bean
fun webSecurityCustomizer(): WebSecurityCustomizer =
WebSecurityCustomizer { web: WebSecurity -> web.debug(true) }
@Bean
fun corsConfigurationSource(): CorsConfigurationSource {
val configuration = CorsConfiguration()
configuration.allowedOrigins = baseProperties.corsAllowedOrigins()
configuration.allowedMethods = listOf(CorsConfiguration.ALL)
configuration.allowedHeaders = listOf(CorsConfiguration.ALL)
configuration.allowCredentials = true
val source = UrlBasedCorsConfigurationSource()
source.registerCorsConfiguration(ANY_PATH, configuration)
return source
}
@Bean
fun userDetailsService(): UserDetailsService =
AccountUserDetailsService(accountService, integrationService)
@Bean
fun authenticationManager(
http: HttpSecurity,
userDetailsService: UserDetailsService
): AuthenticationManager {
val authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder::class.java)
val loginAttemptDaoAuthenticationProvider = LoginAttemptDaoAuthenticationProvider(loginAttemptService, userDetailsService)
val jwtPreAuthenticationProvider = PreAuthenticatedAuthenticationProvider()
jwtPreAuthenticationProvider.setPreAuthenticatedUserDetailsService(UserDetailsByNameServiceWrapper(userDetailsService))
return authenticationManagerBuilder
.userDetailsService(userDetailsService).and()
.authenticationProvider(loginAttemptDaoAuthenticationProvider)
.authenticationProvider(jwtPreAuthenticationProvider)
.build()
}
@Bean
fun filterChain(
http: HttpSecurity,
authenticationManager: AuthenticationManager,
userDetailsService: UserDetailsService
): SecurityFilterChain {
return http
.requireSSL()
.disableLocalHSTS()
.enableCors()
.enableStatelessCsrf()
.statelessSessionManagement()
.jwtAuthentication(authenticationManager)
.setRequestRestrictions()
.build()
}
private fun HttpSecurity.requireSSL(): HttpSecurity =
requiresChannel().anyRequest().requiresSecure().and()
private fun HttpSecurity.disableLocalHSTS(): HttpSecurity =
if (environment.acceptsProfiles(Profiles.of(DEVELOPMENT, TESTING)))
headers().httpStrictTransportSecurity().disable().and()
else this
private fun HttpSecurity.enableCors(): HttpSecurity =
cors().and()
private fun HttpSecurity.enableStatelessCsrf(): HttpSecurity =
csrf().disable().addFilterBefore(StatelessCsrfFilter(), CsrfFilter::class.java)
private fun HttpSecurity.statelessSessionManagement(): HttpSecurity =
sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
private fun HttpSecurity.jwtAuthentication(
authenticationManager: AuthenticationManager
): HttpSecurity =
addFilterBefore(JwtPreAuthenticatedProcessingFilter(authenticationManager, jwtService), UsernamePasswordAuthenticationFilter::class.java)
.addFilterBefore(JwtCookiePreAuthenticationFilter(jwtService), UsernamePasswordAuthenticationFilter::class.java)
.formLogin()
.loginProcessingUrl(LOGIN_URL)
.successHandler(JwtCookieAuthenticationSuccessHandler(jwtService))
.failureHandler(AuthenticationFailureResolver(handlerExceptionResolver))
.and()
.logout()
.logoutUrl(LOGOUT_URL)
.logoutSuccessHandler(Http200LogoutSuccessHandler())
.addLogoutHandler(JwtCookieLogoutHandler(jwtService))
.and()
private fun HttpSecurity.setRequestRestrictions(): HttpSecurity =
authorizeHttpRequests {
it.requestMatchers(HttpMethod.GET, ROOT_URL).permitAll()
.requestMatchers([...])
.anyRequest().denyAll().and()
}
}
1 answers
solution1
0 2023-01-20 17:25:40
I would say it would make sense to make an experiment. Try to modify the @EnableMethodSecurity(prePostEnabled = true) into
@EnableMethodSecurity(prePostEnabled = true, proxyTargetClass= true)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Async only accepted Future and void as return type after upgrade to JDK 17 and Spring Boot 3
Spring Boot Application run failed : how to fix an AnnotationConfigurationException (nonexistent attribute)
Spring boot 2.7.2 with JDK 17 and SOAP Web service
Logging doesnt work with Spring boot 2.1.1 and JDK 11 upgrade
Upgrade Spring Boot app (using javax.persistence) to JDK 11
Define Bean in combination with @ConditionalOnMissingBean does not work since Spring Boot Upgrade
JDK 17 spring boot Unable to make private java.time.LocalDateTime
Spring Boot can't start on JDK 17 : module java.base does not "opens java.lang" to unnamed module
JDK17 + Spring Boot Starter Web Services: Implementation of JAXB-API has not been found on module path or classpath
Spring Boot Upgrade to Latest
Related Tags