spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

@EnableReactiveMethodSecurity / Prometheus HTTP metrics missing on Spring Boot 3.0.3 #12815

Closed janchristian-haddorp closed 1 year ago

janchristian-haddorp commented 1 year ago

Starting with Spring Boot 3.0.3, the annotation @EnableReactiveMethodSecurity causes problems with Prometheus metrics (httpserver and httpclient are missing).

Normally http://localhost:8080/actuator/prometheus will include several HTTP metrics. When adding @EnableReactiveMethodSecurity to the security config, all these metrics disappear. Spring Boot 3.0.2 and earlier didn't show this effect.

Expected metrics / missing with Spring Boot 3.0.3

# HELP http_server_requests_seconds  
# TYPE http_server_requests_seconds summary
http_server_requests_seconds_count{error="none",exception="none",method="GET",outcome="SUCCESS",status="200",uri="/actuator/prometheus",} 1.0
http_server_requests_seconds_sum{error="none",exception="none",method="GET",outcome="SUCCESS",status="200",uri="/actuator/prometheus",} 0.055534666
# HELP http_server_requests_seconds_max  
# TYPE http_server_requests_seconds_max gauge
http_server_requests_seconds_max{error="none",exception="none",method="GET",outcome="SUCCESS",status="200",uri="/actuator/prometheus",} 0.055534666

Sample security config

package com.example.demo;

import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Slf4j
@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
        return http.authorizeExchange(exchangeSpec -> exchangeSpec
                        .pathMatchers("/**").permitAll())
                .build();
    }
}

Gradle dependencies

plugins {
    id 'java'
    id 'org.springframework.boot' version '3.0.3'
    id 'io.spring.dependency-management' version '1.1.0'
}

group = 'com.example'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '17'

configurations {
    compileOnly {
        extendsFrom annotationProcessor
    }
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-actuator'
    implementation 'org.springframework.boot:spring-boot-starter-webflux'
    implementation 'org.springframework.boot:spring-boot-starter-security'
    compileOnly 'org.projectlombok:lombok'
    runtimeOnly 'io.micrometer:micrometer-registry-prometheus'
    annotationProcessor 'org.projectlombok:lombok'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    testImplementation 'io.projectreactor:reactor-test'
}

Workaround

Remove the @EnableReactiveMethodSecurity annotation if not explicitly needed.

marcusdacoregio commented 1 year ago

Hi @janchristian-haddorp, I believe this is a duplicate of https://github.com/spring-projects/spring-security/issues/12780.

Can you test if Spring Security 6.0.3-SNAPSHOT fixes that problem?

I'll close this as a duplicate but feel free to continue the discussion if your scenario is different.

janchristian-haddorp commented 1 year ago

@marcusdacoregio, thanks for the update. Yes, using the following libs fixes the problem...

implementation 'org.springframework.security:spring-security-core:6.0.3-SNAPSHOT'
implementation 'org.springframework.security:spring-security-config:6.0.3-SNAPSHOT'
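
A scrape check that a monitoring pipeline could run to catch the regression reported in this thread, as an added example that is not part of the original issue or of the Spring Security project: it parses the Prometheus text output and reports required metric families that have no samples. The function names and the second scrape (`BROKEN`) are constructed for illustration; the first scrape is copied from the issue.

```python
import re

# name{label="value",...} value  (Micrometer leaves a trailing comma in the label set)
SAMPLE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
LABEL = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

def parse_samples(text):
    """Return (name, labels, value) for every sample line, skipping # HELP / # TYPE."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE.match(line)
        if m:
            name, raw_labels, value = m.groups()
            samples.append((name, dict(LABEL.findall(raw_labels or "")), float(value)))
    return samples

def recorded_requests(text, family):
    """Sum the <family>_count samples across all label sets."""
    return sum(v for n, _, v in parse_samples(text) if n == family + "_count")

def missing_families(text, required=("http_server_requests_seconds",)):
    """List required families for which the scrape contains no sample at all."""
    names = [n for n, _, _ in parse_samples(text)]
    return [f for f in required if not any(n.startswith(f) for n in names)]

# Scrape lines copied from the issue: HTTP server metrics are present.
HEALTHY = '''\
# HELP http_server_requests_seconds
# TYPE http_server_requests_seconds summary
http_server_requests_seconds_count{error="none",exception="none",method="GET",outcome="SUCCESS",status="200",uri="/actuator/prometheus",} 1.0
http_server_requests_seconds_sum{error="none",exception="none",method="GET",outcome="SUCCESS",status="200",uri="/actuator/prometheus",} 0.055534666
'''

# Constructed scrape: the endpoint still answers, but the HTTP families are gone.
BROKEN = '''\
# HELP jvm_threads_live_threads The current number of live threads
# TYPE jvm_threads_live_threads gauge
jvm_threads_live_threads 23.0
'''

if __name__ == "__main__":
    for label, scrape in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(label, "missing:", missing_families(scrape))
```

The endpoint returning HTTP 200 is not enough to detect this failure, since the scrape succeeds while request telemetry is silently absent; asserting on the families themselves is what catches it.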