Fix conflicting bean names between @EnableWebSecurity and @EnableWebSocketSecurity

[zyro23]

Describe the bug

***************************
APPLICATION FAILED TO START
***************************

Description:

The bean 'webAuthorizationManagerPostProcessor', defined in class path resource [org/springframework/security/config/annotation/web/configuration/ObservationConfiguration.class], could not be registered. A bean with that name has already been defined in class path resource [org/springframework/security/config/annotation/web/socket/WebSocketObservationConfiguration.class] and overriding is disabled.

Action:

Consider renaming one of the beans or enabling overriding by setting spring.main.allow-bean-definition-overriding=true

the naming conflict is between:

• https://github.com/spring-projects/spring-security/blob/6.4.0-RC1/config/src/main/java/org/springframework/security/config/annotation/web/configuration/ObservationConfiguration.java#L48
• https://github.com/spring-projects/spring-security/blob/6.4.0-RC1/config/src/main/java/org/springframework/security/config/annotation/web/socket/WebSocketObservationConfiguration.java#L44

To Reproduce

• create an empty boot-3.4.0-RC1 app with spring-web, spring-security, spring-websocket
• add spring-security-messaging as dependency
• add @EnableWebSocketSecurity

Expected behavior

app starts

Sample

sample app will be referenced asap, thank you!

[ngocnhan-tran1996]

@zyro23

I add @EnableWebSocket to file *Application.java and app starts

[zyro23]

hmm.. just added @EnableWebSocket to DemoApplication from the sample app but still getting the same error?

(gradle-) cleaned the project, re-ran multiple times.

diff

```patch Index: src/main/java/com/example/demo/DemoApplication.java <+>UTF-8 =================================================================== diff --git a/src/main/java/com/example/demo/DemoApplication.java b/src/main/java/com/example/demo/DemoApplication.java --- a/src/main/java/com/example/demo/DemoApplication.java (revision 3ff50e46fc8852dc867b458892b65cb98b01f9a5) +++ b/src/main/java/com/example/demo/DemoApplication.java (date 1730308768835) @@ -3,7 +3,9 @@ import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.security.config.annotation.web.socket.EnableWebSocketSecurity; +import org.springframework.web.socket.config.annotation.EnableWebSocket; +@EnableWebSocket @EnableWebSocketSecurity @SpringBootApplication public class DemoApplication { ```

console out (same failure)

``` 2024-10-30T18:19:58.219+01:00 ERROR 15800 --- [demo] [ main] o.s.b.d.LoggingFailureAnalysisReporter : *************************** APPLICATION FAILED TO START *************************** Description: The bean 'webAuthorizationManagerPostProcessor', defined in class path resource [org/springframework/security/config/annotation/web/configuration/ObservationConfiguration.class], could not be registered. A bean with that name has already been defined in class path resource [org/springframework/security/config/annotation/web/socket/WebSocketObservationConfiguration.class] and overriding is disabled. Action: Consider renaming one of the beans or enabling overriding by setting spring.main.allow-bean-definition-overriding=true 4 actionable tasks: 4 executed FAILURE: Build failed with an exception. ```

to make sure this is not a "runs-on-my-machine" kinda issue:

• i pushed a second branch enable-web-socket to the sample repo, enabled github actions and added @EnableWebSocket
  • https://github.com/zyro23/spring-security-16011/commit/a7dd7896311943add7bbdb9c8c01464f81cde18d
• the corresponding test workflow fails with the same error
  • https://github.com/zyro23/spring-security-16011/actions/runs/11599033133/job/32296266726#step:4:32

[ngocnhan-tran1996]

@zyro23

My bad, I work with wrong version, I confirm this version throws error

[kalgon]

Can this issue be investigated before the releases of spring-security 6.4.0 and spring-boot 3.4.0 scheduled for next week? This problem breaks applications using both web and web sockets stacks.

[jzheaux]

@kalgon, I'm sorry that this didn't get it before the 6.4 release. The fix will go out in the 6.4.1 release. I'll consult with the team to see if we can get it moved up.

In the meantime, are you able to set spring.main.allow-bean-definition-overriding to true?

If not, while not ideal, you can remove @EnableWebSocketSecurity, copy MessageMatcherAuthorizationManagerConfiguration and WebSocketMessageBrokerSecurityConfiguration into your project, and import them directly.

I've added https://github.com/spring-projects/spring-security-samples/issues/338 to catch things like this in the future.

[jzheaux]

Closed in favor of #16113