Spring Circular Dependency vaadinRolePrefixHolder

djarnis73 commented 8 months ago

Description of the bug

After bumping our vaadin dependency from 24.2.4 to 24.3.2 we are seeing the following error when running with oauth2 (through spring-cloud-azure-starter-active-directory). Spring boot is version 3.1.7.

Spring boot fails to start with the following error:

APPLICATION FAILED TO START

Description:

The dependencies of some of the beans in the application context form a cycle:

┌─────┐
|  securityConfiguration (field private com.vaadin.flow.spring.security.VaadinRolePrefixHolder com.vaadin.flow.spring.security.VaadinWebSecurity.vaadinRolePrefixHolder)
↑     ↓
|  vaadinRolePrefixHolder defined in class path resource [com/vaadin/flow/spring/SpringSecurityAutoConfiguration.class]
└─────┘

Action:

Relying upon circular references is discouraged and they are prohibited by default. Update your application to remove the dependency cycle between beans. As a last resort, it may be possible to break the cycle automatically by setting spring.main.allow-circular-references to true.

If I add a @Bean that supplies a VaadinRolePrefixHolder, then I still get a circular dependency:

┌──->──┐
|  securityConfiguration (field private com.vaadin.flow.spring.security.VaadinRolePrefixHolder com.vaadin.flow.spring.security.VaadinWebSecurity.vaadinRolePrefixHolder)
└──<-──┘

It will start when setting spring.main.allow-circular-references to true but that is undesirable.

I'm hoping someone can spot the issue without a full reproducer application, but I will try to hack one together if needed.

Best regards Jens

Expected behavior

Application should start without having to set spring.main.allow-circular-references to true.

Minimal reproducible example

Will create a reproducer if required, but I suspect this is an easily to spot bug with an easy fix.

Versions

Flow: 24.3.2 Vaadin: 24.3.2 Java: Eclipse Adoptium 17.0.9 OS: aarch64 Mac OS X 14.2.1 Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 Live reload: Java active (Spring Boot Devtools): Front end active

IDE (if applicable): IntelliJ IDEA 2023.3.2 (Ultimate Edition)

mcollovati commented 8 months ago

Unfortunately, I am unable to replicate the issue. Anyway, two considerations:

Vaadin 24.3 targets Spring Boot 3.2
If you are defining the VaadinRolePrefixHolder bean in a class extending VaadinWebSecurity, you should make sure that the defining method is declared as static to prevent circular dependencies

mcollovati commented 8 months ago

@djarnis73 are you by any chance defining a GrantedAuthorityDefaults bean in a configuration class extending VaadinWebSecurity?

djarnis73 commented 8 months ago

Yes I do have the following:

@Bean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
    return new GrantedAuthorityDefaults("");
}

In a @Configuration class that extends VaadinWebSecurity, I can easily move it to a different configuration class though.

mcollovati commented 8 months ago

Or you can make the method static. It should work as well

djarnis73 commented 8 months ago

I can confirm that making the method static resolves the issue.

mcollovati commented 8 months ago

@djarnis73 Thanks for feedback.

I think that it may be worth it to add a note on the documentation about potential circular references and how to fix it

mcollovati commented 2 months ago

Closing, as the circular references note has been added to the documentation in vaadin/docs#2953

vaadin / flow