Disable bean proxying in configuration classes

Fixes gh-6967

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java

@@ -57,7 +57,7 @@ import java.util.stream.Collectors;
  * @since 3.2
  *
  */
-@Configuration
+@Configuration(proxyBeanMethods = false)
 @Import(ObjectPostProcessorConfiguration.class)
 public class AuthenticationConfiguration {
 

config/src/main/java/org/springframework/security/config/annotation/configuration/ObjectPostProcessorConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,7 +33,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
  * @author Rob Winch
  * @since 3.2
  */
-@Configuration
+@Configuration(proxyBeanMethods = false)
 public class ObjectPostProcessorConfiguration {
 
 	@Bean

config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java

@@ -79,7 +79,7 @@ import org.springframework.util.Assert;
  * @since 3.2
  * @see EnableGlobalMethodSecurity
  */
-@Configuration
+@Configuration(proxyBeanMethods = false)
 public class GlobalMethodSecurityConfiguration
 		implements ImportAware, SmartInitializingSingleton, BeanFactoryAware {
 	private static final Log logger = LogFactory

config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MetadataSourceConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,7 +19,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
 
-@Configuration
+@Configuration(proxyBeanMethods = false)
 class Jsr250MetadataSourceConfiguration {
 
 	@Bean

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.java

@@ -38,7 +38,7 @@ import java.util.Arrays;
  * @author Tadaya Tsuyukubo
  * @since 5.0
  */
-@Configuration
+@Configuration(proxyBeanMethods = false)
 class ReactiveMethodSecurityConfiguration implements ImportAware {
 	private int advisorOrder;
 

config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java

@@ -58,7 +58,7 @@ final class OAuth2ClientConfiguration {
 		}
 	}
 
-	@Configuration
+	@Configuration(proxyBeanMethods = false)
 	static class OAuth2ClientWebMvcSecurityConfiguration implements WebMvcConfigurer {
 		private ClientRegistrationRepository clientRegistrationRepository;
 		private OAuth2AuthorizedClientRepository authorizedClientRepository;

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java

@@ -63,7 +63,7 @@ import org.springframework.security.web.context.AbstractSecurityWebApplicationIn
  * @author Keesun Baik
  * @since 3.2
  */
-@Configuration
+@Configuration(proxyBeanMethods = false)
 public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
 	private WebSecurity webSecurity;
 

config/src/main/java/org/springframework/security/config/annotation/web/reactive/ReactiveOAuth2ClientImportSelector.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,7 +52,7 @@ final class ReactiveOAuth2ClientImportSelector implements ImportSelector {
 			new String[] {};
 	}
 
-	@Configuration
+	@Configuration(proxyBeanMethods = false)
 	static class OAuth2ClientWebFluxSecurityConfiguration implements WebFluxConfigurer {
 		private ReactiveClientRegistrationRepository clientRegistrationRepository;
 

config/src/main/java/org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java

@@ -42,7 +42,7 @@ import org.springframework.web.reactive.result.method.annotation.ArgumentResolve
  * @author Dan Zheng
  * @since 5.0
  */
-@Configuration
+@Configuration(proxyBeanMethods = false)
 class ServerHttpSecurityConfiguration {
 	private static final String BEAN_NAME_PREFIX = "org.springframework.security.config.annotation.web.reactive.HttpSecurityConfiguration.";
 	private static final String HTTPSECURITY_BEAN_NAME = BEAN_NAME_PREFIX + "httpSecurity";

config/src/main/java/org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfiguration.java

@@ -38,7 +38,7 @@ import org.springframework.web.reactive.result.view.AbstractView;
  * @author Rob Winch
  * @since 5.0
  */
-@Configuration
+@Configuration(proxyBeanMethods = false)
 class WebFluxSecurityConfiguration {
 	public static final int WEB_FILTER_CHAIN_FILTER_ORDER = 0 - 100;
 

config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/WebMvcSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@ package org.springframework.security.config.annotation.web.servlet.configuration
 import java.util.List;
 
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver;
 import org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor;
@@ -37,6 +38,7 @@ import org.springframework.web.servlet.support.RequestDataValueProcessor;
  * @author Rob Winch
  * @since 3.2
  */
+@Configuration(proxyBeanMethods = false)
 @EnableWebSecurity
 public class WebMvcSecurityConfiguration implements WebMvcConfigurer {
 

config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.java

@@ -542,7 +542,7 @@ public class AuthenticationConfigurationTests {
 				.isInstanceOf(AlreadyBuiltException.class);
 	}
 
-	@Configuration(proxyBeanMethods = false)
+	@Configuration
 	static class AuthenticationConfigurationSubclass extends AuthenticationConfiguration {
 	}
 }

config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/EnableGlobalAuthenticationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,26 +17,30 @@ package org.springframework.security.config.annotation.authentication.configurat
 
 import static org.assertj.core.api.Assertions.assertThat;
 
+import org.junit.Rule;
 import org.junit.Test;
-import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.security.config.test.SpringTestRule;
 
 /**
  *
  * @author Rob Winch
  *
  */
-@RunWith(SpringJUnit4ClassRunner.class)
 public class EnableGlobalAuthenticationTests {
-	@Autowired
-	AuthenticationConfiguration auth;
+	@Rule
+	public final SpringTestRule spring = new SpringTestRule();
 
 	// gh-4086
 	@Test
 	public void authenticationConfigurationWhenGetAuthenticationManagerThenNotNull() throws Exception {
+		this.spring.register(Config.class).autowire();
+
+		AuthenticationConfiguration auth = spring.getContext().getBean(AuthenticationConfiguration.class);
+
 		assertThat(auth.getAuthenticationManager()).isNotNull();
 	}
 
@@ -50,4 +54,67 @@ public class EnableGlobalAuthenticationTests {
 		}
 	}
 
+	@Test
+	public void enableGlobalAuthenticationWhenNoConfigurationAnnotationThenBeanProxyingEnabled() {
+		this.spring.register(BeanProxyEnabledByDefaultConfig.class).autowire();
+
+		Child childBean = this.spring.getContext().getBean(Child.class);
+		Parent parentBean = this.spring.getContext().getBean(Parent.class);
+
+		assertThat(parentBean.getChild()).isSameAs(childBean);
+	}
+
+	@EnableGlobalAuthentication
+	static class BeanProxyEnabledByDefaultConfig {
+		@Bean
+		public Child child() {
+			return new Child();
+		}
+
+		@Bean
+		public Parent parent() {
+			return new Parent(child());
+		}
+	}
+
+	@Test
+	public void enableGlobalAuthenticationWhenProxyBeanMethodsFalseThenBeanProxyingDisabled() {
+		this.spring.register(BeanProxyDisabledConfig.class).autowire();
+
+		Child childBean = this.spring.getContext().getBean(Child.class);
+		Parent parentBean = this.spring.getContext().getBean(Parent.class);
+
+		assertThat(parentBean.getChild()).isNotSameAs(childBean);
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	@EnableGlobalAuthentication
+	static class BeanProxyDisabledConfig {
+		@Bean
+		public Child child() {
+			return new Child();
+		}
+
+		@Bean
+		public Parent parent() {
+			return new Parent(child());
+		}
+	}
+
+	static class Parent {
+		private Child child;
+
+		Parent(Child child) {
+			this.child = child;
+		}
+
+		public Child getChild() {
+			return child;
+		}
+	}
+
+	static class Child {
+		Child() {
+		}
+	}
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java

@@ -557,7 +557,7 @@ public class GlobalMethodSecurityConfigurationTests {
 
 	@Test
 	public void methodSecurityInterceptorUsesMetadataSourceBeanWhenProxyingDisabled() {
-		this.spring.register(CustomMetadataSourceProxylessConfig.class).autowire();
+		this.spring.register(CustomMetadataSourceBeanProxyEnabledConfig.class).autowire();
 		MethodSecurityInterceptor methodInterceptor =
 				(MethodSecurityInterceptor) this.spring.getContext().getBean(MethodInterceptor.class);
 		MethodSecurityMetadataSource methodSecurityMetadataSource =
@@ -567,7 +567,7 @@ public class GlobalMethodSecurityConfigurationTests {
 	}
 
 	@EnableGlobalMethodSecurity(prePostEnabled = true)
-	@Configuration(proxyBeanMethods = false)
-	public static class CustomMetadataSourceProxylessConfig extends GlobalMethodSecurityConfiguration {
+	@Configuration
+	public static class CustomMetadataSourceBeanProxyEnabledConfig extends GlobalMethodSecurityConfiguration {
 	}
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfigurationTests.java

@@ -89,7 +89,7 @@ public class ReactiveMethodSecurityConfigurationTests {
 	}
 
 	@Test
-	public void rolePrefixWithGrantedAuthorityDefaultsAndSubclassWithProxyingDisabled() {
+	public void rolePrefixWithGrantedAuthorityDefaultsAndSubclassWithProxyingEnabled() {
 		this.spring.register(SubclassConfig.class).autowire();
 
 		TestingAuthenticationToken authentication = new TestingAuthenticationToken(
@@ -105,7 +105,7 @@ public class ReactiveMethodSecurityConfigurationTests {
 		assertThat(root.hasRole("ABC")).isTrue();
 	}
 
-	@Configuration(proxyBeanMethods = false)
+	@Configuration
 	static class SubclassConfig extends ReactiveMethodSecurityConfiguration {
 	}
 }

config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -122,4 +122,68 @@ public class EnableWebSecurityTests {
 			}
 		}
 	}
+
+	@Test
+	public void enableWebSecurityWhenNoConfigurationAnnotationThenBeanProxyingEnabled() {
+		this.spring.register(BeanProxyEnabledByDefaultConfig.class).autowire();
+
+		Child childBean = this.spring.getContext().getBean(Child.class);
+		Parent parentBean = this.spring.getContext().getBean(Parent.class);
+
+		assertThat(parentBean.getChild()).isSameAs(childBean);
+	}
+
+	@EnableWebSecurity
+	static class BeanProxyEnabledByDefaultConfig extends WebSecurityConfigurerAdapter {
+		@Bean
+		public Child child() {
+			return new Child();
+		}
+
+		@Bean
+		public Parent parent() {
+			return new Parent(child());
+		}
+	}
+
+	@Test
+	public void enableWebSecurityWhenProxyBeanMethodsFalseThenBeanProxyingDisabled() {
+		this.spring.register(BeanProxyDisabledConfig.class).autowire();
+
+		Child childBean = this.spring.getContext().getBean(Child.class);
+		Parent parentBean = this.spring.getContext().getBean(Parent.class);
+
+		assertThat(parentBean.getChild()).isNotSameAs(childBean);
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	@EnableWebSecurity
+	static class BeanProxyDisabledConfig extends WebSecurityConfigurerAdapter {
+		@Bean
+		public Child child() {
+			return new Child();
+		}
+
+		@Bean
+		public Parent parent() {
+			return new Parent(child());
+		}
+	}
+
+	static class Parent {
+		private Child child;
+
+		Parent(Child child) {
+			this.child = child;
+		}
+
+		public Child getChild() {
+			return child;
+		}
+	}
+
+	static class Child {
+		Child() {
+		}
+	}
 }

config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java

@@ -406,7 +406,7 @@ public class WebSecurityConfigurationTests {
 	}
 
 	@Test
-	public void loadConfigWhenProxyingDisabledAndSubclassThenFilterChainsCreated() {
+	public void loadConfigWhenBeanProxyingEnabledAndSubclassThenFilterChainsCreated() {
 		this.spring.register(GlobalAuthenticationWebSecurityConfigurerAdaptersConfig.class, SubclassConfig.class).autowire();
 
 		FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class);
@@ -415,7 +415,7 @@ public class WebSecurityConfigurationTests {
 		assertThat(filterChains).hasSize(4);
 	}
 
-	@Configuration(proxyBeanMethods = false)
+	@Configuration
 	static class SubclassConfig extends WebSecurityConfiguration {
 	}
 

config/src/test/java/org/springframework/security/config/annotation/web/reactive/EnableWebFluxSecurityTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@ import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
@@ -367,4 +368,70 @@ public class EnableWebFluxSecurityTests {
 		buffer.write(body.getBytes(StandardCharsets.UTF_8));
 		return buffer;
 	}
+
+	@Test
+	public void enableWebFluxSecurityWhenNoConfigurationAnnotationThenBeanProxyingEnabled() {
+		this.spring.register(BeanProxyEnabledByDefaultConfig.class).autowire();
+
+		Child childBean = this.spring.getContext().getBean(Child.class);
+		Parent parentBean = this.spring.getContext().getBean(Parent.class);
+
+		assertThat(parentBean.getChild()).isSameAs(childBean);
+	}
+
+	@EnableWebFluxSecurity
+	@Import(ReactiveAuthenticationTestConfiguration.class)
+	static class BeanProxyEnabledByDefaultConfig {
+		@Bean
+		public Child child() {
+			return new Child();
+		}
+
+		@Bean
+		public Parent parent() {
+			return new Parent(child());
+		}
+	}
+
+	@Test
+	public void enableWebFluxSecurityWhenProxyBeanMethodsFalseThenBeanProxyingDisabled() {
+		this.spring.register(BeanProxyDisabledConfig.class).autowire();
+
+		Child childBean = this.spring.getContext().getBean(Child.class);
+		Parent parentBean = this.spring.getContext().getBean(Parent.class);
+
+		assertThat(parentBean.getChild()).isNotSameAs(childBean);
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	@EnableWebFluxSecurity
+	@Import(ReactiveAuthenticationTestConfiguration.class)
+	static class BeanProxyDisabledConfig {
+		@Bean
+		public Child child() {
+			return new Child();
+		}
+
+		@Bean
+		public Parent parent() {
+			return new Parent(child());
+		}
+	}
+
+	static class Parent {
+		private Child child;
+
+		Parent(Child child) {
+			this.child = child;
+		}
+
+		public Child getChild() {
+			return child;
+		}
+	}
+
+	static class Child {
+		Child() {
+		}
+	}
 }

config/src/test/java/org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfigurationTest.java

@@ -44,7 +44,7 @@ public class ServerHttpSecurityConfigurationTest {
 	}
 
 	@Test
-	public void loadConfigWhenProxyingDisabledAndSubclassThenServerHttpSecurityExists() {
+	public void loadConfigWhenProxyingEnabledAndSubclassThenServerHttpSecurityExists() {
 		this.spring.register(SubclassConfig.class, ReactiveAuthenticationTestConfiguration.class,
 				WebFluxSecurityConfiguration.class).autowire();
 		ServerHttpSecurity serverHttpSecurity = this.spring.getContext().getBean(ServerHttpSecurity.class);
@@ -52,7 +52,7 @@ public class ServerHttpSecurityConfigurationTest {
 		assertThat(serverHttpSecurity).isNotNull();
 	}
 
-	@Configuration(proxyBeanMethods = false)
+	@Configuration
 	static class SubclassConfig extends ServerHttpSecurityConfiguration {
 	}
 }

config/src/test/java/org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfigurationTests.java

@@ -44,7 +44,7 @@ public class WebFluxSecurityConfigurationTests {
 	}
 
 	@Test
-	public void loadConfigWhenProxyingDisabledAndSubclassThenWebFilterChainProxyExists() {
+	public void loadConfigWhenBeanProxyingEnabledAndSubclassThenWebFilterChainProxyExists() {
 		this.spring.register(ServerHttpSecurityConfiguration.class, ReactiveAuthenticationTestConfiguration.class,
 				WebFluxSecurityConfigurationTests.SubclassConfig.class).autowire();
 		WebFilterChainProxy webFilterChainProxy = this.spring.getContext().getBean(WebFilterChainProxy.class);
@@ -52,7 +52,7 @@ public class WebFluxSecurityConfigurationTests {
 		assertThat(webFilterChainProxy).isNotNull();
 	}
 
-	@Configuration(proxyBeanMethods = false)
+	@Configuration
 	static class SubclassConfig extends WebFluxSecurityConfiguration {
 	}
 }