diff --git a/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java index b83345b3a0..2029d45099 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java @@ -113,6 +113,7 @@ public class AuthenticationConfiguration { lazyTargetSource.setTargetBeanName(beanNamesForType[0]); lazyTargetSource.setBeanFactory(applicationContext); ProxyFactoryBean proxyFactory = new ProxyFactoryBean(); + proxyFactory = objectPostProcessor.postProcess(proxyFactory); proxyFactory.setTargetSource(lazyTargetSource); proxyFactory.setInterfaces(new Class[] { interfaceName, LazyBean.class }); return (T) proxyFactory.getObject(); diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy index c1dc0d9ef6..635bb387a5 100644 --- a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy @@ -15,7 +15,9 @@ */ package org.springframework.security.config.annotation.authentication.configuration; +import org.springframework.aop.framework.ProxyFactoryBean import org.springframework.beans.factory.annotation.Autowired +import org.springframework.context.ApplicationContext import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Import @@ -25,8 +27,9 @@ import org.springframework.security.access.annotation.Secured import org.springframework.security.authentication.AuthenticationManager import org.springframework.security.authentication.TestingAuthenticationToken import org.springframework.security.authentication.UsernamePasswordAuthenticationToken -import org.springframework.security.authentication.dao.DaoAuthenticationProvider; +import org.springframework.security.authentication.dao.DaoAuthenticationProvider import org.springframework.security.config.annotation.BaseSpringSpec +import org.springframework.security.config.annotation.ObjectPostProcessor import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration @@ -292,4 +295,34 @@ class AuthenticationConfigurationTests extends BaseSpringSpec { auth.authenticationProvider(provider) } } + + def "SEC-2531: AuthenticationConfiguration#lazyBean should use BeanClassLoader on ProxyFactoryBean"() { + setup: + ObjectPostProcessor opp = Mock() + Sec2531Config. opp = opp + loadConfig(Sec2531Config) + when: + AuthenticationConfiguration config = context.getBean(AuthenticationConfiguration) + config.getAuthenticationManager() + then: + 1 * opp.postProcess(_ as ProxyFactoryBean) >> { args -> + args[0] + } + } + + @Configuration + @Import(AuthenticationConfiguration) + static class Sec2531Config { + static ObjectPostProcessor opp + + @Bean + public ObjectPostProcessor objectPostProcessor() { + opp + } + + @Bean + public AuthenticationManager manager() { + null + } + } } \ No newline at end of file