jamesfredley opened a new pull request, #1205: URL: https://github.com/apache/grails-spring-security/pull/1205
## Summary

Adds `SecurityAutoConfigurationExcluder` implementing `AutoConfigurationImportFilter` to automatically exclude 7 Spring Boot security auto-configuration classes that conflict with the Grails Spring Security plugin. This eliminates the manual `spring.autoconfigure.exclude` entries that every Grails 7 user currently must add to `application.yml`.

## Feature Description

The plugin [README](https://github.com/apache/grails-spring-security/blob/7.0.x/README.md#L53-L66) documents that Grails 7 requires 7 manual `spring.autoconfigure.exclude` entries:

```yaml
spring:
  autoconfigure:
    exclude:
      - org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
      - org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration
      - org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration
      - org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration
      - org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientAutoConfiguration
      - org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration
      - org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
```

These exclusions are **always required** — not conditional or environment-specific. This boilerplate is easy to miss, hard to debug when forgotten, and should be handled automatically by the plugin.

## Implementation

**Approach**: `AutoConfigurationImportFilter` SPI (stable since Spring Boot 1.5.0, used in 3.x)

### Why `AutoConfigurationImportFilter` over alternatives

| Approach | Drawback |
|----------|----------|
| `EnvironmentPostProcessor` | `spring.autoconfigure.exclude` is a `List` — property sources cannot merge lists reliably ([Spring Boot #41669](https://github.com/spring-projects/spring-boot/issues/41669)). User's own exclusions would be overwritten. |
| `@EnableAutoConfiguration(exclude=...)` on plugin class | Plugin uses `@Grails` annotation, can't also use `@EnableAutoConfiguration` |
| Documentation-only (current approach) | Every user must copy 7 YAML lines; easy to miss |
| **`AutoConfigurationImportFilter`** | **✓ Runs before bytecode is loaded (faster)**<br>**✓ Cannot be overridden by user config**<br>**✓ No property merging issues**<br>**✓ Used by established libraries (Redis OM Spring, TCC Transaction)** |

### Files Changed

| File | Change |
|------|--------|
| `SecurityAutoConfigurationExcluder.groovy` | **NEW** — `AutoConfigurationImportFilter` implementation that returns `false` for the 7 conflicting auto-configurations |
| `META-INF/spring.factories` | **NEW** — Registers the filter via SPI (filters still use `spring.factories` in Spring Boot 3.x, not `.imports`) |
| `build.gradle` | Added `compileOnly 'org.springframework.boot:spring-boot-autoconfigure'` — always available at runtime in any Grails app |
| `SecurityAutoConfigurationExcluderSpec.groovy` | **NEW** — 18 Spock tests covering all exclusions, preservation of non-security configs, mixed arrays, edge cases, and `spring.factories` registration |

### Test Coverage (18 tests, all pass)

- 7 data-driven tests: each excluded auto-configuration is filtered out
- 5 data-driven tests: non-security auto-configurations pass through
- 1 test: mixed array of included/excluded classes
- 1 test: empty array
- 1 test: null metadata parameter
- 1 test: all 7 known classes present in the exclusion set
- 1 test: exclusion set is unmodifiable
- 1 test: `spring.factories` registration is correct

### Backward Compatibility

- Users who already have manual exclusions in their `application.yml` are unaffected — the filter and manual exclusions are independent mechanisms
- No behavioral change for existing functionality
- `spring-boot-autoconfigure` is added as `compileOnly` only — no new runtime dependency (it's always already present via Spring Boot starter)

## Example Application

https://github.com/jamesfredley/grails-spring-security-autoconfig-exclusion

A minimal Grails 7.0.7 app with spring-security configured (User/Role/UserRole domains, annotation-based security) that intentionally does NOT include the manual exclusions. The `/bugDemo/index` endpoint shows which auto-configuration classes are on the classpath and which beans are registered.

## Environment Information

- **Grails**: 7.0.7
- **Spring Boot**: 3.5.10
- **Groovy**: 4.0.30
- **JDK**: 17

## Version

7.0.x
