[
https://issues.apache.org/jira/browse/SHIRO-743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17091231#comment-17091231
]
Chris Poulsen commented on SHIRO-743:
-------------------------------------
I've decided to remove shiro from our stack, so I'm not interesting in pursuing
this further. I guess a simple example is hard, as you would need multiple
"somewhat" complex things using post processors in play to illustrate this.
However eliminating all the early initialization warnings would probably fix
everything, as all post processors would have a chance to perform their tasks
before the application is setup (If I switch our app configuration to use the
spring security / keycloak profile, all the warnings go away).
I did dig a little deeper into the spring configurations, It seems like most of
the shiro beans are being forced into existence way earlier than necessary.
Some of the integration points between shiro and the application (db access
etc.) leads to the early initialization cascading out into application beans in
order for spring to be able to wire up the shiro bits properly. Too early
initialization of beans leads to some BeanPostProcessors not being setup
(jcache and propably many others) and have their chance to do their work on
some of those early initialized beans.
There are several usages BeanPostProcessors in the shiro code that I guess is
the main cause of this. It seems like shiro integration is (mis)using the post
processors to perform things like "collect all beans implementing Filter"
(happens in the BeanFactory mentioned in SHIRO-434) - Injecting a collection of
beans by type, is one of the features that spring supports out of the box, so
using a post processor for this, is probably asking for trouble.
There were also some processors that seem to attempt to wire up the EventBus
mechanism, again I would not expect this to be a job that requires post
processors - Spring has built in pub/sub functionality and beans requiring the
event bus, could simply declare it be injected, if one is not building on the
event mechanism in spring.
Generally speaking @Configuration classes should use static @Bean builders if
possible to allow spring to instantiate just the processors early and not
everything else that also is declared in there. There is some abstract config
super class that declares some of the post processors in a non-static way.
The more I dug into the shiro / spring integration the more worried I got, it
seems like the spring integration is overly complicated and using things like
the post processors to perform dependency injection is probably one of the root
causes for the subtle issues we are experiencing.
I was able to reduce the "not eligible for all postprocessors" warnings to some
degree, but at that point I had overwritten way too much of the shiro classes
without getting close to eliminating all the early initialization. (our app
went from 175 early init warnings to 72 before I stopped).
We are slowly in the process of moving all our authentication to a setup using
a dedicated OIDC server for all our products and installations, so I've decided
to add a simple spring security replacement for our shiro stuff - hoping that
the spring security people are able to use the spring container without the
same level of risk of breaking stuff other places in our apps, until we're
fully away from doing our own login pages, db checks etc.
> Spring bean post processing mishap
> ----------------------------------
>
> Key: SHIRO-743
> URL: https://issues.apache.org/jira/browse/SHIRO-743
> Project: Shiro
> Issue Type: Improvement
> Components: Integration: Spring, Realms , Web
> Affects Versions: 1.5.1
> Environment: Simple Spring Boot app (created with initializr). Added
> `org.apache.shiro:shiro-spring-boot-web-starter` dependency and created an
> simple realm.
> Reporter: Christian
> Assignee: Brian Demers
> Priority: Minor
>
> When starting the spring boot application you'll get an myriad of log
> messages from spring that some beans (most of them are shiro related) are not
> eligable for some bean post processors, log below.
> It seems like shiro is creating some configuration classes too early in the
> process while also requiring other beans. Maybe this is related to this
> issue: SHIRO-434
> This is not an show stopper, but it may cause some issues in the long term
> and the logs are not very pleasing when deploying such an application in
> production.
>
> {code:java}
> 2020-02-25 10:21:20.295 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean
> 'org.apache.shiro.spring.boot.autoconfigure.ShiroBeanAutoConfiguration' of
> type
> [org.apache.shiro.spring.boot.autoconfigure.ShiroBeanAutoConfiguration$$EnhancerBySpringCGLIB$$abf7113c]
> is not eligible for getting processed by all BeanPostProcessors (for
> example: not eligible for auto-proxying)
> 2020-02-25 10:21:20.393 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean
> 'org.apache.shiro.spring.boot.autoconfigure.ShiroAnnotationProcessorAutoConfiguration'
> of type
> [org.apache.shiro.spring.boot.autoconfigure.ShiroAnnotationProcessorAutoConfiguration$$EnhancerBySpringCGLIB$$ae8a4fe1]
> is not eligible for getting processed by all BeanPostProcessors (for
> example: not eligible for auto-proxying)
> 2020-02-25 10:21:20.520 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean
> 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration'
> of type
> [org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration]
> is not eligible for getting processed by all BeanPostProcessors (for
> example: not eligible for auto-proxying)
> 2020-02-25 10:21:20.576 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'eventBus' of type
> [org.apache.shiro.event.support.DefaultEventBus] is not eligible for getting
> processed by all BeanPostProcessors (for example: not eligible for
> auto-proxying)
> 2020-02-25 10:21:20.705 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean
> 'org.apache.shiro.spring.config.web.autoconfigure.ShiroWebAutoConfiguration'
> of type
> [org.apache.shiro.spring.config.web.autoconfigure.ShiroWebAutoConfiguration$$EnhancerBySpringCGLIB$$d09371a6]
> is not eligible for getting processed by all BeanPostProcessors (for
> example: not eligible for auto-proxying)
> 2020-02-25 10:21:20.708 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'testRealm' of type
> [com.example.demo.TestRealm] is not eligible for getting processed by all
> BeanPostProcessors (for example: not eligible for auto-proxying)
> 2020-02-25 10:21:20.871 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'sessionStorageEvaluator' of
> type [org.apache.shiro.web.mgt.DefaultWebSessionStorageEvaluator] is not
> eligible for getting processed by all BeanPostProcessors (for example: not
> eligible for auto-proxying)
> 2020-02-25 10:21:20.872 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'subjectDAO' of type
> [org.apache.shiro.mgt.DefaultSubjectDAO] is not eligible for getting
> processed by all BeanPostProcessors (for example: not eligible for
> auto-proxying)
> 2020-02-25 10:21:20.874 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'subjectFactory' of type
> [org.apache.shiro.web.mgt.DefaultWebSubjectFactory] is not eligible for
> getting processed by all BeanPostProcessors (for example: not eligible for
> auto-proxying)
> 2020-02-25 10:21:20.877 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'rememberMeCookieTemplate' of
> type [org.apache.shiro.web.servlet.SimpleCookie] is not eligible for getting
> processed by all BeanPostProcessors (for example: not eligible for
> auto-proxying)
> 2020-02-25 10:21:20.882 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'rememberMeManager' of type
> [org.apache.shiro.web.mgt.CookieRememberMeManager] is not eligible for
> getting processed by all BeanPostProcessors (for example: not eligible for
> auto-proxying)
> 2020-02-25 10:21:20.885 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'authenticationStrategy' of
> type [org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy] is not
> eligible for getting processed by all BeanPostProcessors (for example: not
> eligible for auto-proxying)
> 2020-02-25 10:21:20.886 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'authenticator' of type
> [org.apache.shiro.authc.pam.ModularRealmAuthenticator] is not eligible for
> getting processed by all BeanPostProcessors (for example: not eligible for
> auto-proxying)
> 2020-02-25 10:21:20.888 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'authorizer' of type
> [org.apache.shiro.authz.ModularRealmAuthorizer] is not eligible for getting
> processed by all BeanPostProcessors (for example: not eligible for
> auto-proxying)
> 2020-02-25 10:21:20.890 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'sessionManager' of type
> [org.apache.shiro.web.session.mgt.ServletContainerSessionManager] is not
> eligible for getting processed by all BeanPostProcessors (for example: not
> eligible for auto-proxying)
> 2020-02-25 10:21:20.893 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'securityManager' of type
> [org.apache.shiro.web.mgt.DefaultWebSecurityManager] is not eligible for
> getting processed by all BeanPostProcessors (for example: not eligible for
> auto-proxying)
> 2020-02-25 10:21:20.929 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean
> 'authorizationAttributeSourceAdvisor' of type
> [org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor]
> is not eligible for getting processed by all BeanPostProcessors (for
> example: not eligible for auto-proxying)
> 2020-02-25 10:21:20.936 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'shiroFilterChainDefinition'
> of type
> [org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition] is not
> eligible for getting processed by all BeanPostProcessors (for example: not
> eligible for auto-proxying)
> 2020-02-25 10:21:20.942 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'requestContextFilter' of
> type
> [org.springframework.boot.web.servlet.filter.OrderedRequestContextFilter] is
> not eligible for getting processed by all BeanPostProcessors (for example:
> not eligible for auto-proxying)
> 2020-02-25 10:21:20.953 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean
> 'org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration'
> of type
> [org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration]
> is not eligible for getting processed by all BeanPostProcessors (for example:
> not eligible for auto-proxying)
> 2020-02-25 10:21:20.962 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'formContentFilter' of type
> [org.springframework.boot.web.servlet.filter.OrderedFormContentFilter] is not
> eligible for getting processed by all BeanPostProcessors (for example: not
> eligible for auto-proxying)
> 2020-02-25 10:21:20.993 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean
> 'spring.http-org.springframework.boot.autoconfigure.http.HttpProperties' of
> type [org.springframework.boot.autoconfigure.http.HttpProperties] is not
> eligible for getting processed by all BeanPostProcessors (for example: not
> eligible for auto-proxying)
> 2020-02-25 10:21:20.995 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean
> 'org.springframework.boot.autoconfigure.web.servlet.HttpEncodingAutoConfiguration'
> of type
> [org.springframework.boot.autoconfigure.web.servlet.HttpEncodingAutoConfiguration]
> is not eligible for getting processed by all BeanPostProcessors (for
> example: not eligible for auto-proxying)
> 2020-02-25 10:21:20.997 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean 'characterEncodingFilter' of
> type
> [org.springframework.boot.web.servlet.filter.OrderedCharacterEncodingFilter]
> is not eligible for getting processed by all BeanPostProcessors (for example:
> not eligible for auto-proxying)
> 2020-02-25 10:21:21.008 INFO 22753 — [ main]
> trationDelegate$BeanPostProcessorChecker : Bean
> 'org.apache.shiro.spring.config.web.autoconfigure.ShiroWebFilterConfiguration'
> of type
> [org.apache.shiro.spring.config.web.autoconfigure.ShiroWebFilterConfiguration$$EnhancerBySpringCGLIB$$2fdd6dd]
> is not eligible for getting processed by all BeanPostProcessors (for
> example: not eligible for auto-proxying){code}
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
