An unexpected dependency appeared for spring-security-config of spring-security-web

[me0x847206]

Describe the bug
I have a project which depends on the following spring security module:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>

That project didn't need the spring-security-web library at all.

And suddenly, when I migrated project to the 7.0.0 version of spring framework, it started to fail with the following error:

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.web.servlet.HandlerExceptionResolver]: Factory method 'handlerExceptionResolver' threw exception with message: org/springframework/security/web/util/ThrowableAnalyzer
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:183)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:72)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:152)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
	... 48 more
Caused by: java.lang.NoClassDefFoundError: org/springframework/security/web/util/ThrowableAnalyzer
	at org.springframework.security.config.annotation.method.configuration.AuthorizationProxyWebConfiguration$AccessDeniedExceptionResolver.<init>(AuthorizationProxyWebConfiguration.java:96)
	at org.springframework.security.config.annotation.method.configuration.AuthorizationProxyWebConfiguration.extendHandlerExceptionResolvers(AuthorizationProxyWebConfiguration.java:59)
	at org.springframework.web.servlet.config.annotation.WebMvcConfigurerComposite.extendHandlerExceptionResolvers(WebMvcConfigurerComposite.java:179)
	at org.springframework.web.servlet.config.annotation.DelegatingWebMvcConfiguration.extendHandlerExceptionResolvers(DelegatingWebMvcConfiguration.java:150)
	at org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport.handlerExceptionResolver(WebMvcConfigurationSupport.java:989)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:155)
	... 51 more
Caused by: java.lang.ClassNotFoundException: org.springframework.security.web.util.ThrowableAnalyzer
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:580)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:490)
	... 59 more

To Reproduce
no response

Expected behavior
I would really want to prevent adding the spring-security-web dependency for my project because of one single import line.

Sample
no response

[me0x847206]

CONTEXT

Actual change:

• line number 34 of the Propagate AccessDeniedException for Authorized Objects Returned from a Controller change.

Which was a fix for the following issue:

• Exceptions for Authorized Objects should propagate when returned from a Controller

[jzheaux]

Thanks, @me0x847206 for the report. I think the check in MethodSecuritySelector can be improved to confirm that spring-security-web is on the classpath before adding AuthorizationWebProxyConfiguration, which requires it.

[me0x847206]

Hi @jzheaux ,

Thanks for quick action.

Feel free )) to ignore my concern, but I wonder if the provided fix doesn't ignore/exclude method level security for web applications at all when the spring-security-web library is not on the class-path.

In my specific case, the project I referred to, a pure web project which uses method level security but which doesn't use any functionality from the spring-security-web library. Would such a project be negatively affected in a way?