Michal Dvorak (Migrated from SEC-1593) said:
While it works fine in 3.0.3, with 3.1.0.M1, all beans referenced by security namespace are initialized before custom BeanPostProcessor are run. Tested on provider and entrypoint, but i assume its general problem.
Michal Dvorak said:
In short my config was
<security:http security="none" pattern="/resources/"/>
<security:http security="none" pattern="/static/"/>
<security:http access-denied-page="/static/error.html" entry-point-ref="entryPoint">
<security:custom-filter position="FORM_LOGIN_FILTER" ref="passwordAuthenticationFilter"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>
<security:logout logout-url="/logout/do" success-handler-ref="logoutSuccessHandler" invalidate-session="true"/>
Luke Taylor said:
Sorry, but I can't reproduce this. Both my custom AuthenticationEntryPoint and AuthenticationProvider are successfully post-processed in testing.
Could you provide a test case which reproduces the issue?
hmm, i failed to reproduce it on dummy project too. It may be some combination of libraries i use - it still happens on "full project". When i hit the time i'll need to upgrade spring security, i will investigate it further, and possibly ask to reopen this.
Thank you for your efforts, i'm just trying to make this great library better ;)
Thanks for the update. Let us know what you come up with. In the meantime, I'll keep a lookout for over-eager initialization issues.