openrewrite
Recipe to address `unresolvable circular reference` upgrading to Spring Boot 2.7.18
What problem are you trying to solve?
Improve the Spring Security recipe that updates the class that extends WebSecurityConfigurerAdapter.
Sample application
The sample application is the spring-boot-blog-app. This is a fork of skarware/spring-boot-blog-app. The OpenRewrite maven plugin is defined in the pom.xml.
Branch before the upgrade:
https://github.com/nickdala/spring-boot-blog-app-java-copilot-upgrade-demo/tree/openrewrite-circular-reference-before
Branch after the upgrade using OpenRewrite
https://github.com/nickdala/spring-boot-blog-app-java-copilot-upgrade-demo/tree/openrewrite-circular-reference-after
What precondition(s) should be checked before applying this recipe?
A PasswordEncoder bean like the following defined in the class that extends WebSecurityConfigurerAdapter.
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public BCryptPasswordEncoder bcryptEncoder() {
return new BCryptPasswordEncoder();
}
}
Steps to reproduce
- Clone the repo spring-boot-blog-app-java-copilot-upgrade-demo
git clone https://github.com/nickdala/spring-boot-blog-app-java-copilot-upgrade-demo
cd spring-boot-blog-app-java-copilot-upgrade-demo
- (Optional) Open the project with VS Code and start the
Dev Container. Docker needs to be running.
code .
- Check out the branch
openrewrite-circular-reference-before
git checkout openrewrite-circular-reference-before
- Upgrade using maven
./mvnw rewrite:run
or
mvnw.cmd rewrite:run
- (Optional) Use Java 21. Below is an example of installing Java 21 using SDKMAN!. This is not optional if you're using the dev container.
sdk install java 21.0.5-tem
- Build and run the application
./mvnw clean package
./mvnw spring-boot:run
You will see the following error.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 11.282 s
[INFO] Finished at: 2025-01-15T12:39:31-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.7.18:run (default-cli) on project spring-boot-blog-app: Application finished with exit code: 1 -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Caused by: org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'webSecurityConfig': Requested bean is currently in creation: Is there an unresolvable circular reference?
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.beforeSingletonCreation(DefaultSingletonBeanRegistry.java:355) ~[spring-beans-5.3.31.jar:5.3.31]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:227) ~[spring-beans-5.3.31.jar:5.3.31]
Describe the situation after applying the recipe
Step 1:
Move the method bcryptEncoder() in WebSecurityConfig.java to a separate class to create the BCryptPasswordEncoder instance.
@Configuration
public class PasswordEncoderConfig {
@Bean
BCryptPasswordEncoder bcryptEncoder() {
return new BCryptPasswordEncoder();
}
}
Step 2:
Pass the BCryptPasswordEncoder to the configureGlobal() method in WebSecurityConfig.
@Autowired
public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder, BCryptPasswordEncoder passwordEncoder) throws Exception {
authenticationManagerBuilder
.jdbcAuthentication()
.usersByUsernameQuery(USERS_SQL_QUERY) // not really necessary, as users table follows default Spring Security User schema
.authoritiesByUsernameQuery(AUTHORITIES_SQL_QUERY) // a must as using customized authorities table, many to many variation
.dataSource(dataSource)
.passwordEncoder(passwordEncoder);
}
The complete code is in the branch openrewrite-circular-reference-after
Are you interested in [contributing this recipe to OpenRewrite]
Yes. I'm interested in collaborating with the community to verify the recipe and to ensure that we're accounting for any edge cases. Once that's done, I can lead the coding effort.
hi @nickdala ; thanks for the detailed analysis here! Help accounting for this case would indeed be appreciated. I wonder if this is perhaps best tackled with a separate ScanningRecipes that runs before WebSecurityConfigurerAdapter to move that password bean into a new configuration class, and replace the method invocation with an injected bean constructor argument. That way we can isolate this bit of logic, and it's valuable on it's own as well. @nmck257 might have some insights here as well based on his prior involvement with that Spring Security recipes.
Yeah, I believe that moving the encoder bean can happen independently of the broader WebSecurityConfigurerAdapter change, so putting it in a separate recipe feels valid.
Splitting a little further, maybe there should be:
- A reusable
Recipe/Visitorfor "prefer bean parameter injection over bean method invocation injection" - A
ScanningRecipefor "move password encoder beans to separate configuration class", which can also queue up an instance of the above visitor, configured to target this specific scenario
Or maybe the second item can even be genericized as a MoveBeanMethod recipe, with options such as bean name, bean type, declaring class, target declaring class, etc?
And maybe there are other beans besides the password encoder which might fall in this same category for the WebSecurityConfigurerAdapter?
