Bean Conflict Between webSocketAuthorizationManagerPostProcessor and objectPostProcessor in Spring Security Configuration

[waileong]

Describe the bug
The application fails to start due to a conflict between two beans required by the declare Bean SecurityFilterChain . The method expects a single bean, but two candidates are found:

1. webSocketAuthorizationManagerPostProcessor
   Defined in: WebSocketObservationConfiguration.class

2. objectPostProcessor
   Defined in: ObjectPostProcessorConfiguration.class

This conflict causes Spring to throw an error during startup, indicating an inability to resolve the ambiguity.

This issue occurs in Spring Security 6.4.2.

---

To Reproduce

1. Annotate a configuration class with @EnableWebSocketSecurity.
2. Declare the following method in your configuration class:

   @Bean
   public SecurityFilterChain customSecurityFilterChain(HttpSecurity http) throws Exception {
       // Configure security filter chain here
       return http.build();
   }
   

---

APPLICATION FAILED TO START

---

Description:

Method testSecurityFilterChain in com.example.springsecurityobjectpostprocessorconflict.TestSecurityConfig required a single bean, but 2 were found:
	- webSocketAuthorizationManagerPostProcessor: defined by method 'webSocketAuthorizationManagerPostProcessor' in class path resource [org/springframework/security/config/annotation/web/socket/WebSocketObservationConfiguration.class]
	- objectPostProcessor: defined by method 'objectPostProcessor' in class path resource [org/springframework/security/config/annotation/configuration/ObjectPostProcessorConfiguration.class]
	

Expected behavior
The application should start successfully without bean injection conflicts.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

[kalgon]

I have the same problem but the description is a bit different (it complains on WebSecurityConfiguration.setFilterChains()):

***************************
APPLICATION FAILED TO START
***************************

Description:

Parameter 0 of method setFilterChains in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a single bean, but 2 were found:
	- objectPostProcessor: defined by method 'objectPostProcessor' in class path resource [org/springframework/security/config/annotation/configuration/ObjectPostProcessorConfiguration.class]
	- webSocketAuthorizationManagerPostProcessor: defined by method 'webSocketAuthorizationManagerPostProcessor' in class path resource [org/springframework/security/config/annotation/web/socket/WebSocketObservationConfiguration.class]

This may be due to missing parameter name information

[vitalii-crm]

Any solution for this? In version 6.4.1, these two beans were also creating but did not cause such an exception.

[gncj]

@kalgon Same here with versions:

• spring boot: 3.4.1
• spring security: 6.4.2

***************************
APPLICATION FAILED TO START
***************************

Description:

Parameter 0 of method setFilterChains in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a single bean, but 2 were found:
	- objectPostProcessor: defined by method 'objectPostProcessor' in class path resource [org/springframework/security/config/annotation/configuration/ObjectPostProcessorConfiguration.class]
	- webSocketAuthorizationManagerPostProcessor: defined by method 'webSocketAuthorizationManagerPostProcessor' in class path resource [org/springframework/security/config/annotation/web/socket/WebSocketObservationConfiguration.class]

This may be due to missing parameter name information

Action:

Consider marking one of the beans as @Primary, updating the consumer to accept multiple beans, or using @Qualifier to identify the bean that should be consumed

[vitalii-crm]

@ngocnhan-tran1996 could you assist in this issue. hope it's after your changes #16113

[tomaszbadon]

Is there any known workaround for this issue?