Description
As part of our Spring efficiency effort, we have recently migrated almost all @Confguration in Spring Framework 5.2 and Spring Boot 2.2 to be usable without CGLIB proxies. It would be great for end users and consistent from a portfolio perspective if Spring Security 5.2 could do the same.
This Spring Framework commit introduced a new proxyBeanMethods boolean attribute on @Configuration that when set to false avoid to create a CGLIB proxy for configuration classes. To be able to use this new capability you "just" have to replace eventual @Bean method invocations that where relying on CGLIB by explicit method parameter that will be injected without proxy.
@bclozel did that work on Spring MVC and Spring WebFlux configuration via this commit. You can also take inspiration from Spring Boot autoconfigurations which have been almost all updated with @Configuration(proxyBeanMethods = false). As a bonus, this would make Spring Security configurations GraalVM native image friendly for free ;-)
A possible process is to manually look through each @Configuration annotated class, do a "find usage" on each @Bean annotated method, replace invocation by parameter injection, and turn each @Configuration to @Configuration(proxyBeanMethods = false). Notice that if you need more flexibility with the bean retrieved, you can leverage ObjectProvider<Foo> parameters like that.
Side notes: I found #6613 on a connected topic, but targeting Spring Security 6.0 which will be too late for what is discussed here. Notice also that we took the decision to do breaking changes to Spring MVC and WebFlux configuration classes given the fact this topic is high priority for the Spring Boot 2.2 release train.