Skip to content

fix: register RequestUtil as a component for non-Boot Spring scans#24797

Open
totally-not-ai[bot] wants to merge 3 commits into
mainfrom
fix/request-util-component-annotation
Open

fix: register RequestUtil as a component for non-Boot Spring scans#24797
totally-not-ai[bot] wants to merge 3 commits into
mainfrom
fix/request-util-component-annotation

Conversation

@totally-not-ai

@totally-not-ai totally-not-ai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Annotate RequestUtil with @component so that applications relying on a
plain package scan of com.vaadin.flow.spring (e.g. Spring MVC apps that
set up the SpringServlet via a WebMvcConfigurer rather than the Spring
Boot auto-configuration) can find the bean. This mirrors the existing
VaadinDefaultRequestCache, which is both @Component-annotated and exposed
as a @bean from SpringSecurityAutoConfiguration.

Fixes #24796

@totally-not-ai
fix: register RequestUtil as a component for non-Boot Spring scans
480755d 
Annotate RequestUtil with @component so that applications relying on a
plain package scan of com.vaadin.flow.spring (e.g. Spring MVC apps that
set up the SpringServlet via a WebMvcConfigurer rather than the Spring
Boot auto-configuration) can find the bean. This mirrors the existing
VaadinDefaultRequestCache, which is both @Component-annotated and exposed
as a @bean from SpringSecurityAutoConfiguration.

Fixes #24796
@Artur- Artur- requested a review from heruan June 24, 2026 14:14
@mcollovati

mcollovati commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

IIRC we avoid using @Component to expose beans in favor of configuration classes.
@Component annotations are mostly used in applications rather than libraries.

But @heruan can for sure provide better insights.

@totally-not-ai
refactor: expose RequestUtil through a configuration class
2ba22ae 
Replace the @component annotation on RequestUtil with a dedicated
RequestUtilConfiguration @configuration class, following the convention
of exposing library beans through configuration classes rather than
stereotype annotations.

A plain component scan of com.vaadin.flow.spring does not pick up
SpringSecurityAutoConfiguration, since auto-configuration classes are
discovered through the auto-configuration imports mechanism instead. The
new configuration class is a regular component-scannable @configuration,
so applications relying on such a scan (for example a Spring MVC app that
registers the SpringServlet itself) get the RequestUtil bean. Both bean
definitions are now @ConditionalOnMissingBean so exactly one RequestUtil
is created when the configuration class and the auto-configuration are
both present.
@github-actions

github-actions Bot commented Jun 24, 2026
edited
Loading

Copy link
Copy Markdown

Test Results

 1 453 files  ±0   1 453 suites  ±0   1h 26m 23s ⏱️ +6s
10 269 tests ±0  10 201 ✅ ±0  68 💤 ±0  0 ❌ ±0 
10 741 runs  ±0  10 672 ✅ ±0  69 💤 ±0  0 ❌ ±0 

Results for commit 2897758. ± Comparison against base commit fa16077.

♻️ This comment has been updated with latest results.

@totally-not-ai
docs: clarify SpringSecurityAutoConfiguration dependency requirement
2897758 
The Flow Spring Security beans (including RequestUtil) are only created
when spring-security-config is on the classpath, because the
configuration is gated by @ConditionalOnClass(WebSecurityCustomizer.class).
That dependency is optional in the Vaadin Spring support, so a project
that misses it silently gets none of these beans.

Document this on the class, and explain that non-Boot applications which
do not use the auto-configuration import mechanism should register the
configuration explicitly (for example via @import) rather than relying on
a plain component scan.

This reverts the earlier attempt to expose RequestUtil through a
component/configuration class, which is unnecessary once the required
dependency is present.
@totally-not-ai

totally-not-ai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

Updated based on the findings in #24796: the root cause isn't a missing bean registration. SpringSecurityAutoConfiguration is gated by @ConditionalOnClass(WebSecurityCustomizer.class), and spring-security-config is an optional dependency of vaadin-spring — when it's absent the whole configuration (including RequestUtil) is silently skipped. With that dependency present, a regular component scan or @Import(SpringSecurityAutoConfiguration.class) already works, so no bean-exposure change is needed.

Accordingly I reverted the @Component/configuration-class approach and reduced this PR to documenting the requirement on SpringSecurityAutoConfiguration: the security beans need spring-security-config on the classpath, and non-Boot applications (which don't use the auto-configuration import mechanism) should register the class explicitly rather than rely on a plain component scan.

@sonarqubecloud

sonarqubecloud Bot commented Jun 24, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@heruan heruan Awaiting requested review from heruan

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

+0.0.1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

vaadin-spring: missing @Component annotation

1 participant

@mcollovati