
Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12490

@rschlick


Describe the bug

Open Telemetry Java Agent version 1.21 doesn't like the instrument names produced by Spring Security 6.0 (from class ObservationFilterChainDecorator).

Here is the WARNING log:

WARN io.opentelemetry.ApiUsageLogging - Instrument name "spring.security.filterchains.DisableEncodeUrlFilter before" is invalid, returning noop instrument. Instrument names must consist of 63 or fewer characters including alphanumeric, _, ., -, and start with a letter.

The instrument name is produced by Spring Security here:

parent.before().event(Observation.Event.of(this.name + " before"));


I think this instrument name with a space in it is not correct in terms of good naming conventions or standards.

A bug ticket was opened in the GitHub of the Open Telemetry Java Agent project: open-telemetry/opentelemetry-java-instrumentation#7448

They answered that the fix should be done in Spring Security project.

They believe:

that this sort of naming pattern (whitespaces) might not be accepted by at least some of the monitoring systems supported by Micrometer; it's not just OpenTelemetry that'll trip on this.

To Reproduce
Using a simple Spring Boot 3.0.1 project with Kotlin 1.7, JDK 17, Spring Boot 3.0.1, Spring Security 6.0 and Maven.
Using Open Telemetry Java Agent v1.21.
The application is running in a Docker container, but you can reproduce the problem with java -javaagent:opentelemetry-javaagent-all.jar -jar springboot.jar

Dockerfile:

ARG OPENJDK_IMAGE=openjdk:17-slim-bullseye
ARG USER=app
ARG WORKDIR=/app
ARG OPENTELEMETRY_VERSION=1.21.0
ARG OPENTELEMETRY_REPO="https://github.com/open-telemetry/opentelemetry-java-instrumentation"
ARG OPENTELEMETRY_JAR_PATH="/releases/download/v${OPENTELEMETRY_VERSION}/opentelemetry-javaagent.jar"
ARG OPENTELEMETRY_JAR=opentelemetry-javaagent-all.jar

# Build
FROM busybox:stable AS builder

ARG USER
ARG WORKDIR
ARG OPENTELEMETRY_REPO
ARG OPENTELEMETRY_JAR_PATH
ARG OPENTELEMETRY_JAR

RUN addgroup ${USER} \
    && adduser -D -H -G ${USER} ${USER}

WORKDIR ${WORKDIR}

RUN wget -O ${OPENTELEMETRY_JAR} ${OPENTELEMETRY_REPO}${OPENTELEMETRY_JAR_PATH}

# Main
FROM ${OPENJDK_IMAGE}

ARG USER
ARG WORKDIR
ARG OPENTELEMETRY_JAR

COPY --from=builder /etc/group /etc/group
COPY --from=builder /etc/passwd /etc/passwd

USER ${USER}:${USER}
WORKDIR ${WORKDIR}

ENV JAVA_TOOL_OPTIONS=-javaagent:${OPENTELEMETRY_JAR}
COPY --from=builder ${WORKDIR} .

Expected behavior

The expected behaviour is that Open Telemetry Java Agent doesn't create WARNING logs about Spring Security instrument names.
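
A check for the naming rule quoted in the warning above, as an added example that is not part of the original issue or of Spring Security's or OpenTelemetry's code. The class name, the `normalize` helper and the second and third sample names are assumptions made for illustration; `normalize` is one possible rewrite, not the fix either project adopted.

```java
import java.util.List;
import java.util.regex.Pattern;

public class InstrumentNameCheck {

    // Rule as stated in the warning: 63 or fewer characters,
    // alphanumeric plus '_', '.', '-', and starting with a letter.
    private static final Pattern VALID =
            Pattern.compile("[A-Za-z][A-Za-z0-9_.\\-]{0,62}");

    static boolean isValid(String name) {
        return name != null && VALID.matcher(name).matches();
    }

    // Hypothetical normalization: collapse every run of disallowed
    // characters (the space in "... before") into a single dot, drop
    // anything before the first letter, and cap the length at 63.
    // The result can still be invalid (for example empty), so callers
    // re-check it with isValid().
    static String normalize(String name) {
        String s = name.trim().replaceAll("[^A-Za-z0-9_.\\-]+", ".");
        s = s.replaceAll("^[^A-Za-z]+", "");
        return s.length() > 63 ? s.substring(0, 63) : s;
    }

    public static void main(String[] args) {
        List<String> names = List.of(
                // name taken from the warning in this issue
                "spring.security.filterchains.DisableEncodeUrlFilter before",
                // constructed sample names
                "spring.security.filterchains.DisableEncodeUrlFilter after",
                "spring.security.filterchains");

        for (String name : names) {
            String fixed = normalize(name);
            System.out.printf("%-60s valid=%-5b normalized=%s (valid=%b)%n",
                    "\"" + name + "\"", isValid(name), fixed, isValid(fixed));
        }
    }
}
```

Run against the names an application emits (for example in a unit test), a check like this flags names that the agent would replace with a noop instrument before they reach production telemetry.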

Labels: in: web (An issue in web modules (web, webmvc)); type: bug (A general bug)