Error on project start after migration to Jmix 2.6.0

Congrats.

I have migrated my composite project but getting the following errors after migration:

2025-07-03T01:27:14.543+06:00  INFO 2066 --- [           main] o.s.s.quartz.LocalDataSourceJobStore     : JobStoreCMT initialized.
2025-07-03T01:27:14.543+06:00  INFO 2066 --- [           main] org.quartz.core.QuartzScheduler          : Scheduler meta-data: Quartz Scheduler (v2.5.0) 'quartzScheduler' with instanceId 'NON_CLUSTERED'
  Scheduler class: 'org.quartz.core.QuartzScheduler' - running locally.
  NOT STARTED.
  Currently in standby mode.
  Number of jobs executed: 0
  Using thread pool 'org.quartz.simpl.SimpleThreadPool' - with 10 threads.
  Using job-store 'org.springframework.scheduling.quartz.LocalDataSourceJobStore' - which supports persistence. and is not clustered.

2025-07-03T01:27:14.543+06:00  INFO 2066 --- [           main] org.quartz.impl.StdSchedulerFactory      : Quartz scheduler 'quartzScheduler' initialized from an externally provided properties instance.
2025-07-03T01:27:14.543+06:00  INFO 2066 --- [           main] org.quartz.impl.StdSchedulerFactory      : Quartz scheduler version: 2.5.0
2025-07-03T01:27:14.543+06:00  INFO 2066 --- [           main] org.quartz.core.QuartzScheduler          : JobFactory set to: org.springframework.scheduling.quartz.SpringBeanJobFactory@778ad9b4
2025-07-03T01:27:14.612+06:00  INFO 2066 --- [           main] eclipselink.logging.all                  : EclipseLink, version: Eclipse Persistence Services - 4.0.6-2-jmix.v202506091129-92af6dc76d89b52ba99c91a8aff1809612ae7fd7
2025-07-03T01:27:15.132+06:00  INFO 2066 --- [           main] r$InitializeUserDetailsManagerConfigurer : Global AuthenticationManager configured with UserDetailsService bean with name main_UserRepository
2025-07-03T01:27:15.589+06:00  WARN 2066 --- [           main] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/VAADIN/push/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2025-07-03T01:27:15.592+06:00  WARN 2066 --- [           main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain': Cannot create inner bean '(inner bean)#2c7abf88' of type [org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$CompositeFilterChainProxy] while setting constructor argument with key [1]
2025-07-03T01:27:15.594+06:00  INFO 2066 --- [           main] o.s.s.quartz.SchedulerFactoryBean        : Shutting down Quartz Scheduler
2025-07-03T01:27:15.594+06:00  INFO 2066 --- [           main] org.quartz.core.QuartzScheduler          : Scheduler quartzScheduler_$_NON_CLUSTERED shutting down.
2025-07-03T01:27:15.594+06:00  INFO 2066 --- [           main] org.quartz.core.QuartzScheduler          : Scheduler quartzScheduler_$_NON_CLUSTERED paused.
2025-07-03T01:27:15.594+06:00  INFO 2066 --- [           main] org.quartz.core.QuartzScheduler          : Scheduler quartzScheduler_$_NON_CLUSTERED shutdown complete.
2025-07-03T01:27:15.602+06:00  INFO 2066 --- [           main] com.inteacc.main.InteaccApplication$1    : Closing JPA EntityManagerFactory for persistence unit 'main'
2025-07-03T01:27:15.603+06:00  INFO 2066 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Shutdown initiated...
2025-07-03T01:27:15.604+06:00  INFO 2066 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Shutdown completed.
2025-07-03T01:27:15.605+06:00  INFO 2066 --- [           main] o.apache.catalina.core.StandardService   : Stopping service [Tomcat]
2025-07-03T01:27:15.607+06:00  WARN 2066 --- [           main] o.a.c.loader.WebappClassLoaderBase       : The web application [ROOT] appears to have started a thread named [JNA Cleaner] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.base@17.0.14/java.lang.Object.wait(Native Method)
 java.base@17.0.14/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:155)
 app//com.sun.jna.internal.Cleaner$CleanerThread.run(Cleaner.java:154)
2025-07-03T01:27:15.607+06:00  WARN 2066 --- [           main] o.a.c.loader.WebappClassLoaderBase       : The web application [ROOT] appears to have started a thread named [vaadin-dev-server-1] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.base@17.0.14/java.util.zip.Inflater.inflateBytesBytes(Native Method)
 java.base@17.0.14/java.util.zip.Inflater.inflate(Inflater.java:378)
 java.base@17.0.14/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:152)
 java.base@17.0.14/jdk.internal.loader.Resource.getBytes(Resource.java:126)
 java.base@17.0.14/jdk.internal.loader.URLClassPath$JarLoader$2.getBytes(URLClassPath.java:895)
 java.base@17.0.14/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:859)
 java.base@17.0.14/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)
 java.base@17.0.14/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)
 java.base@17.0.14/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)
 java.base@17.0.14/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
 java.base@17.0.14/java.lang.ClassLoader.loadClass(ClassLoader.java:525)
 app//ch.qos.logback.classic.spi.ThrowableProxy.<init>(ThrowableProxy.java:68)
 app//ch.qos.logback.classic.spi.ThrowableProxy.<init>(ThrowableProxy.java:51)
 app//ch.qos.logback.classic.spi.LoggingEvent.<init>(LoggingEvent.java:145)
 app//ch.qos.logback.classic.Logger.buildLoggingEventAndAppend(Logger.java:424)
 app//ch.qos.logback.classic.Logger.filterAndLog_2(Logger.java:419)
 app//ch.qos.logback.classic.Logger.error(Logger.java:535)
 app//com.vaadin.flow.server.frontend.TaskRunNpmInstall.runNpmInstall(TaskRunNpmInstall.java:342)
 app//com.vaadin.flow.server.frontend.TaskRunNpmInstall.execute(TaskRunNpmInstall.java:115)
 app//com.vaadin.flow.server.frontend.NodeTasks.execute(NodeTasks.java:345)
 app//com.vaadin.base.devserver.startup.DevModeInitializer.runNodeTasks(DevModeInitializer.java:404)
 app//com.vaadin.base.devserver.startup.DevModeInitializer.lambda$initDevModeHandler$0(DevModeInitializer.java:338)
 app//com.vaadin.base.devserver.startup.DevModeInitializer$$Lambda$1423/0x0000007801ea0000.run(Unknown Source)
 java.base@17.0.14/java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1804)
 java.base@17.0.14/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
 java.base@17.0.14/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
 java.base@17.0.14/java.lang.Thread.run(Thread.java:840)
2025-07-03T01:27:15.607+06:00  WARN 2066 --- [           main] o.a.c.loader.WebappClassLoaderBase       : The web application [ROOT] appears to have started a thread named [vaadin-dev-server-2] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.base@17.0.14/jdk.internal.misc.Unsafe.park(Native Method)
 java.base@17.0.14/java.util.concurrent.locks.LockSupport.park(LockSupport.java:211)
 java.base@17.0.14/java.util.concurrent.CompletableFuture$Signaller.block(CompletableFuture.java:1864)
 java.base@17.0.14/java.util.concurrent.ForkJoinPool.unmanagedBlock(ForkJoinPool.java:3465)
 java.base@17.0.14/java.util.concurrent.ForkJoinPool.managedBlock(ForkJoinPool.java:3436)
 java.base@17.0.14/java.util.concurrent.CompletableFuture.waitingGet(CompletableFuture.java:1898)
 java.base@17.0.14/java.util.concurrent.CompletableFuture.join(CompletableFuture.java:2117)
 app//com.vaadin.base.devserver.DevBundleBuildingHandler.waitForDevBundle(DevBundleBuildingHandler.java:105)
 app//com.vaadin.base.devserver.DevModeHandlerManagerImpl.lambda$initDevModeHandler$0(DevModeHandlerManagerImpl.java:113)
 app//com.vaadin.base.devserver.DevModeHandlerManagerImpl$$Lambda$1424/0x0000007801ea0490.run(Unknown Source)
 java.base@17.0.14/java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1804)
 java.base@17.0.14/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
 java.base@17.0.14/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
 java.base@17.0.14/java.lang.Thread.run(Thread.java:840)
2025-07-03T01:27:15.606+06:00 ERROR 2066 --- [in-dev-server-1] c.v.f.s.frontend.TaskUpdatePackages      : Error when running `npm install`

java.lang.InterruptedException: null
	at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:386) ~[na:na]
	at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2073) ~[na:na]
	at com.vaadin.flow.server.frontend.TaskRunNpmInstall.consumeProcessOutput(TaskRunNpmInstall.java:423) ~[flow-server-24.7.5.jar:24.7.5]
	at com.vaadin.flow.server.frontend.TaskRunNpmInstall.runNpmInstall(TaskRunNpmInstall.java:318) ~[flow-server-24.7.5.jar:24.7.5]
	at com.vaadin.flow.server.frontend.TaskRunNpmInstall.execute(TaskRunNpmInstall.java:115) ~[flow-server-24.7.5.jar:24.7.5]
	at com.vaadin.flow.server.frontend.NodeTasks.execute(NodeTasks.java:345) ~[flow-server-24.7.5.jar:24.7.5]
	at com.vaadin.base.devserver.startup.DevModeInitializer.runNodeTasks(DevModeInitializer.java:404) ~[vaadin-dev-server-24.7.5.jar:na]
	at com.vaadin.base.devserver.startup.DevModeInitializer.lambda$initDevModeHandler$0(DevModeInitializer.java:338) ~[vaadin-dev-server-24.7.5.jar:na]
	at java.base/java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1804) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:840) ~[na:na]

2025-07-03T01:27:15.612+06:00  INFO 2066 --- [           main] .s.b.a.l.ConditionEvaluationReportLogger : 

Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
2025-07-03T01:27:15.621+06:00 ERROR 2066 --- [           main] o.s.boot.SpringApplication               : Application run failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain': Cannot create inner bean '(inner bean)#2c7abf88' of type [org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$CompositeFilterChainProxy] while setting constructor argument with key [1]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBeanValue(BeanDefinitionValueResolver.java:421) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.lambda$resolveValueIfNecessary$1(BeanDefinitionValueResolver.java:153) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:262) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:152) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:460) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:191) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:691) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:206) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1395) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1232) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:315) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1222) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1188) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1123) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:987) ~[spring-context-6.2.7.jar:6.2.7]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627) ~[spring-context-6.2.7.jar:6.2.7]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.5.0.jar:3.5.0]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:753) ~[spring-boot-3.5.0.jar:3.5.0]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:439) ~[spring-boot-3.5.0.jar:3.5.0]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:318) ~[spring-boot-3.5.0.jar:3.5.0]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1362) ~[spring-boot-3.5.0.jar:3.5.0]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1351) ~[spring-boot-3.5.0.jar:3.5.0]
	at com.inteacc.main.InteaccApplication.main(InteaccApplication.java:65) ~[main/:na]
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#2c7abf88': Cannot create inner bean '(inner bean)#2aa580dc' while setting constructor argument with key [1]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBeanValue(BeanDefinitionValueResolver.java:421) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.lambda$resolveValueIfNecessary$1(BeanDefinitionValueResolver.java:153) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:262) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:152) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:460) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:191) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:691) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:206) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1395) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1232) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBeanValue(BeanDefinitionValueResolver.java:407) ~[spring-beans-6.2.7.jar:6.2.7]
	... 29 common frames omitted
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#2aa580dc' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Failed to instantiate [jakarta.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception with message: The FilterChainProxy contains two filter chains using the matcher Or [Or [Or [Ant [pattern='/rest/**']]], Or [Or [Ant [pattern='/sso/callback/**']]]]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBeanValue(BeanDefinitionValueResolver.java:407) ~[spring-beans-6.2.7.jar:6.2.7]
	... 41 common frames omitted
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [jakarta.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception with message: The FilterChainProxy contains two filter chains using the matcher Or [Or [Or [Ant [pattern='/rest/**']]], Or [Or [Ant [pattern='/sso/callback/**']]]]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:199) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:88) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:168) ~[spring-beans-6.2.7.jar:6.2.7]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-6.2.7.jar:6.2.7]
	... 47 common frames omitted
Caused by: org.springframework.security.web.UnreachableFilterChainException: The FilterChainProxy contains two filter chains using the matcher Or [Or [Or [Ant [pattern='/rest/**']]], Or [Or [Ant [pattern='/sso/callback/**']]]]
	at org.springframework.security.config.annotation.web.builders.WebSecurityFilterChainValidator.checkForDuplicateMatchers(WebSecurityFilterChainValidator.java:77) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.web.builders.WebSecurityFilterChainValidator.validate(WebSecurityFilterChainValidator.java:48) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:178) ~[spring-security-web-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:351) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:98) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:354) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:132) ~[spring-security-config-6.5.0.jar:6.5.0]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[na:na]
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:569) ~[na:na]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:171) ~[spring-beans-6.2.7.jar:6.2.7]
	... 50 common frames omitted


> Task :bootRun FAILED

[Incubating] Problems report is available at: file:///Users/mortoza/Projects/inteaccHCM_brac_2.6/inteacc/build/reports/problems/problems-report.html

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/8.12.1/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
92 actionable tasks: 28 executed, 64 up-to-date

FAILURE: Build failed with an exception.

Hi,

Do you have some custom SecurityFilterChain declared in your project?
Please check if they have overlapped url matchers.

It seems like Spring Security fixed\improved their validation process for this case since 6.5.0 (which is used by Jmix 2.6.0) - Add support checking same security matchers by franticticktick · Pull Request #16186 · spring-projects/spring-security · GitHub

Regards,
Ivan

Hi Ivan
Yes, I have used SSO key cloak including OpenID add-on.
Do you have any specific suggestions to address this issue?

Hi,

Please check your project-side SecurityFilterChain instances for duplicates in securityMatcher values (different SecurityFilterChain instances have the same securityMatcher value).

Also you can debug org.springframework.security.config.annotation.web.builders.WebSecurityFilterChainValidator#checkForDuplicateMatchers method and find what chains are considered as duplicates so we can find their origins.

Regards,
Ivan

Hi everyone,

This issue started occurring after upgrading to Jmix 2.6.0, but it can also happen if you create a brand-new project with both add-ons using Jmix 2.6.0.
I ran into the same error after adding both the Authorization Server and OpenID Connect add-ons to my project. When both are present, the application fails to start with a UnreachableFilterChainException.

The issue occurs because Spring Security detects two filter chains with the same request matcher, which causes a conflict. Here’s the relevant part of the code from WebSecurityFilterChainValidator that throws the exception:

if (chain instanceof DefaultSecurityFilterChain defaultChain) {
    if (defaultChain.getRequestMatcher().equals(filterChain.getRequestMatcher())) {
        throw new UnreachableFilterChainException(
            "The FilterChainProxy contains two filter chains using the matcher "
                + defaultChain.getRequestMatcher(),
            filterChain, defaultChain
        );
    }
}

image

Has anyone faced this and found a clean workaround or recommendation for handling both add-ons together?

Hi,

Yes, they introduced this validation in Spring Security 6.5.0 (Spring Boot 3.5.0) which is included into Jmix 2.6.0.

And each of those two add-ons mentioned by you creates security filter chain with the same dynamically generated matcher.

Created an issue - Duplicated request matcher in different SecurityFilterChain · Issue #4597 · jmix-framework/jmix · GitHub

Thanks.

Regards,
Ivan

Hi everyone,

Can you briefly describe your scenarios of usage of both add-ons ( Authorization Server and OpenID Connect) at the same time?
For now it looks like they are not designed to be used together (or at least has an issue).

Maybe you should disable one of them? More likely Authorization Server - you can use OIDC to get tokens for REST API (OpenID Connect :: Jmix Documentation).

Regards,
Ivan

Yes, your suggestion points in the right direction — I’m now using access tokens generated via the OIDC add-on instead of the Authorization Server.

Previously, I was using the Authorization Server add-on to generate tokens, but with the upgrade to Jmix 2.6, that setup no longer works out of the box when both add-ons are present. To get the application running, I had to disable the default Authorization Server configuration using:

jmix.authserver.use-default-resource-server-configuration=false

Then, I created a custom security configuration by copying everything from the Authorization Server add-on and adding a dummy request matcher to avoid conflicts:

RequestMatcher securityMatcher = new OrRequestMatcher(
    authenticatedRequestMatcher,
    anonymousRequestMatcher,
    new RegexRequestMatcher("^/never-match-dummy$", null)
);

However, this workaround only gets me so far. I’ve noticed that as long as this custom configuration is in place, tokens generated by the OIDC add-on don’t work correctly — the Authorization Server appears to take precedence and tries to validate them as if they were issued by itself.

So with Jmix 2.6, the reality is: if both add-ons are present, one must be disabled or fully isolated. Otherwise, the application won’t handle access tokens correctly.

Ideally, though — at least for one deployment of my app — I’d like to support access tokens from both add-ons simultaneously. This would allow teams that rely on the old Authorization Server-based method to transition gradually, rather than requiring everyone to switch at once.

Hi,

It’s partially correct - new Spring Security just introduced explicit validation of duplicated matchers, but it doesn’t mean this case was valid previously.
Only one chain can handle request so adding both add-ons should causes some kind of runtime issues anyway even before 2.6.0.

Did you previously use both add-ons at the same time (successfully)? What is your business scenarios related to them? Or you just switch from AS to OIDC?

We haven’t noticed any issues like that before so it seems no one use them both and it seems like they were initially designed to use separately.
But if there is some case which requires both of them - we need to take it into account.

Currently we researching the possibility to implement unified chain with dynamic token handling.

Regards,
Ivan

Hi Ivan,

Thanks for the clarification.

To answer your questions: yes, we did use both add-ons simultaneously before upgrading to Jmix 2.6, and it worked fine in practice. Our application was initially set up with the Authorization Server add-on handling access token generation, and when we added the OIDC add-on, it didn’t interfere — teams continued to get access tokens via the Authorization Server without needing to switch to OIDC.

Our main business scenario involves supporting multiple teams that rely on access tokens issued by the Authorization Server. The OIDC add-on was added later, primarily to provide compatibility and support new features, but there was no immediate need for teams to switch token providers.

Please let me know if you need any more details about our usage or environment.

Best regards,
Mustafa Gürcan Öztürk

I want to know about use cases after you added OIDC.

You keep using AS to get tokens (so you have some external clients what communicate with your app via REST).

But did you configure (and successfully used) some external IDP (e.g. Keycloak) via OIDC?
Because if you managed to use functionality of both add-ons (not just add the add-on) - that means one of those chains can handle both of them (or you “didn’t use it enough” to face some issues).

As an additional experiment please try to disable default configuration of each add-on (one at a time: jmix.oidc.use-default-jwt-configuration and jmix.authserver.use-default-resource-server-configuration) without adding custom chain and check if everything is Ok.

Regards,
Ivan

Hi Ivan,

You’re absolutely right—I should have mentioned earlier that I’m using Keycloak as an external IDP via the OIDC add-on. In fact, I’ve been using both the OIDC and Auth Server (AS) add-ons together for over 1.5 years—Keycloak for authentication and AS for issuing access tokens.

In my setup, it’s possible to generate tokens from both sources. However, by default, Jmix only fully supports tokens issued by the Auth Server. Just yesterday, I ran into the issue that to make Keycloak-issued access tokens work properly, I had to disable the default security configuration of the Auth Server.

I’m currently on leave and can’t confirm for sure, but it’s also possible that disabling the default OIDC configuration instead might be the better approach. I’ll test both scenarios when I’m back and share the results.

Thanks again for your insights and help!

1 Like

Hi,

Additional details.

I was confused a little at first, but this issue actually has quite limited scope.

How it works before 2.6.0 if you add both add-ons:

  1. Add-ons provides auto-configurations.
  2. Each auto-configuration creates similar SecurityFilterChain to protect API via Resource Server. The difference - OIDC configures JWT and Authorization Server configures opaque token.
  3. Multiple chains with the same matcher is incorrect, but not strictly forbidden.
  4. However, only one chain (the first matched) can handle request. But both of them have the same order so they will be ordered according to the order of processing of their auto-configuration.
  5. Auto-configurations also don’t have any order-specific adjustments so they will be ordered lexicographically.
  6. As a result - the chain from Authorization Server will handle those requests.

So in this case login via OIDC works because it’s not affected by any of these chains.

But you can’t use OIDC to work with protected API.
You still can get access token but you can’t use it because Resource Server is not configured to work with JWT acquired from OIDC IDP (it’s done in OIDC chain but request can’t get there).

So if you need to get access token you should get it via Authorization Server.
And that is your case.

After 2.6.0 it actually works the same way, but now there is a validation for chain with the same matchers.

So WA should be the following:

  • If you get access tokens via Authorization Server - disable the “opposite” default resource server configuration from OIDC (jmix.oidc.use-default-jwt-configuration=false). That emulates pre 2.6.0 behavior when only one chain handles requests - by removing “ignored” chain.
  • If you get access tokens via OIDC - disable the default resource server configuration from Authorization Server (jmix.authserver.use-default-resource-server-configuration=false). But in this case maybe just remove the add-on.

Regards,
Ivan