Question1: In Spring Security, what exactly is the function
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
Spring Documentation States the below, but I am not sure I understand it clearly
To override the access rules without changing any other autoconfigured features add a @Bean of type WebSecurityConfigurerAdapter with
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).
The ordering of various security features in Spring Security are as below as per my understanding (LowestValue i.e. Highest Precedence to Highest Value i.e. Lowest Precedence)
Ordered.HIGHEST_PRECEDENCE= -2^31-1- WebSecurityConfigurerAdapter = 100 (Based on @Order(100) mentioned in Docs)
Access_Override_Order = Basic_Auth_Order -2for Security PropertiesAccess_Override_Order = Basic_Auth_Order -1for ManagementServerPropertiesBasic_Auth_Order-2= 2^31-7
Basic_Auth_Order = Ordered.Lowest_Precendence -5 = 2^31-5Ordered.LOWEST_PRECEDENCE = 2^31
Question2 Based on the ordering of various security features above, If I want to override default rules for both Management Endpoints and the Rest of the application, should I use
- SecurityPropertiesACCESS_OVERRIDE_ORDER or
- ManagementServerProperties ACCESS_OVERRIDE_ORDER ?
I am currently using SecurityProperties ACCESS_OVERRIDE_ORDER but based on the suggestion here to get ACTUATOR working I need to enable ManagementServerProperties ACCESS_OVERRIDE_ORDER. Which one should I override if I want both working ?
Thanks.
Q1. Question1: In Spring Security, what exactly does the annotation @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) do?
What it does is well explained in the documentation you quoted.
To override the access rules without changing any other autoconfigured features add a @Bean of type WebSecurityConfigurerAdapter with
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).
But then WebSecurityConfigurerAdapter, which has @Order(100), takes higher priority.
No.
You should be careful about this part autoconfigured features. Using @EnableAutoConfiguration which is a part of @SpringBootApplication, a lot of things are auto-configured and 100 is not a auto-configured value but a hard-coded value on the WebSecurityConfigurerAdapter class.
You can find order values used for auto-configuring for Spring Security in SecurityProperties class and you can find out that the value of ACCESS_OVERRIDE_ORDER is the lowest which means it takes the highest priority.
Where are they auto-confitured?
You can find that @Order(SecurityProperties.BASIC_AUTH_ORDER) is used in SpringBootWebSecurityConfiguration class.
Then when is the annotation @Order(100) of WebSecurityConfigurerAdapter used?
For example, if you disable the auto-configuring by adding @EnableWebSecurity, the value would be used. As the value 100 takes too high priority, it'd be better to put @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) annotation in your custom class in the case.
Q2. Based on the ordering of various security features above, If I want to override default rules for both Management Endpoints and the Rest of the application, what should I use
Use ManagementServerProperties ACCESS_OVERRIDE_ORDER.
It takes higher priority so you must use it if you want to override default rules for all end points. You can see how the values are set if you open the ManagementServerProperties class.
In SecurityProperties
int ACCESS_OVERRIDE_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 2; // 39
int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5; // 41
In ManagementServerProperties
int BASIC_AUTH_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 5; // 36
int ACCESS_OVERRIDE_ORDER = ManagementServerProperties.BASIC_AUTH_ORDER - 1; // 35
In the comment, 39 means 21474839, I've omitted the first 6 digits for readability.