Spring Boot 2 and migrating OAuth2 configuration

Smajl :

We are migrating our Spring Boot 1.5.7 application to Spring Boot 2 and I noticed that SecurityProperties.ACCESS_OVERRIDE_ORDER is not available anymore.

We were using @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) to force a certain order of security config filters and it is not working without this annotation anymore (getting different statuses since the security filters are in the wrong order). Is there some replacement or configuration change to make it work in the old way?

We have basic auth + OAuth2 in place.

This is the OAuth2 dependency we use:

compile group: 'org.springframework.security.oauth', name: 'spring-security-oauth2', version: '2.1.0.RELEASE'

EDIT: this is my WebSecurity properties:

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
// Boot 1.5 constant; no longer available in Boot 2 (the subject of this question)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  private static final String LOGIN = "/login";
  private static final String LOGOUT_SUCCESS = "/login?logout";
  // Not shown in the original post; value assumed so the class compiles
  private static final String PROFILE = "/profile";

  private final UserDetailsService userDetailsService;
  private final AuthenticationManager authenticationManager;

  public WebSecurityConfig(UserDetailsService userDetailsService, @Lazy AuthenticationManager authenticationManager) {
    this.userDetailsService = userDetailsService;
    this.authenticationManager = authenticationManager;
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {

    // @formatter:off
    http
      // enable cors
      .cors().and()
      // only these paths are handled by this filter chain
      .requestMatchers().antMatchers("/oauth/**", "/*").and()
      // the root is open to everyone
      .authorizeRequests().antMatchers("/").permitAll()
      // everything else matched above needs an authenticated user
      .anyRequest().authenticated().and()
      // Set login page
      .formLogin().loginPage(LOGIN).permitAll().defaultSuccessUrl(PROFILE)
      // Set logout handling
      .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS);
    // @formatter:on

  }

  @Override
  public void configure(WebSecurity web) throws Exception {
    // CORS preflight requests bypass security entirely
    web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
  }

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.parentAuthenticationManager(authenticationManager);
    auth.userDetailsService(userDetailsService);
  }

}

When accessing /user via REST, I expect to get 401 - Unauthorized without a valid token. Instead, I get 302 - Redirect to /login meaning that basic auth has higher priority. I am not sure how to fix this since any order I try to use does not work.

Smajl :

So, it turns out that the problem was not in my WebSecurity config but it was a bit more complex. Spring Security 5 requires clientSecret to be encrypted with BCrypt by default, which I was missing. Also, adding an AuthenticationManager bean fixed the issue.

// inside WebSecurityConfig (extends WebSecurityConfigurerAdapter)
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
  return super.authenticationManagerBean();
}

I have an example project with this functionality on github but I am going to improve it a bit to fix some additional issues.
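An added example (not code from Smajl's project) of the authorization-server side the answer describes: the client secret is stored through Spring Security 5's delegating encoder, which produces a {bcrypt} hash, and the same encoder plus the exposed AuthenticationManager are wired into the spring-security-oauth2 endpoints. The class name, the client id demo-client and the secret demo-secret are assumed sample values.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

  // Spring Security 5 default encoder: stores "{bcrypt}$2a$10$..." and rejects
  // a client secret saved in plaintext without an {id} prefix.
  private static final PasswordEncoder ENCODER =
      PasswordEncoderFactories.createDelegatingPasswordEncoder();

  private final AuthenticationManager authenticationManager;

  // Injected from the authenticationManagerBean() shown in the answer.
  public AuthorizationServerConfig(AuthenticationManager authenticationManager) {
    this.authenticationManager = authenticationManager;
  }

  @Override
  public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
        .withClient("demo-client")                 // constructed sample client id
        .secret(ENCODER.encode("demo-secret"))     // hashed at startup, never kept in clear
        .authorizedGrantTypes("password", "refresh_token")
        .scopes("read")
        .accessTokenValiditySeconds(3600);
  }

  @Override
  public void configure(AuthorizationServerSecurityConfigurer security) {
    // Verify client credentials on /oauth/token with the same encoder.
    security.passwordEncoder(ENCODER)
        .checkTokenAccess("isAuthenticated()");
  }

  @Override
  public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
    // Required for the "password" grant; this is the bean the answer had to expose.
    endpoints.authenticationManager(authenticationManager);
  }
}
```

With this in place a token request to /oauth/token with the wrong client secret is rejected at the client-authentication step, and the secret never appears in plaintext in the configuration.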
