Question 1: In Spring Security, what exactly is the function of @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)?
The Spring documentation states the below, but I am not sure I understand it clearly:
To override the access rules without changing any other autoconfigured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).
The ordering of various security features in Spring Security is as below, as per my understanding (lowest value, i.e. highest precedence, to highest value, i.e. lowest precedence):
Ordered.HIGHEST_PRECEDENCE = -2^31-1
Access_Override_Order = Basic_Auth_Order - 2 (for SecurityProperties)
Access_Override_Order = Basic_Auth_Order - 1 (for ManagementServerProperties)
Basic_Auth_Order - 2 = 2^31-7
Basic_Auth_Order = Ordered.Lowest_Precedence - 5 = 2^31-5
Ordered.LOWEST_PRECEDENCE = 2^31
Question 2: Based on the ordering of the various security features above, if I want to override the default rules for both the management endpoints and the rest of the application, which one should I use?
I am currently using SecurityProperties.ACCESS_OVERRIDE_ORDER, but based on the suggestion here, to get Actuator working I need to enable ManagementServerProperties.ACCESS_OVERRIDE_ORDER. Which one should I override if I want both working?
Thanks.
SecurityProperties no longer defines the ACCESS_OVERRIDE_ORDER constant for the @Order annotation. However, Spring Boot no longer defines any security details if the application does, so we do not need the @Order annotation on the security @Configuration class, and it can be removed.
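The Spring Boot 2.x shape of the configuration described in this answer, as an added example that is not code from the original post: because Boot backs off its default security as soon as the application defines a WebSecurityConfigurerAdapter, there is no @Order constant to pick, and the Actuator paths are selected with EndpointRequest instead of hard-coded URLs. The /api/** prefix, the role names and the assumption that users are configured elsewhere (for example via spring.security.user.*) are assumptions made for the example.

```java
// Added example (not from the original post): Spring Boot 2.x access rules for
// both the Actuator endpoints and the rest of the application, without @Order.
// Assumptions: application URLs live under /api/**; role names are placeholders;
// users/roles are configured elsewhere (e.g. spring.security.user.*).
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class AccessRulesConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // health and info are designed to be public. EndpointRequest resolves
                // the real paths, so a changed management.endpoints.web.base-path
                // does not silently move the endpoints out from under these rules.
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // Every other exposed Actuator endpoint (env, heapdump, threaddump,
                // loggers, ...) discloses configuration or memory: operator role only.
                // This matcher must come after the health/info one; the first match wins.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
                // Application API.
                .antMatchers("/api/**").hasRole("USER")
                // Fail closed for anything not listed above.
                .anyRequest().authenticated()
                .and()
            // Keep Spring Security's default CSRF and security-header setup;
            // only the access rules are being defined here.
            .httpBasic();
    }
}
```

WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 onward in favour of a SecurityFilterChain @Bean, but the EndpointRequest matchers and the rule ordering shown here carry over unchanged.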
What does @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) do?

What it does is well explained in the documentation you quoted:

To override the access rules without changing any other autoconfigured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).

But then WebSecurityConfigurerAdapter, which has @Order(100), takes higher priority.

No.
You should be careful about this part: "autoconfigured features". Using @EnableAutoConfiguration, which is part of @SpringBootApplication, a lot of things are auto-configured, and 100 is not an auto-configured value but a hard-coded value on the WebSecurityConfigurerAdapter class.
You can find the order values used for auto-configuring Spring Security in the SecurityProperties class, and you can see that the value of ACCESS_OVERRIDE_ORDER is the lowest, which means it takes the highest priority.
Where are they auto-configured?
You can find that @Order(SecurityProperties.BASIC_AUTH_ORDER) is used in the SpringBootWebSecurityConfiguration class.
Then when is the @Order(100) annotation of WebSecurityConfigurerAdapter used?
For example, if you disable the auto-configuration by adding @EnableWebSecurity, that value would be used. As the value 100 takes too high a priority, it would be better to put the @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) annotation on your custom class in that case.
Use ManagementServerProperties.ACCESS_OVERRIDE_ORDER.
It takes higher priority, so you must use it if you want to override the default rules for all endpoints. You can see how the values are set if you open the ManagementServerProperties class.
In SecurityProperties:
int ACCESS_OVERRIDE_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 2; // 40
int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5; // 42 (Ordered.LOWEST_PRECEDENCE is Integer.MAX_VALUE = 2147483647)
In ManagementServerProperties:
int BASIC_AUTH_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 5; // 37
int ACCESS_OVERRIDE_ORDER = ManagementServerProperties.BASIC_AUTH_ORDER - 1; // 36
In the comments, 40 means 2147483640; I've omitted the leading digits for readability.
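The configuration this answer recommends, as an added example that is not code from the original post: a Spring Boot 1.x WebSecurityConfigurerAdapter ordered at ManagementServerProperties.ACCESS_OVERRIDE_ORDER so that its access rules apply to the Actuator endpoints as well as to the rest of the application. The assumptions, none of which come from the page, are that Actuator runs on the application port with its default endpoint paths (no management.context-path), that application URLs live under /api/**, that authentication is left to the auto-configured security.user.* properties, and that the role names are placeholders.

```java
// Added example (not from the original post): Spring Boot 1.x access rules that
// cover BOTH the Actuator endpoints and the rest of the application.
// Assumptions: default Actuator paths on the application port, application URLs
// under /api/**, users/roles from the auto-configured security.user.* properties,
// placeholder role names.
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
// Spring Security tries the filter chains in @Order order and the first chain
// whose request matcher accepts the request wins. The relevant values are:
//   ManagementServerProperties.ACCESS_OVERRIDE_ORDER = 2147483636  (this class)
//   ManagementServerProperties.BASIC_AUTH_ORDER      = 2147483637  (auto-configured Actuator chain)
//   SecurityProperties.ACCESS_OVERRIDE_ORDER         = 2147483640
//   SecurityProperties.BASIC_AUTH_ORDER              = 2147483642  (auto-configured application chain)
// With SecurityProperties.ACCESS_OVERRIDE_ORDER instead, the Actuator chain would
// still be consulted first for /health, /env, ... and the rules below would never
// apply to those paths.
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
public class AccessRulesConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Non-sensitive Actuator endpoints: anonymous access is acceptable.
                .antMatchers("/health", "/info").permitAll()
                // Sensitive Actuator endpoints expose environment variables, bean
                // wiring, heap and thread dumps: restrict them to an operator role
                // rather than merely "authenticated".
                .antMatchers("/env", "/beans", "/configprops", "/dump", "/trace",
                             "/mappings", "/autoconfig", "/metrics", "/heapdump")
                    .hasRole("ACTUATOR")
                // Application API.
                .antMatchers("/api/**").hasRole("USER")
                // Fail closed for anything not listed above.
                .anyRequest().authenticated()
                .and()
            // Only the access rules are overridden here; the auto-configured
            // authentication (security.user.*), CSRF and header settings stay as they are.
            .httpBasic();
    }
}
```

If management.context-path or management.port is set, the path list above no longer matches the Actuator endpoints and must be adjusted; on a separate management port the chain ordering still applies within that port's context, so the explicit role check on the sensitive endpoints remains the part worth keeping.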