Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) vs ManagementServerProperties.ACCESS_OVERRIDE_ORDER in Spring Security

Question1: In Spring Security, what exactly is the function

@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)

Spring Documentation States the below, but I am not sure I understand it clearly

To override the access rules without changing any other autoconfigured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).

The ordering of various security features in Spring Security are as below as per my understanding (LowestValue i.e. Highest Precedence to Highest Value i.e. Lowest Precedence)

  1. Ordered.HIGHEST_PRECEDENCE = -2^31-1
  2. WebSecurityConfigurerAdapter = 100 (Based on @Order(100) mentioned in Docs)
    1. Access_Override_Order = Basic_Auth_Order -2 for Security Properties
    2. Access_Override_Order = Basic_Auth_Order -1 for ManagementServerProperties Basic_Auth_Order-2 = 2^31-7
  3. Basic_Auth_Order = Ordered.Lowest_Precendence -5 = 2^31-5
  4. Ordered.LOWEST_PRECEDENCE = 2^31

Question2 Based on the ordering of various security features above, If I want to override default rules for both Management Endpoints and the Rest of the application, should I use

  • SecurityPropertiesACCESS_OVERRIDE_ORDER or
  • ManagementServerProperties ACCESS_OVERRIDE_ORDER ?

I am currently using SecurityProperties ACCESS_OVERRIDE_ORDER but based on the suggestion here to get ACTUATOR working I need to enable ManagementServerProperties ACCESS_OVERRIDE_ORDER. Which one should I override if I want both working ?

Thanks.

like image 825
HopeKing Avatar asked Aug 06 '17 07:08

HopeKing


2 Answers

SecurityProperties no longer defines the ACCESS_OVERRIDE_ORDER constant for the @Order annotation. However, Spring Boot no longer defines any security details if the application does, so we do not need the @Order annotation on the security @Configuration class and can be removed.

like image 120
Ajay Khetan Avatar answered Nov 15 '22 23:11

Ajay Khetan


Q1. Question1: In Spring Security, what exactly does the annotation @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) do?

What it does is well explained in the documentation you quoted.

To override the access rules without changing any other autoconfigured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).

But then WebSecurityConfigurerAdapter, which has @Order(100), takes higher priority.

No.

You should be careful about this part autoconfigured features. Using @EnableAutoConfiguration which is a part of @SpringBootApplication, a lot of things are auto-configured and 100 is not a auto-configured value but a hard-coded value on the WebSecurityConfigurerAdapter class.

You can find order values used for auto-configuring for Spring Security in SecurityProperties class and you can find out that the value of ACCESS_OVERRIDE_ORDER is the lowest which means it takes the highest priority.

Where are they auto-confitured?

You can find that @Order(SecurityProperties.BASIC_AUTH_ORDER) is used in SpringBootWebSecurityConfiguration class.

Then when is the annotation @Order(100) of WebSecurityConfigurerAdapter used?

For example, if you disable the auto-configuring by adding @EnableWebSecurity, the value would be used. As the value 100 takes too high priority, it'd be better to put @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) annotation in your custom class in the case.

Q2. Based on the ordering of various security features above, If I want to override default rules for both Management Endpoints and the Rest of the application, what should I use

Use ManagementServerProperties ACCESS_OVERRIDE_ORDER.

It takes higher priority so you must use it if you want to override default rules for all end points. You can see how the values are set if you open the ManagementServerProperties class.

In SecurityProperties

int ACCESS_OVERRIDE_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 2; // 39
int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5; // 41

In ManagementServerProperties

int BASIC_AUTH_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 5; // 36
int ACCESS_OVERRIDE_ORDER = ManagementServerProperties.BASIC_AUTH_ORDER - 1; // 35

In the comment, 39 means 21474839, I've omitted the first 6 digits for readability.

like image 38
Sanghyun Lee Avatar answered Nov 15 '22 22:11

Sanghyun Lee