We are migrating our Spring Boot 1.5.7 application to Spring Boot 2 and I noticed that SecurityProperties.ACCESS_OVERRIDE_ORDER is not available anymore.
We were using @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) to force a certain order of security config filters, and it is not working without this annotation anymore (we are getting different statuses since the security filters are in the wrong order). Is there some replacement or configuration change to make it work the old way?
We have basic auth + OAuth2 in place.
This is the OAuth2 dependency we use:
compile group: 'org.springframework.security.oauth', name: 'spring-security-oauth2', version: '2.1.0.RELEASE'
EDIT: this is my WebSecurity properties:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  private static final String LOGIN = "/login";
  private static final String LOGOUT_SUCCESS = "/login?logout";
  private final UserDetailsService userDetailsService;
  private final AuthenticationManager authenticationManager;
  public WebSecurityConfig(UserDetailsService userDetailsService, @Lazy AuthenticationManager authenticationManager) {
    this.userDetailsService = userDetailsService;
    this.authenticationManager = authenticationManager;
  }
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
      // enable cors
      .cors().and()
      .requestMatchers().antMatchers("/oauth/**", "/*").and()
      // These from the above are secured by the following way
      .authorizeRequests().antMatchers("/").permitAll()
      // These from the rest are secured by the following way
      .anyRequest().authenticated().and()
      // Set login page
      .formLogin().loginPage(LOGIN).permitAll().defaultSuccessUrl(PROFILE)
      // Set logout handling
      .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS);
    // @formatter:on
  }
  @Override
  public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
  }
  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.parentAuthenticationManager(authenticationManager);
    auth.userDetailsService(userDetailsService);
  }
}
When accessing /user via REST, I expect to get 401 - Unauthorized without a valid token. Instead, I get 302 - Redirect to /login meaning that basic auth has higher priority. I am not sure how to fix this since any order I try to use does not work.
I have the same issue. Just as a monkey patch (I will investigate the real meaning of the @Order annotation later), I looked up the value that was assigned to ACCESS_OVERRIDE_ORDER in the 1.5.* versions at https://docs.spring.io/spring-boot/docs/1.5.10.RELEASE/api/, which appears to be @Order(2147483640)...
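An added example, not part of the original posts and not Spring code: a plain-Java model of why the relative @Order of the two configurations decides between the 302 and the 401 described in the question. Assumptions: the token-protected chain matches every path, every order value other than 2147483640 is constructed for the comparison, and /user/1 is a constructed path.

```java
import java.util.Arrays;
import java.util.function.Predicate;

// Added illustration in plain Java (no Spring classes): chains are tried in
// ascending @Order and the first one whose matcher accepts the path handles it.
public class ChainOrderDemo {

  static final class Chain {
    final int order;
    final Predicate<String> matcher;
    final int statusWhenUnauthenticated; // response for a protected path
    Chain(int order, Predicate<String> matcher, int statusWhenUnauthenticated) {
      this.order = order;
      this.matcher = matcher;
      this.statusWhenUnauthenticated = statusWhenUnauthenticated;
    }
  }

  // Simplified stand-ins for the Ant patterns "/oauth/**" and "/*" in the question.
  static boolean underOauth(String p) { return p.equals("/oauth") || p.startsWith("/oauth/"); }
  static boolean singleSegment(String p) { return p.startsWith("/") && p.indexOf('/', 1) < 0; }

  // formLogin chain from the question: redirects unauthenticated requests (302).
  static Chain webSecurityConfig(int order) {
    return new Chain(order, p -> underOauth(p) || singleSegment(p), 302);
  }

  // Token-protected chain; assumed here to match every path and answer 401.
  static Chain resourceServer(int order) {
    return new Chain(order, p -> true, 401);
  }

  static int statusFor(String path, Chain... chains) {
    return Arrays.stream(chains)
        .sorted((a, b) -> Integer.compare(a.order, b.order))
        .filter(c -> c.matcher.test(path))
        .findFirst().map(c -> c.statusWhenUnauthenticated).orElse(404);
  }

  public static void main(String[] args) {
    int override = 2147483640; // value quoted in the answer above
    // formLogin chain ordered first: it claims /user and redirects.
    System.out.println(statusFor("/user", webSecurityConfig(override - 1), resourceServer(override)));
    // Token chain ordered first: /user is rejected.
    System.out.println(statusFor("/user", webSecurityConfig(override), resourceServer(override - 1)));
    // "/*" covers one path segment only, so /user/1 never reaches formLogin.
    System.out.println(statusFor("/user/1", webSecurityConfig(override - 1), resourceServer(override)));
  }
}
```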