 

Spring Security Configuration @Order not unique exception

I've tried to register multiple filters in my Spring Security Configuration, however I always get the same exception:

04-Nov-2015 14:35:23.792 WARNING [RMI TCP Connection(3)-127.0.0.1] org.springframework.web.context.support.AnnotationConfigWebApplicationContext.refresh Exception encountered during context initialization - cancelling refresh attempt org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Injection of autowired dependencies failed; nested exception is java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. Order of 100 was already used, so it cannot be used on com.payment21.webapp.MultiHttpSecurityConfig$ApiWebSecurityConfigurationAdapter$$EnhancerBySpringCGLIB$$35c79fe4@1d381684 too.

Since my own attempts didn't work, I tried the exact same code as shown in the Spring Security reference:

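    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class MultiHttpSecurityConfig {
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER").and()
                    .withUser("admin").password("password").roles("USER", "ADMIN");
        }

        @Configuration
        @Order(1)
        public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/api/**")
                    .authorizeRequests()
                        .anyRequest().hasRole("ADMIN")
                        .and()
                    .httpBasic();
            }
        }

        @Configuration
        public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .anyRequest().authenticated()
                        .and()
                    .formLogin();
            }
        }
    }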

To isolate the error I tried to replace the web.xml with a Java-based approach, but it didn't work either. I have no idea what's wrong, is the doc wrong? Can something in my application mess with the configuration? System is starting up properly, unless I register a second WebSecurityConfigAdapter.

Those are my dependencies:

    compile 'org.springframework:spring-webmvc:4.2.2.RELEASE'
    compile 'org.springframework:spring-messaging:4.2.2.RELEASE'
    compile 'org.springframework:spring-websocket:4.2.2.RELEASE'
    compile 'org.springframework:spring-aop:4.2.2.RELEASE'
    compile 'javax.servlet:javax.servlet-api:3.0.1'
    compile 'org.springframework.security:spring-security-web:4.0.3.RELEASE'
    compile 'org.springframework.security:spring-security-config:4.0.3.RELEASE'

Journeycorner asked Nov 04 '15 14:11


People also ask

What is @order in Spring Security?

The @Order annotation defines the sorting order of an annotated component or bean. It has an optional value argument which determines the order of the component; the default value is Ordered.LOWEST_PRECEDENCE. This marks that the component has the lowest priority among all other ordered components.

What is @order in spring boot?

@Order defines the sort order for an annotated component. The value() is optional and represents an order value as defined in the Ordered interface. Lower values have higher priority. The default value is Ordered.LOWEST_PRECEDENCE, indicating the lowest priority (losing to any other specified order value).

Is WebSecurityConfigurerAdapter deprecated?

From Spring Boot 2.7, WebSecurityConfigurerAdapter is deprecated.

How does spring boot handle Access Denied exception?

Because this is exception handling, we use the Spring Security .exceptionHandling() method and handle the access-denied case by passing a custom access denied handler to the accessDeniedHandler() method (.exceptionHandling().accessDeniedHandler(accessDeniedHandler())).


2 Answers

Maybe you have annotated another class with the @EnableWebSecurity annotation. Be aware that only one class can implement this annotation. Hope that will help!

Guchelkaben answered Sep 25 '22 06:09


It may be worth noting, the @Order annotation should be at the class level. This is a bit confusing since @Journeycorner's configuration is a multiclass example. My example with imports :)

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    import com.someco.entity.User;
    import com.someco.service.SpringDataJpaUserDetailsService;

    @Configuration("CustomSecurityConfig")
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    @Order(1000) // class-level order for this (single) security configurer
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Autowired
        private SpringDataJpaUserDetailsService userDetailsService;

        // Authenticate against the JPA-backed user details service
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(this.userDetailsService)
                    .passwordEncoder(User.PASSWORD_ENCODER);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    // static assets are public, everything else needs a login
                    .antMatchers("/built/**", "/main.css").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .defaultSuccessUrl("/", true)
                    .permitAll()
                    .and()
                .httpBasic()
                    .and()
                // CSRF protection is disabled in this example
                .csrf().disable()
                .logout()
                    .logoutSuccessUrl("/");
        }

    }

Paul Lungu answered Sep 26 '22 06:09
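
An added diagnostic for the exception in the question (example code, not from the original posts and not part of Spring Security): it lists every `WebSecurityConfigurer` bean with the `@Order` value found on its class, so two beans that resolve to the same value are visible before the context fails. `SecurityConfigurerOrderReport` is a hypothetical name, the lookup assumes configurers that do not implement `Ordered`, and the inherited value of 100 comes from the `@Order(100)` declared on `WebSecurityConfigurerAdapter`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;

// Hypothetical diagnostic class (not part of Spring Security). Register it from a
// static @Bean method so it runs before any security configurer is instantiated.
public class SecurityConfigurerOrderReport implements BeanFactoryPostProcessor {

    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) {
        Map<Integer, List<String>> byOrder = new TreeMap<Integer, List<String>>();
        for (String name : beanFactory.getBeanNamesForType(WebSecurityConfigurer.class, true, false)) {
            Class<?> type = beanFactory.getType(name);
            if (type == null) {
                continue; // type not resolvable without instantiating the bean
            }
            int order = resolveOrder(type);
            if (!byOrder.containsKey(order)) {
                byOrder.put(order, new ArrayList<String>());
            }
            byOrder.get(order).add(name + " (" + type.getName() + ")");
        }
        // Sorted by order value; more than one bean per value is the failing case.
        for (Map.Entry<Integer, List<String>> entry : byOrder.entrySet()) {
            String flag = entry.getValue().size() > 1 ? "DUPLICATE " : "";
            System.err.println(flag + "@Order " + entry.getKey() + " -> " + entry.getValue());
        }
    }

    // findAnnotation also searches superclasses, so an adapter with no Spring @Order
    // of its own resolves to the @Order(100) declared on WebSecurityConfigurerAdapter.
    static int resolveOrder(Class<?> type) {
        Order order = AnnotationUtils.findAnnotation(type, Order.class);
        return order != null ? order.value() : Ordered.LOWEST_PRECEDENCE;
    }
}
```

Two bean names listed under the same value are the pair the exception complains about; an adapter reported at 100 has no `org.springframework.core.annotation.Order` visible on its own class.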