I've tried to register multiple filters in my Spring Security Configuration, however I always get the same exception:
04-Nov-2015 14:35:23.792 WARNING [RMI TCP Connection(3)-127.0.0.1] org.springframework.web.context.support.AnnotationConfigWebApplicationContext.refresh Exception encountered during context initialization - cancelling refresh attempt org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Injection of autowired dependencies failed; nested exception is java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. Order of 100 was already used, so it cannot be used on com.payment21.webapp.MultiHttpSecurityConfig$ApiWebSecurityConfigurationAdapter$$EnhancerBySpringCGLIB$$35c79fe4@1d381684 too.
Since my own attempts didn't work, I tried the exact same code as shown in the Spring Security reference:
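    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class MultiHttpSecurityConfig {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) {
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER").and()
                    .withUser("admin").password("password").roles("USER", "ADMIN");
        }

        // Consulted first: applies only to requests under /api/**
        @Configuration
        @Order(1)
        public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/api/**")
                    .authorizeRequests()
                        .anyRequest().hasRole("ADMIN")
                        .and()
                    .httpBasic();
            }
        }

        // No explicit @Order: handles every request the first adapter does not match
        @Configuration
        public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .anyRequest().authenticated()
                        .and()
                    .formLogin();
            }
        }
    }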
To isolate the error I tried to replace the web.xml by a Java based approach, but it didn't work either. I have no idea what's wrong, is the doc wrong? Can something in my application mess with the configuration? System is starting up properly, unless I register a second WebSecurityConfigAdapter.
Those are my dependencies:
    compile 'org.springframework:spring-webmvc:4.2.2.RELEASE'
    compile 'org.springframework:spring-messaging:4.2.2.RELEASE'
    compile 'org.springframework:spring-websocket:4.2.2.RELEASE'
    compile 'org.springframework:spring-aop:4.2.2.RELEASE'
    compile 'javax.servlet:javax.servlet-api:3.0.1'
    compile 'org.springframework.security:spring-security-web:4.0.3.RELEASE'
    compile 'org.springframework.security:spring-security-config:4.0.3.RELEASE'
The @Order annotation defines the sorting order of an annotated component or bean. It has an optional value argument which determines the order of the component; the default value is Ordered.LOWEST_PRECEDENCE. This marks that the component has the lowest priority among all other ordered components.
@Order defines the sort order for an annotated component. The value() is optional and represents an order value as defined in the Ordered interface. Lower values have higher priority. The default value is Ordered.LOWEST_PRECEDENCE, indicating the lowest priority (losing to any other specified order value).
From Spring Boot 2.7, WebSecurityConfigurerAdapter is deprecated.
Since this is exception handling, we use the Spring Security .exceptionHandling() method and state that we want to handle the access-denied case by passing a custom access denied handler to the accessDeniedHandler() method (.exceptionHandling().accessDeniedHandler(accessDeniedHandler())).
Maybe you have annotated another class with the @EnableWebSecurity annotation. Be aware that only one class can implement this annotation. Hope that will help!
It may be worth noting, the @Order annotation should be at the class level. This is a bit confusing since @Journeycorner configuration is a multiclass example. My example with imports :)
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    import com.someco.entity.User;
    import com.someco.service.SpringDataJpaUserDetailsService;

    @Configuration("CustomSecurityConfig")
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    @Order(1000)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Autowired
        private SpringDataJpaUserDetailsService userDetailsService;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(this.userDetailsService)
                    .passwordEncoder(User.PASSWORD_ENCODER);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/built/**", "/main.css").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .defaultSuccessUrl("/", true)
                    .permitAll()
                    .and()
                .httpBasic()
                    .and()
                .csrf().disable()
                .logout()
                    .logoutSuccessUrl("/");
        }
    }
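The two-chain setup from the question, written without the deprecated WebSecurityConfigurerAdapter, as an added example that is not part of the original posts. It assumes Spring Security 5.8 or later (for `securityMatcher`); the class and bean method names are made up for illustration, and the user store is left out.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; each SecurityFilterChain bean replaces one adapter class.
@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Lower @Order value = consulted first. This chain only claims /api/**,
    // so it must come before the catch-all chain below.
    @Bean
    @Order(1)
    public SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Catch-all chain for everything the API chain did not match.
    // The explicit, distinct order value keeps the evaluation sequence
    // visible instead of relying on the default (lowest precedence).
    @Bean
    @Order(2)
    public SecurityFilterChain formLoginChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Only the first chain whose matcher accepts a request is applied, so a catch-all chain ordered ahead of the `/api/**` chain would leave the ADMIN rule unenforced.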