Consider Order on SecurityFilterChain bean definitions

Closes gh-9154

Author: eleftherias

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java

@@ -176,13 +176,11 @@ public void setFilterChainProxySecurityConfigurer(ObjectPostProcessor<Object> ob
 
 	@Autowired(required = false)
 	void setFilterChains(List<SecurityFilterChain> securityFilterChains) {
-		securityFilterChains.sort(AnnotationAwareOrderComparator.INSTANCE);
 		this.securityFilterChains = securityFilterChains;
 	}
 
 	@Autowired(required = false)
 	void setWebSecurityCustomizers(List<WebSecurityCustomizer> webSecurityCustomizers) {
-		webSecurityCustomizers.sort(AnnotationAwareOrderComparator.INSTANCE);
 		this.webSecurityCustomizers = webSecurityCustomizers;
 	}
 

config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java

@@ -19,8 +19,12 @@
 import java.io.Serializable;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.util.ArrayList;
 import java.util.List;
 
+import javax.servlet.Filter;
+import javax.servlet.http.HttpServletRequest;
+
 import org.junit.Rule;
 import org.junit.Test;
 
@@ -131,6 +135,19 @@ public void loadConfigWhenSecurityFilterChainsHaveOrderThenFilterChainsOrdered()
 		assertThat(filterChains.get(3).matches(request)).isTrue();
 	}
 
+	@Test
+	public void loadConfigWhenSecurityFilterChainsHaveOrderOnBeanDefinitionsThenFilterChainsOrdered() {
+		this.spring.register(OrderOnBeanDefinitionsSecurityFilterChainConfig.class).autowire();
+		FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class);
+		List<SecurityFilterChain> filterChains = filterChainProxy.getFilterChains();
+		assertThat(filterChains).hasSize(2);
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
+		request.setServletPath("/role1/**");
+		assertThat(filterChains.get(0).matches(request)).isTrue();
+		request.setServletPath("/role2/**");
+		assertThat(filterChains.get(1).matches(request)).isTrue();
+	}
+
 	@Test
 	public void loadConfigWhenWebSecurityConfigurersHaveSameOrderThenThrowBeanCreationException() {
 		assertThatExceptionOfType(BeanCreationException.class)
@@ -472,6 +489,45 @@ SecurityFilterChain filterChain4(HttpSecurity http) throws Exception {
 
 	}
 
+	@EnableWebSecurity
+	@Import(AuthenticationTestConfiguration.class)
+	static class OrderOnBeanDefinitionsSecurityFilterChainConfig {
+
+		@Bean
+		@Order(1)
+		SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
+			// @formatter:off
+			return http
+					.antMatcher("/role1/**")
+					.authorizeRequests((authorize) -> authorize
+							.anyRequest().hasRole("1")
+					)
+					.build();
+			// @formatter:on
+		}
+
+		@Bean
+		TestSecurityFilterChain securityFilterChain2(HttpSecurity http) throws Exception {
+			return new TestSecurityFilterChain();
+		}
+
+		@Order(2)
+		static class TestSecurityFilterChain implements SecurityFilterChain {
+
+			@Override
+			public boolean matches(HttpServletRequest request) {
+				return true;
+			}
+
+			@Override
+			public List<Filter> getFilters() {
+				return new ArrayList<>();
+			}
+
+		}
+
+	}
+
 	@EnableWebSecurity
 	@Import(AuthenticationTestConfiguration.class)
 	static class DuplicateOrderConfig {