@Order annotations cannot be used with @Bean methods #9154

Closed
philwebb opened this issue Oct 27, 2020 · 4 comments
Labels: in: config (An issue in spring-security-config), status: backported (An issue that has been backported to maintenance branches), type: bug (A general bug)


@philwebb
Member

Whilst looking at spring-projects/spring-boot#23421 I noticed a few of our migrations use the @Order annotation on beans.

A common pattern would be:

```java
@Bean
@Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
SecurityFilterChain configure(HttpSecurity http) throws Exception {
	http.requestMatcher(new AntPathRequestMatcher(this.url)).authorizeRequests().anyRequest().anonymous().and()
			.csrf().disable();
	return http.build();
}
```

and

```java
@Bean
@Order(SecurityProperties.IGNORED_ORDER)
IgnoredCloudFoundryPathsWebSecurityCustomizer ignoreCloudFoundryPathsWebSecurityCustomizer() {
	return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/cloudfoundryapplication/**"));
}
```

I'm not convinced that these @Order annotations are working in these locations (or perhaps they're not supposed to be used that way).

Looking at the code, I think WebSecurityConfiguration.setWebSecurityCustomizers and WebSecurityConfiguration.setFilterChains are responsible for managing the beans and they sort items directly. I'm pretty sure that this doesn't consider any annotations on the @Bean method.

I think that using ObjectProvider.orderedStream() might be a better choice since it will wire up a FactoryAwareOrderSourceProvider OrderComparator.OrderSourceProvider.

@philwebb philwebb added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug and removed type: bug A general bug labels Oct 27, 2020
@eleftherias eleftherias self-assigned this Oct 27, 2020
@jzheaux jzheaux added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 28, 2020
eleftherias added a commit that referenced this issue Nov 2, 2020
@eleftherias
Contributor

@philwebb We had an existing test checking the order on SecurityFilterChain and I just added an additional one for WebSecurityCustomizer.
As far as I can tell, the @Order annotation is working.
Do you have an example configuration where they aren't being ordered correctly?

@philwebb
Member Author

philwebb commented Nov 2, 2020

@eleftherias I'm afraid not, it was just an observation from looking at the code. I may well have got it wrong. Perhaps Spring is injecting the list already sorted and re-sorting it doesn't cause a side-effect. I'll close this one since the tests seem to prove it's working.

@philwebb philwebb closed this as completed Nov 2, 2020
@mbhave
Contributor

mbhave commented Feb 11, 2021

@eleftherias Here is an example where Spring Security's sort will flip the order that Spring Framework injected them in:

```java
@Bean
@Order(1)
SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
	//something
	return http.build();
}

@Bean
TestSecurityFilterChain securityFilterChain2(HttpSecurity http) throws Exception {
	return new TestSecurityFilterChain();
}

@Order(2)
static class TestSecurityFilterChain implements SecurityFilterChain {
	//implement methods
}
```

Spring Framework will inject securityFilterChain1, securityFilterChain2. Then Spring Security will sort them again using securityFilterChains.sort(AnnotationAwareOrderComparator.INSTANCE);. It sees @Order on TestSecurityFilterChain but nothing on securityFilterChain1 because it does not look at bean definitions. securityFilterChain2 will then end up before securityFilterChain1. I don't see a need for Spring Security to call securityFilterChains.sort(AnnotationAwareOrderComparator.INSTANCE); and it seems like it could be dropped.
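
The re-sort described in the comment above, reproduced with plain Spring Framework as an added example (not code from the issue or from Spring Security): it prints the order the container resolves via `ObjectProvider.orderedStream()` and then the order after sorting the same instances with `AnnotationAwareOrderComparator.INSTANCE`. `Chain` is a hypothetical stand-in for `SecurityFilterChain`, all class and bean names are illustrative, and spring-context 5.2 or later is assumed on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.core.annotation.Order;

public class OrderResortDemo {

	// Hypothetical stand-in for SecurityFilterChain, so only spring-context is needed.
	interface Chain { String name(); }

	// Order declared on the class: visible to AnnotationAwareOrderComparator on the instance.
	@Order(2)
	static class TypeOrderedChain implements Chain {
		public String name() { return "chain2 (@Order(2) on class)"; }
	}

	@Configuration(proxyBeanMethods = false)
	static class Config {
		// Order declared on the factory method: reachable only through the bean definition.
		@Bean
		@Order(1)
		Chain chain1() { return () -> "chain1 (@Order(1) on @Bean method)"; }

		@Bean
		TypeOrderedChain chain2() { return new TypeOrderedChain(); }
	}

	static List<String> names(List<Chain> chains) {
		return chains.stream().map(Chain::name).collect(Collectors.toList());
	}

	public static void main(String[] args) {
		try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(Config.class)) {
			// The container's comparator consults the factory method's @Order.
			List<Chain> injected = ctx.getBeanProvider(Chain.class).orderedStream().collect(Collectors.toList());
			System.out.println("container order: " + names(injected));

			// Sorting the instances again sees only class-level annotations.
			List<Chain> resorted = new ArrayList<>(injected);
			resorted.sort(AnnotationAwareOrderComparator.INSTANCE);
			System.out.println("after re-sort:   " + names(resorted));
		}
	}
}
```

The instance returned by `chain1()` carries no class-level `@Order`, so the second sort treats it as lowest precedence and moves it behind `chain2`.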

@eleftherias
Contributor

Thanks for the sample @mbhave. I'm reopening the issue.

@eleftherias eleftherias reopened this Mar 23, 2021
@eleftherias eleftherias added the type: bug A general bug label Mar 24, 2021
@eleftherias eleftherias added this to the 5.5.0-RC1 milestone Mar 24, 2021
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Mar 24, 2021