@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) vs ManagementServerProperties.ACCESS_OVERRIDE_ORDER in Spring Security
SecurityProperties no longer defines the ACCESS_OVERRIDE_ORDER constant for the @Order annotation. However, Spring Boot no longer defines any security details if the application does, so we do not need the @Order annotation on the security @Configuration class, and it can be removed.
Q1. In Spring Security, what exactly does the annotation @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) do?
What it does is well explained in the documentation you quoted:

To override the access rules without changing any other autoconfigured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).

But then WebSecurityConfigurerAdapter, which has @Order(100), takes higher priority.
No. You should be careful about this part: "autoconfigured features". Using @EnableAutoConfiguration, which is a part of @SpringBootApplication, a lot of things are auto-configured, and 100 is not an auto-configured value but a hard-coded value on the WebSecurityConfigurerAdapter class.

You can find the order values used for auto-configuring Spring Security in the SecurityProperties class, and you can find out that the value of ACCESS_OVERRIDE_ORDER is the lowest, which means it takes the highest priority.
Where are they auto-configured? You can find that @Order(SecurityProperties.BASIC_AUTH_ORDER) is used in the SpringBootWebSecurityConfiguration class.

Then when is the annotation @Order(100) of WebSecurityConfigurerAdapter used? For example, if you disable the auto-configuring by adding @EnableWebSecurity, that value would be used. As the value 100 takes too high a priority, it'd be better to put the @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) annotation on your custom class in that case.
Q2. Based on the ordering of the various security features above, if I want to override the default rules for both the management endpoints and the rest of the application, what should I use?
Use ManagementServerProperties.ACCESS_OVERRIDE_ORDER. It takes higher priority, so you must use it if you want to override the default rules for all endpoints. You can see how the values are set if you open the ManagementServerProperties class.
In SecurityProperties:

int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5;                // 42
int ACCESS_OVERRIDE_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 2;  // 40

In ManagementServerProperties:

int BASIC_AUTH_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 5;               // 37
int ACCESS_OVERRIDE_ORDER = ManagementServerProperties.BASIC_AUTH_ORDER - 1;  // 36

In the comments, 40 means 2147483640 (Ordered.LOWEST_PRECEDENCE is Integer.MAX_VALUE, 2147483647); I've omitted the first 8 digits for readability.