SpringBoot 1.5.x + Security + OAuth2

The answer to your first and second questions is in the Spring Boot 1.5 Release Notes:

OAuth 2 Resource Filter

The default order of the OAuth2 resource filter has changed from 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1. This places it after the actuator endpoints but before the basic authentication filter chain. The default can be restored by setting security.oauth2.resource.filter-order = 3

The /login page is just a path that Spring redirects unauthorized users to. Since you are not using a custom login form and your OAuth2 filter was in the wrong position, it was probably using Basic Auth.


Ok, I got it now.

@Cleto Gadelha pointed me to very useful info.

However, I think the release note is pretty unclear or misses some information. Besides the fact that the OAuth2 resource filter order changed from 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1, the crucial information is that the default WebSecurityConfigurerAdapter order is 100 (source).

So, before release 1.5.x, the OAuth2 resource server order was 3, which had higher priority than WebSecurityConfigurerAdapter.

After release 1.5.x, the OAuth2 resource server order is set to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1 (it is Integer.MAX_VALUE - 8 I think), which now definitely has lower priority than the basic WebSecurityConfigurerAdapter order.

That's why the login page appears for me after migrating from 1.4.x to 1.5.x.

So, a more elegant and Java-like solution is to set @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) on the WebSecurityConfigurerAdapter class.
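
An added example, not part of either answer and not Spring's own code: a simplified plain-Java model of the ordering both answers describe, in which security chains are tried in ascending order value and the first chain whose matcher accepts the request handles it. It assumes both chains match every path; the class name, chain labels and sample path are hypothetical.

```java
import java.util.*;
import java.util.function.Predicate;

// Simplified model (not Spring code): chains are sorted by order value and
// the first chain whose matcher accepts the path handles the request.
public class ChainOrderDemo {
    // Order constants as defined in Spring Boot 1.5's SecurityProperties.
    static final int BASIC_AUTH_ORDER = Integer.MAX_VALUE - 5;
    static final int ACCESS_OVERRIDE_ORDER = BASIC_AUTH_ORDER - 2;
    static final int ADAPTER_DEFAULT_ORDER = 100; // WebSecurityConfigurerAdapter default

    static final class Chain {
        final String name;
        final int order;
        final Predicate<String> matcher;
        Chain(String name, int order, Predicate<String> matcher) {
            this.name = name; this.order = order; this.matcher = matcher;
        }
    }

    // Returns the name of the chain that would handle the given path.
    static String handledBy(String path, Chain... chains) {
        List<Chain> sorted = new ArrayList<>(Arrays.asList(chains));
        sorted.sort(Comparator.comparingInt((Chain c) -> c.order));
        for (Chain c : sorted) {
            if (c.matcher.test(path)) return c.name;
        }
        return "none";
    }

    // Assumption: both chains match any request, so only the order decides.
    static Chain adapter(int order) {
        return new Chain("WebSecurityConfigurerAdapter (login page)", order, p -> true);
    }
    static Chain resource(int order) {
        return new Chain("OAuth2 resource server (bearer token)", order, p -> true);
    }

    public static void main(String[] args) {
        String path = "/api/orders"; // constructed sample path
        System.out.println("1.4.x default:           "
            + handledBy(path, adapter(ADAPTER_DEFAULT_ORDER), resource(3)));
        System.out.println("1.5.x default:           "
            + handledBy(path, adapter(ADAPTER_DEFAULT_ORDER), resource(ACCESS_OVERRIDE_ORDER - 1)));
        System.out.println("1.5.x, filter-order = 3: "
            + handledBy(path, adapter(ADAPTER_DEFAULT_ORDER), resource(3)));
        System.out.println("1.5.x, @Order on adapter: "
            + handledBy(path, adapter(ACCESS_OVERRIDE_ORDER), resource(ACCESS_OVERRIDE_ORDER - 1)));
    }
}
```

After an upgrade, checking which chain actually serves a protected path confirms that bearer-token requests are still authenticated by the resource server rather than silently falling through to the login or Basic Auth chain.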