SpringBoot 1.5.x + Security + OAuth2
The answer to your first and second questions is in the Spring Boot 1.5 Release Notes:
OAuth 2 Resource Filter
The default order of the OAuth2 resource filter has changed from 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1. This places it after the actuator endpoints but before the basic authentication filter chain. The default can be restored by setting security.oauth2.resource.filter-order = 3
The /login page is just a path that Spring redirects unauthorized users to. Since you are not using a custom login form and your OAuth2 filter was in the wrong position, it was probably using Basic Auth.
Ok, I got it now.
@Cleto Gadelha pointed me to very useful info.
However, I think the release note is pretty unclear or misses some information. Besides the fact that the OAuth2 resource filter order changed from 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1, the crucial information is that the default WebSecurityConfigurerAdapter order is 100 (source).
So, before release 1.5.x the OAuth2 resource server order was 3, which had higher priority than WebSecurityConfigurerAdapter.
After release 1.5.x the OAuth2 resource server order is set to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1 (it is Integer.MAX_VALUE - 8, I think), which now definitely has lower priority than the basic WebSecurityConfigurerAdapter order.
That's why the login page appears for me after migrating from 1.4.x to 1.5.x.
So, a more elegant and Java-like solution is to set @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) on the WebSecurityConfigurerAdapter class.
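An added example, not part of the answers above or of Spring's own code: a Spring Boot 1.5 configuration that applies the @Order fix described in the second answer. The class names (SecurityChains, ApiSecurity, WebSecurity) and the /api/** path scope are assumptions of this example.

```java
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Hypothetical holder class for the two filter chains.
public class SecurityChains {

    // OAuth2 resource server chain. In Spring Boot 1.5 its default order is
    // SecurityProperties.ACCESS_OVERRIDE_ORDER - 1, unless overridden with
    // security.oauth2.resource.filter-order.
    @Configuration
    @EnableResourceServer
    static class ApiSecurity extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Assumption of this example: only /api/** is token-protected,
            // so every other path falls through to the web chain below.
            http.requestMatchers().antMatchers("/api/**")
                .and()
                .authorizeRequests().anyRequest().authenticated();
        }
    }

    // Web chain. Without @Order it would sit at 100 and be consulted before
    // the resource server chain, so bearer-token requests would be handled
    // by this chain and sent to /login. ACCESS_OVERRIDE_ORDER places it
    // directly after the resource server chain.
    @Configuration
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    static class WebSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and()
                .formLogin();
        }
    }
}
```

Whichever ordering is chosen, it is worth confirming after the upgrade that a request to a protected API path without a token returns 401 rather than a redirect to /login, which shows the resource server chain is the one handling it.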