Consider Order on SecurityFilterChain bean definitions

Closes gh-9154
2021-03-24 11:02:29 +02:00 · 2021-03-24 11:02:29 +02:00 · 0f3df3e714
parent f5fe64cd5b
commit 0f3df3e714
2 changed files with 56 additions and 2 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
@ -176,13 +176,11 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa

 	@Autowired(required = false)
 	void setFilterChains(List<SecurityFilterChain> securityFilterChains) {
-		securityFilterChains.sort(AnnotationAwareOrderComparator.INSTANCE);
 		this.securityFilterChains = securityFilterChains;
 	}

 	@Autowired(required = false)
 	void setWebSecurityCustomizers(List<WebSecurityCustomizer> webSecurityCustomizers) {
-		webSecurityCustomizers.sort(AnnotationAwareOrderComparator.INSTANCE);
 		this.webSecurityCustomizers = webSecurityCustomizers;
 	}

--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
@ -19,8 +19,12 @@ package org.springframework.security.config.annotation.web.configuration;
 import java.io.Serializable;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.util.ArrayList;
 import java.util.List;

+import javax.servlet.Filter;
+import javax.servlet.http.HttpServletRequest;
+
 import org.junit.Rule;
 import org.junit.Test;

@ -131,6 +135,19 @@ public class WebSecurityConfigurationTests {
 		assertThat(filterChains.get(3).matches(request)).isTrue();
 	}

+	@Test
+	public void loadConfigWhenSecurityFilterChainsHaveOrderOnBeanDefinitionsThenFilterChainsOrdered() {
+		this.spring.register(OrderOnBeanDefinitionsSecurityFilterChainConfig.class).autowire();
+		FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class);
+		List<SecurityFilterChain> filterChains = filterChainProxy.getFilterChains();
+		assertThat(filterChains).hasSize(2);
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
+		request.setServletPath("/role1/**");
+		assertThat(filterChains.get(0).matches(request)).isTrue();
+		request.setServletPath("/role2/**");
+		assertThat(filterChains.get(1).matches(request)).isTrue();
+	}
+
 	@Test
 	public void loadConfigWhenWebSecurityConfigurersHaveSameOrderThenThrowBeanCreationException() {
 		assertThatExceptionOfType(BeanCreationException.class)
@ -487,6 +504,45 @@ public class WebSecurityConfigurationTests {

 	}

+	@EnableWebSecurity
+	@Import(AuthenticationTestConfiguration.class)
+	static class OrderOnBeanDefinitionsSecurityFilterChainConfig {
+
+		@Bean
+		@Order(1)
+		SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
+			// @formatter:off
+			return http
+					.antMatcher("/role1/**")
+					.authorizeRequests((authorize) -> authorize
+							.anyRequest().hasRole("1")
+					)
+					.build();
+			// @formatter:on
+		}
+
+		@Bean
+		TestSecurityFilterChain securityFilterChain2(HttpSecurity http) throws Exception {
+			return new TestSecurityFilterChain();
+		}
+
+		@Order(2)
+		static class TestSecurityFilterChain implements SecurityFilterChain {
+
+			@Override
+			public boolean matches(HttpServletRequest request) {
+				return true;
+			}
+
+			@Override
+			public List<Filter> getFilters() {
+				return new ArrayList<>();
+			}
+
+		}
+
+	}
+
 	@EnableWebSecurity
 	@Import(AuthenticationTestConfiguration.class)
 	static class DuplicateOrderConfig {