From 263665ad55cedf1c97e306db026bada0192450d3 Mon Sep 17 00:00:00 2001 From: Marcus Da Coregio Date: Thu, 2 Dec 2021 15:58:09 -0300 Subject: [PATCH] Prevent using both authorizeRequests and authorizeHttpRequests Closes gh-10573 --- .../annotation/web/builders/HttpSecurity.java | 7 +++ .../HttpSecurityConfigurationTests.java | 58 +++++++++++++++++++ 2 files changed, 65 insertions(+) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java index 0c0663cc96..7f04681042 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java @@ -2889,8 +2889,15 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder expressionConfigurer = getConfigurer( + ExpressionUrlAuthorizationConfigurer.class); + AuthorizeHttpRequestsConfigurer httpConfigurer = getConfigurer(AuthorizeHttpRequestsConfigurer.class); + boolean oneConfigurerPresent = expressionConfigurer == null ^ httpConfigurer == null; + Assert.state((expressionConfigurer == null && httpConfigurer == null) || oneConfigurerPresent, + "authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one."); this.filters.sort(OrderComparator.INSTANCE); List sortedFilters = new ArrayList<>(this.filters.size()); for (Filter filter : this.filters) { diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java index 2158b06cb8..d6d00d7f4c 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java 
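Review bot: The new guard in performBuild is harder to read than the rule it enforces: `(expressionConfigurer == null && httpConfigurer == null) || (expressionConfigurer == null ^ httpConfigurer == null)` is exactly "not both present", so the XOR and the `oneConfigurerPresent` local can be dropped in favour of `Assert.state(expressionConfigurer == null || httpConfigurer == null, "authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");`. A one-line why-comment above the two getConfigurer lookups would also help, along the lines of `// Reject mixing the two authorization DSLs; presumably each installs its own authorization filter, and two competing access checks in one chain is not a supported configuration` (the reason is not visible in this hunk, so confirm the wording against the configurers). Note that performBuild continues past the end of the hunk, and this rendering has stripped the generic type arguments from the two new declarations.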
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java
@@ -24,6 +24,7 @@ import com.google.common.net.HttpHeaders;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
+import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -47,6 +48,7 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
@@ -200,6 +202,24 @@ public class HttpSecurityConfigurationTests { this.mockMvc.perform(get("/login?logout")).andExpect(status().isOk()); } + @Test + public void configureWhenAuthorizeHttpRequestsBeforeAuthorizeRequestThenException() { + assertThatExceptionOfType(BeanCreationException.class) + .isThrownBy( + () -> this.spring.register(AuthorizeHttpRequestsBeforeAuthorizeRequestsConfig.class).autowire()) + .withMessageContaining( + "authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one."); + } + + @Test + public void configureWhenAuthorizeHttpRequestsAfterAuthorizeRequestThenException() { + assertThatExceptionOfType(BeanCreationException.class) + .isThrownBy( + () -> this.spring.register(AuthorizeHttpRequestsAfterAuthorizeRequestsConfig.class).autowire()) + .withMessageContaining( + "authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one."); + } + @RestController static class NameController { @@ -270,6 +290,44 @@ public class HttpSecurityConfigurationTests { } + @EnableWebSecurity + static class AuthorizeHttpRequestsBeforeAuthorizeRequestsConfig { + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + // @formatter:off + return http + .authorizeHttpRequests((requests) -> requests + .anyRequest().authenticated() + ) + .authorizeRequests((requests) -> requests + .anyRequest().authenticated() + ) + .build(); + // @formatter:on + } + + } + + @EnableWebSecurity + static class AuthorizeHttpRequestsAfterAuthorizeRequestsConfig { + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + // @formatter:off + return http + .authorizeRequests((requests) -> requests + .anyRequest().authenticated() + ) + .authorizeHttpRequests((requests) -> requests + .anyRequest().authenticated() + ) + .build(); + // @formatter:on + } + + } + @RestController static class BaseController {
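Review bot: Both new tests repeat the full message literal that HttpSecurity passes to Assert.state, so any rewording of that message breaks two tests at once; hoist it into one `private static final String AUTHORIZE_HTTP_REQUESTS_CONFLICT_MESSAGE = "authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.";` on the test class and reference it from both `withMessageContaining` calls. Matching only on message text also accepts any BeanCreationException whose nested message happens to contain that sentence; additionally asserting that the root cause is the IllegalStateException thrown by Assert.state would pin each failure to the new guard rather than to some other bean-creation problem. The method names use the singular `AuthorizeRequest` while the fixture classes in the following hunk use `AuthorizeRequests`; aligning them keeps the pair easy to find. The enclosing test class continues beyond both hunks.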