From e7ee70384dfbf19d5839f9a45c7ad547fa10b0e4 Mon Sep 17 00:00:00 2001
From: Eleftheria Stein
Date: Wed, 24 Mar 2021 11:02:29 +0200
Subject: [PATCH] Consider Order on SecurityFilterChain bean definitions
Closes gh-9154
---
 .../WebSecurityConfiguration.java | 2 -
 .../WebSecurityConfigurationTests.java | 56 +++++++++++++++++++
 2 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
index e49c99e002..f9a4a2d8f4 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
@@ -176,13 +176,11 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
 @Autowired(required = false)
 void setFilterChains(List securityFilterChains) {
- securityFilterChains.sort(AnnotationAwareOrderComparator.INSTANCE);
 this.securityFilterChains = securityFilterChains;
 }
 @Autowired(required = false)
 void setWebSecurityCustomizers(List webSecurityCustomizers) {
- webSecurityCustomizers.sort(AnnotationAwareOrderComparator.INSTANCE);
 this.webSecurityCustomizers = webSecurityCustomizers;
 }
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
index 041d36b484..7f527fe7f6 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
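Review bot: With the explicit `sort(AnnotationAwareOrderComparator.INSTANCE)` calls removed, the order of `securityFilterChains` and `webSecurityCustomizers` depends entirely on how the container orders the injected lists, and nothing in `setFilterChains` or `setWebSecurityCustomizers` says so. Chain order decides which chain handles a request, so a later re-sort, or a context without an order-aware dependency comparator (an inference, not visible here), would silently change which rules apply. I would add a comment to both setters, for example `// Injected list is already ordered by the container, which also honors @Order on @Bean methods; do not re-sort here`. The patch adds a test only for the filter-chain case; the same removal in `setWebSecurityCustomizers` has no test for `@Order` on a `WebSecurityCustomizer` bean method.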
@@ -19,8 +19,12 @@ package org.springframework.security.config.annotation.web.configuration;
 import java.io.Serializable;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.util.ArrayList;
 import java.util.List;
+import javax.servlet.Filter;
+import javax.servlet.http.HttpServletRequest;
+
 import org.junit.Rule;
 import org.junit.Test;
@@ -131,6 +135,19 @@ public class WebSecurityConfigurationTests {
 assertThat(filterChains.get(3).matches(request)).isTrue();
 }
+ @Test
+ public void loadConfigWhenSecurityFilterChainsHaveOrderOnBeanDefinitionsThenFilterChainsOrdered() {
+ this.spring.register(OrderOnBeanDefinitionsSecurityFilterChainConfig.class).autowire();
+ FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class);
+ List filterChains = filterChainProxy.getFilterChains();
+ assertThat(filterChains).hasSize(2);
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
+ request.setServletPath("/role1/**");
+ assertThat(filterChains.get(0).matches(request)).isTrue();
+ request.setServletPath("/role2/**");
+ assertThat(filterChains.get(1).matches(request)).isTrue();
+ }
+
 @Test
 public void loadConfigWhenWebSecurityConfigurersHaveSameOrderThenThrowBeanCreationException() {
 assertThatExceptionOfType(BeanCreationException.class)
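Review bot: The second assertion in `loadConfigWhenSecurityFilterChainsHaveOrderOnBeanDefinitionsThenFilterChainsOrdered` passes for any path, because the chain expected at index 1 is `TestSecurityFilterChain`, whose `matches` always returns true (defined in the last hunk). A swapped order is only caught indirectly, when the `/role1/**` chain lands at index 1 and rejects `/role2/**`. Asserting identity states the intent and gives a clearer failure: `assertThat(filterChains.get(1)).isInstanceOf(OrderOnBeanDefinitionsSecurityFilterChainConfig.TestSecurityFilterChain.class);`. A negative check once the path is `/role2/**`, `assertThat(filterChains.get(0).matches(request)).isFalse();`, would pin that the specific chain comes first. The enclosing test class starts and ends outside the hunk.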
@@ -472,6 +489,45 @@ public class WebSecurityConfigurationTests {
 }
+ @EnableWebSecurity
+ @Import(AuthenticationTestConfiguration.class)
+ static class OrderOnBeanDefinitionsSecurityFilterChainConfig {
+
+ @Bean
+ @Order(1)
+ SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
+ // @formatter:off
+ return http
+ .antMatcher("/role1/**")
+ .authorizeRequests((authorize) -> authorize
+ .anyRequest().hasRole("1")
+ )
+ .build();
+ // @formatter:on
+ }
+
+ @Bean
+ TestSecurityFilterChain securityFilterChain2(HttpSecurity http) throws Exception {
+ return new TestSecurityFilterChain();
+ }
+
+ @Order(2)
+ static class TestSecurityFilterChain implements SecurityFilterChain {
+
+ @Override
+ public boolean matches(HttpServletRequest request) {
+ return true;
+ }
+
+ @Override
+ public List getFilters() {
+ return new ArrayList<>();
+ }
+
+ }
+
+ }
+
 @EnableWebSecurity
 @Import(AuthenticationTestConfiguration.class)
 static class DuplicateOrderConfig {
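Review bot: In `OrderOnBeanDefinitionsSecurityFilterChainConfig` the bean methods are declared in the same order the `@Order` values demand (`securityFilterChain1` with `@Order(1)` first, `securityFilterChain2` returning the `@Order(2)` class second), so an unsorted list in registration order would presumably satisfy the test as well. Declaring `securityFilterChain2` before `securityFilterChain1` would make the result depend on the order values alone. A short comment on the class, such as `// chain1 is ordered on the @Bean method, chain2 on its class; both sources must be honored`, would record why the two styles are mixed. `securityFilterChain2(HttpSecurity http) throws Exception` uses neither the parameter nor the throws clause and could be `TestSecurityFilterChain securityFilterChain2() {`.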