@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) vs ManagementServerProperties.ACCESS_OVERRIDE_ORDER in Spring Security

HopeKing · Aug 6, 2017 · Viewed 17.3k times

Question 1: In Spring Security, what exactly is the function of

@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)

The Spring documentation states the below, but I am not sure I understand it clearly:

To override the access rules without changing any other autoconfigured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).

The ordering of various security features in Spring Security is as below, as per my understanding (lowest value, i.e. highest precedence, to highest value, i.e. lowest precedence):

  1. Ordered.HIGHEST_PRECEDENCE = -2^31-1
  2. WebSecurityConfigurerAdapter = 100 (Based on @Order(100) mentioned in Docs)
    1. Access_Override_Order = Basic_Auth_Order -2 for Security Properties
    2. Access_Override_Order = Basic_Auth_Order -1 for ManagementServerProperties Basic_Auth_Order-2 = 2^31-7
  3. Basic_Auth_Order = Ordered.Lowest_Precedence -5 = 2^31-5
  4. Ordered.LOWEST_PRECEDENCE = 2^31

Question 2: Based on the ordering of various security features above, if I want to override default rules for both Management Endpoints and the rest of the application, should I use

  • SecurityProperties.ACCESS_OVERRIDE_ORDER or
  • ManagementServerProperties.ACCESS_OVERRIDE_ORDER?

I am currently using SecurityProperties.ACCESS_OVERRIDE_ORDER, but based on the suggestion here, to get ACTUATOR working I need to enable ManagementServerProperties.ACCESS_OVERRIDE_ORDER. Which one should I override if I want both working?

Thanks.

Answer

Ajay Khetan · Mar 14, 2019

SecurityProperties no longer defines the ACCESS_OVERRIDE_ORDER constant for the @Order annotation. However, Spring Boot no longer defines any security details if the application does, so we do not need the @Order annotation on the security @Configuration class and it can be removed.