@Order (SecurityProperties.ACCESS_OVERRIDE_ORDER) vs ManagementServerProperties.ACCESS_OVERRIDE_ORDER in Spring Security

Question 1: In Spring Security, what exactly does the following do?

@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)

The Spring documentation says the following, but I'm not sure I understand it clearly.

To override access rules without changing any other auto-configured features, add an @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).

As I understand it, the ordering of the various security features in Spring Security is as follows (lowest value, i.e. highest priority, to highest value, i.e. lowest priority):

  • Ordered.HIGHEST_PRECEDENCE = -2^31-1
  • WebSecurityConfigurerAdapter = 100 (based on the @Order(100) mentioned in the docs)
    • ACCESS_OVERRIDE_ORDER = BASIC_AUTH_ORDER - 2 = 2^31-7 for SecurityProperties
    • ACCESS_OVERRIDE_ORDER = BASIC_AUTH_ORDER - 1 for ManagementServerProperties
  • BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5 = 2^31-5
  • Ordered.LOWEST_PRECEDENCE = 2^31

Question 2: Based on the ordering of the various security features above, if I want to override the default rules for both the management endpoints and the rest of the application, should I use

  • SecurityProperties.ACCESS_OVERRIDE_ORDER, or
  • ManagementServerProperties.ACCESS_OVERRIDE_ORDER?

I am currently using SecurityProperties.ACCESS_OVERRIDE_ORDER, but based on the suggestion here, to get the actuator to work I need to use ManagementServerProperties.ACCESS_OVERRIDE_ORDER. Which should I use if I want both to work?

Thanks.

+5
1 answer

Q1. In Spring Security, what exactly does the @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) annotation do?

What it does is well explained in the documentation you quote.

To override access rules without changing any other auto-configured features, add an @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).

But then WebSecurityConfigurerAdapter, which has @Order(100), has a higher priority.

No.

You must be careful with the part about auto-configured features. With @EnableAutoConfiguration, which is part of @SpringBootApplication, many things are configured automatically, but 100 is not an auto-configured value; it is a hard-coded value in the WebSecurityConfigurerAdapter class.

You can find the order values used by the auto-configuration for Spring Security in the SecurityProperties class, and you can see that ACCESS_OVERRIDE_ORDER is the lowest value, which means it takes the highest priority.

Where are they auto-configured?

You can find @Order(SecurityProperties.BASIC_AUTH_ORDER) used in the SpringBootWebSecurityConfiguration class.

Then when is the @Order(100) annotation of WebSecurityConfigurerAdapter used?

For example, if you turn off the auto-configuration by adding @EnableWebSecurity, that value will be used. Since a value of 100 takes too high a priority, it would be better to put the @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) annotation on your custom class in this case.

Q2. Based on the ordering of the various security features above, if I want to override the default rules for the management endpoints and the rest of the application, what should I use?

Use ManagementServerProperties.ACCESS_OVERRIDE_ORDER.

A higher priority is required, so you should use it if you want to override the default rules for all endpoints. You can see how the values are set if you open the ManagementServerProperties class.

In SecurityProperties

    int ACCESS_OVERRIDE_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 2; // 39
    int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5;                // 41

In ManagementServerProperties

    int BASIC_AUTH_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 5;                  // 36
    int ACCESS_OVERRIDE_ORDER = ManagementServerProperties.BASIC_AUTH_ORDER - 1;     // 35

In the comments, 39 means 21474839; I skipped the first 6 digits for readability.

+4
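As an added example (written for this page; it is not code from the original post or from Spring Boot itself), here is the configuration the answer points at for both questions: a single adapter ordered with ManagementServerProperties.ACCESS_OVERRIDE_ORDER that owns the access rules for the actuator endpoints and the rest of the application, plus a start-up check that prints the security filter chains in the order Spring Security consults them. It assumes Spring Boot 1.5.x (the ManagementServerProperties order constants were removed in Boot 2.0), the default management.context-path so that actuator endpoints such as /health and /env are served at the application root, and the hypothetical package and class names used below; the ACTUATOR role and the endpoint paths are illustrative choices.

```java
// Added example, not from the original post. Assumes Spring Boot 1.5.x with the
// default management.context-path (actuator endpoints at the application root).
package com.example.demo; // hypothetical package name

import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;

/**
 * One adapter that owns the access rules for BOTH the actuator endpoints and the
 * rest of the application.
 *
 * Why ManagementServerProperties.ACCESS_OVERRIDE_ORDER rather than
 * SecurityProperties.ACCESS_OVERRIDE_ORDER: Spring Security walks the filter
 * chains in ascending @Order and uses the first one whose request matcher accepts
 * the request. Boot's auto-configured actuator chain sits at
 * ManagementServerProperties.BASIC_AUTH_ORDER, which is a lower value than
 * SecurityProperties.ACCESS_OVERRIDE_ORDER, so an adapter ordered with the latter
 * is never consulted for /health, /env, ... The management override order is the
 * lowest of the four constants and therefore wins for every request.
 *
 * Note: no @EnableWebSecurity here on purpose. Adding it would switch Boot's
 * security auto-configuration off entirely, and the ordering question goes away.
 */
@Configuration
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
public class AllEndpointsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No requestMatcher(): this chain claims every request, so the
            // auto-configured application and actuator chains are never reached.
            .authorizeRequests()
                // liveness probes stay unauthenticated
                .antMatchers("/health", "/info").permitAll()
                // sensitive actuator endpoints require an operator role
                .antMatchers("/env/**", "/metrics/**", "/trace/**", "/dump/**",
                             "/beans/**", "/configprops/**", "/mappings/**")
                    .hasRole("ACTUATOR")
                // everything else in the application needs a logged-in user
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

    /**
     * Start-up check: print the security filter chains in the order Spring Security
     * will consult them. The chain from this class should come first; if Boot's
     * actuator chain is listed before it, the @Order value is not low enough and
     * the actuator endpoints are still governed by the auto-configured rules.
     */
    @Bean
    public CommandLineRunner printFilterChainOrder(
            @Qualifier("springSecurityFilterChain") Filter springSecurityFilterChain) {
        return args -> {
            if (!(springSecurityFilterChain instanceof FilterChainProxy)) {
                return; // not the standard proxy; nothing to inspect
            }
            int position = 0;
            for (SecurityFilterChain chain
                    : ((FilterChainProxy) springSecurityFilterChain).getFilterChains()) {
                String matcher = chain instanceof DefaultSecurityFilterChain
                        ? String.valueOf(((DefaultSecurityFilterChain) chain).getRequestMatcher())
                        : chain.getClass().getSimpleName();
                System.out.println("filter chain #" + position++ + " matches " + matcher);
            }
        };
    }
}
```

To see the effect the answer describes, swap the annotation to @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) and restart: the start-up listing then shows Boot's actuator chain (matching the endpoint paths) ahead of this adapter's catch-all chain, which is exactly why the actuator endpoints ignored the custom rules in the original question.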

Source: https://habr.com/ru/post/1270619/
