WebSecurityConfigurer @Order(100) is broken when Actuator is also present #103

Closed
dmfrey opened this issue Aug 28, 2020 · 2 comments

dmfrey commented Aug 28, 2020

Describe the bug
Implementing the Authorization Server and including the Actuator dependency throws an exception on startup because the order of the WebSecurityConfigurerAdapters is duplicated between OAuth2AuthorizationServerSecurity and ManagementWebSecurityConfigurerAdapter.

To Reproduce
Create a minimal Spring Cloud Authorization Server with the following dependencies:

	// Spring Boot dependencies
	implementation 'org.springframework.boot:spring-boot-starter-actuator'
	implementation 'org.springframework.boot:spring-boot-starter-web'

	// Spring Authorization Server dependencies (experimental)
	implementation 'org.springframework.security.experimental:spring-security-oauth2-authorization-server:0.0.1'

Expected behavior
Each WebSecurityConfigurerAdapter should provide an appropriate @Order so as to not conflict with one another.

Sample

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Injection of autowired dependencies failed; nested exception is java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. Order of 100 was already used on org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerSecurity@217bf99e, so it cannot be used on org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityConfigurerAdapter@6807a356 too.
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessProperties(AutowiredAnnotationBeanPostProcessor.java:405) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1420) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:593) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:516) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:324) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:226) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:322) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:897) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:879) ~[spring-context-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:551) ~[spring-context-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:143) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:758) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:750) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at io.pivotal.pivmartauthserver.AuthorizationServerApplication.main(AuthorizationServerApplication.java:10) ~[main/:na]
Caused by: java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. Order of 100 was already used on org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerSecurity@217bf99e, so it cannot be used on org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityConfigurerAdapter@6807a356 too.
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.setFilterChainProxySecurityConfigurer(WebSecurityConfiguration.java:147) ~[spring-security-config-5.3.4.RELEASE.jar:5.3.4.RELEASE]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:755) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:130) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessProperties(AutowiredAnnotationBeanPostProcessor.java:399) ~[spring-beans-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	... 18 common frames omitted

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.

@dmfrey dmfrey added the type: bug A general bug label Aug 28, 2020

dmfrey commented Aug 28, 2020

Workaround: Removing Actuator dependency for the time being temporarily eliminates the issue.

@jgrandja jgrandja added this to the 0.0.2 milestone Sep 2, 2020
@jgrandja jgrandja self-assigned this Sep 3, 2020

jgrandja commented Sep 3, 2020

Thanks for the report @dmfrey. The fix is now in master.
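
An added illustration of the uniqueness rule behind the exception above; it is not code from this thread and not the fix that went into master. `WebSecurityConfigurerAdapter` itself carries `@Order(100)`, so any adapter without its own annotation inherits that value. The class names, the order values 90 and 110, and the `ACTUATOR` role are assumptions, targeting the Spring Boot 2.3 / Spring Security 5.3 versions shown in the stack trace.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical application configuration: two adapters, each with an explicit,
// distinct @Order so that neither falls back to the inherited default of 100.
@Configuration(proxyBeanMethods = false)
public class SecurityChains {

    // Consulted first (lower value = higher precedence). The request matcher
    // limits this chain to Actuator endpoints only, so it cannot shadow the
    // chain that protects the rest of the application.
    @Configuration(proxyBeanMethods = false)
    @Order(90)
    static class ActuatorSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeRequests(authz -> authz.anyRequest().hasRole("ACTUATOR"))
                .httpBasic(Customizer.withDefaults());
        }
    }

    // Consulted second. It has no request matcher, so it handles every request
    // the Actuator chain did not claim.
    @Configuration(proxyBeanMethods = false)
    @Order(110)
    static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests(authz -> authz.anyRequest().authenticated())
                .formLogin(Customizer.withDefaults());
        }
    }
}
```

Order is security-relevant beyond avoiding the startup failure: the first chain whose matcher accepts a request handles it, so the narrowly matched chain needs the lower order value.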

mohammedBalhaddad pushed a commit to mohammedBalhaddad/spring-authorization-server that referenced this issue Oct 12, 2020
doba16 pushed a commit to doba16/spring-authorization-server that referenced this issue Apr 21, 2023