If you're using Spring Boot having a version after 1.2.0.RC1,
you can do it easily by setting the order of your filter any value above 0
because the order of the Spring Security Filter in Spring Boot is 0 by default.
But if you're using Spring boot having a version before 1.2.0.RC1,
you should register your own Spring Security filter
because the order of Spring Security Filter is Ordered.LOWEST_PRECEDENCE.
To use Spring Boot's Spring Security,
DO NOT use the following annotations:
@EnableWebSecurity
@EnableWebMvcSecurity
If you use either one,
SpringBootWebSecurityConfiguration is disabled as follows:
SpringBootWebSecurityConfiguration
- @ConditionalOnClass classes found: org.springframework.security.config.annotation.web.configuration.EnableWebSecurity (OnClassCondition)
- found web application StandardServletEnvironment (OnWebApplicationCondition)
- @ConditionalOnMissingBean (types: org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration; SearchStrategy: all) found the following [org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration] (OnBeanCondition)
and WebSecurityConfiguration is activated.
So the order of Spring Security Filter will be Ordered.LOWEST_PRECEDENCE.
References:
https://github.com/spring-projects/spring-boot/issues/677
https://github.com/spring-projects/spring-boot/issues/1640
https://jira.spring.io/browse/SEC-2730
http://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#boot-features-security
No comments:
Post a Comment