Allow for WebSecurityConfigurerAdapter and SecurityFilterChain to co-exist

Open dreis2211 opened this issue 3 years ago • 1 comments

Expected Behavior

Both WebSecurityConfigurerAdapter and SecurityFilterChain can co-exist to ease migration from the former to the latter.

Current Behavior

Exception is thrown:

Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.

Context

Hi,

I've recently upgraded an application from Spring-Boot 2.5 to 2.7. The application consists of several (externally maintained) modules being pulled in. Each of those modules provides their own WebSecurityConfigurerAdapter to protect their provided endpoints next to one that is directly inside the application and protects the defined endpoints of the application. It would have been great to provide a path for the application to switch to SecurityFilterChain already while the modules can migrate to it over time at their own pace. For now I'm stuck with WebSecurityConfigurerAdapter because of that.

Also: Is it actually considered that multiple SecurityFilterChain/WebSecurityConfigurerAdapter classes might be defined originating from different modules/libraries?

Cheers, Christoph

dreis2211 avatar Aug 05 '22 17:08 dreis2211

Hi, @dreis2211, thanks for the explanation.

The concern with allowing both in the same application is that of ordering. Spring Security cannot reason about how to weave the list of WebSecurityConfigurerAdapter beans together with the list of SecurityFilterChain beans predictably. At best, we can say that all the WSCAs go first and all the SFCs go next. Such behavior may be confusing when it comes to using externally-maintained components that are built around an expectation of where their filters are registered relative to others in the same application.

I'll consult with the team on this one and get back to you. Perhaps at a minimum, there is a flag that can be added that allows applications to assume the inherent risks.

In the meantime, I would agree that your process is correct -- you cannot publish SecurityFilterChains until all WebSecurityConfigurerAdapters have been migrated. This is why WebSecurityConfigurerAdapter will remain in the codebase for some time yet.

jzheaux avatar Aug 16 '22 22:08 jzheaux
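
The ordering concern in the comment above, shown as an added example that is not code from this issue or from the Spring Security project: a module's adapter and the equivalent SecurityFilterChain bean, each with an explicit @Order so its position relative to the application's catch-all chain stays the same after migration. It assumes Spring Security 5.7; the class names, paths, role and order values are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.SecurityFilterChain;

// BEFORE (hypothetical module code): adapter style.
// Chains are consulted in @Order sequence and the first one whose matcher
// accepts the request handles it, so this must sort ahead of any catch-all.
// Do not load this class together with the "after" configuration below:
// mixing the two styles raises the exception quoted in this issue.
@Configuration
@Order(1)
class ModuleSecurityAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/module/**") // this chain only sees /module/** requests
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("MODULE_USER"))
            .httpBasic(Customizer.withDefaults());
    }
}

// AFTER (hypothetical): the same rules published as SecurityFilterChain beans.
@Configuration
class MigratedSecurityConfig {

    // Same matcher, same rules, same order value as the adapter it replaces.
    @Bean
    @Order(1)
    SecurityFilterChain moduleChain(HttpSecurity http) throws Exception {
        http.antMatcher("/module/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("MODULE_USER"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Application catch-all: no matcher, so it must come last. If it sorted
    // first it would handle /module/** too and the module rules would never run.
    @Bean
    @Order(2)
    SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```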

The team decided to remove WebSecurityConfigurerAdapter in 6.0, so this ticket is now no longer relevant.

jzheaux avatar Jan 09 '23 16:01 jzheaux