Summary

I am using Spring Boot Security and I have a setup with multiple filter chains. I have prioritized these filter chains using the @Order annotation. The last filter chain matches all requests. The second filter chain has a request matcher for /oauth/authorize. When I send a request for this path, the second filter chain is bypassed and the third filter chain gets executed.

Actual Behavior

I am using Spring Boot Security and I am configuring two filter chains by creating two classes extending WebSecurityConfigurerAdapter. There is another filter chain created by Spring Boot because of activating the OAuth authorization server. This default filter chain has the highest priority and matches 3 endpoints (/oauth/token, /oauth/token_key, /oauth/token_check). One of the filter chains I created only matches GET requests on /oauth/authorize and /mclogin (custom login page for this filter chain). The other filter chain I created matches any request and has the lowest precedence.

When I send a GET request to /oauth/authorize, the third filter chain gets executed and I am redirected to /login instead of /mclogin. After I log in at /login I am redirected to /mclogin.

Expected Behavior

The expected behavior would be that the request is handled by the second filter chain and I am redirected to /mclogin.

But if I change the last filter chain so that it does not overlap with the second filter chain, there is no problem. I am redirected to /mclogin as expected.

Configuration

Version

I'm using: Java 1.8, Spring Boot 2.2.0.RELEASE, spring-security-oauth2, spring-security-oauth2-autoconfigure

Sample

This is the code for the second filter chain:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Order(1)
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MobileConnectSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            // Chain-level matcher: this chain is selected only for
            // GET /oauth/authorize and for /mclogout.
            .requestMatchers()
                .antMatchers(HttpMethod.GET, "/oauth/authorize")
                .antMatchers("/mclogout")
            .and()
            // Authorization rules applied to requests that reached this chain.
            .authorizeRequests()
                .antMatchers("/mclogin**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/mclogin")
            .and()
            .logout()
                .logoutUrl("/mclogout")
                .clearAuthentication(true)
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID", "remember-me")
                .logoutSuccessUrl("/mclogin");
    }
}

This is the code for the third filter chain:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(2)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // No requestMatchers() call, so this chain matches any request
        // not claimed by a higher-priority chain.
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/", "/login**", "/webjars/**", "/css/**", "/js/**", "/auth123",
                        /* "/home", */ "/waiting/**").permitAll()
                .anyRequest().authenticated()
            .and()
            // Default form login, whose login page is /login.
            .formLogin();
    }
}

These are the filter chains at runtime (debugger view):

filterChains ArrayList (id=201)
  [0] DefaultSecurityFilterChain (id=231)
    filters ArrayList (id=237)
    requestMatcher OrRequestMatcher (id=238)
      logger LogAdapter$Slf4jLocationAwareLog (id=244)
      requestMatchers ArrayList (id=245)
        [0] AntPathRequestMatcher (id=249)
          caseSensitive true
          httpMethod null
          matcher AntPathRequestMatcher$SpringAntMatcher (id=256)
            pattern "/oauth/token" (id=259)
          urlPathHelper null
        [1] AntPathRequestMatcher (id=250)
          caseSensitive true
          httpMethod null
          matcher AntPathRequestMatcher$SpringAntMatcher (id=264)
            pattern "/oauth/token_key" (id=265)
          urlPathHelper null
        [2] AntPathRequestMatcher (id=251)
          caseSensitive true
          httpMethod null
          matcher AntPathRequestMatcher$SpringAntMatcher (id=273)
            pattern "/oauth/check_token" (id=274)
          urlPathHelper null

  [1] DefaultSecurityFilterChain (id=232)
    filters ArrayList (id=275)
    requestMatcher OrRequestMatcher (id=276)
      logger LogAdapter$Slf4jLocationAwareLog (id=278)
      requestMatchers ArrayList (id=279)
        [0] AntPathRequestMatcher (id=283)
          caseSensitive true
          httpMethod HttpMethod (id=287)
          matcher AntPathRequestMatcher$SpringAntMatcher (id=290)
            pattern "/oauth/authorize" (id=291)
          urlPathHelper null
        [1] AntPathRequestMatcher (id=284)
          caseSensitive true
          httpMethod null
          matcher AntPathRequestMatcher$SpringAntMatcher (id=293)
            pattern "/mclogout" (id=296)
          urlPathHelper null

  [2] DefaultSecurityFilterChain (id=233)
    filters ArrayList (id=299)
    requestMatcher AnyRequestMatcher (id=300)

Comment From: rwinch

Thanks for the report. This will redirect to /mclogin but when /mclogin is requested it will go to the last SecurityFilterChain which requires authentication for /mclogin. That means it will then be redirected to /login afterwards.

You likely want to add /mclogin to the URLs that are handled by MobileConnectSecurityConfig.

If you have additional issues, please post questions to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.
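Applying the suggestion above, an added example (not code from the issue or from Spring Security) of MobileConnectSecurityConfig with /mclogin included in the chain's request matchers, so that the login page and the form POST to it are served by this chain instead of falling through to the catch-all chain; the csrf().disable() setting is carried over from the original configuration:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Order(1)
@Configuration
@EnableWebSecurity
public class MobileConnectSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()   // kept from the original configuration
            // Every URL this chain owns must be listed here, including its
            // own login page: a URL that is missing is handed to the
            // @Order(2) catch-all chain, whose formLogin() redirects to /login.
            .requestMatchers()
                .antMatchers(HttpMethod.GET, "/oauth/authorize")
                .antMatchers("/mclogin", "/mclogout")
            .and()
            .authorizeRequests()
                // GET renders the login page, POST is the form submission
                // (the default login-processing URL equals loginPage()).
                .antMatchers("/mclogin").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/mclogin")
            .and()
            .logout()
                .logoutUrl("/mclogout")
                .logoutSuccessUrl("/mclogin");
    }
}
```

With @EnableWebSecurity(debug = true) Spring Security logs which filter chain handled each request, which confirms that GET /mclogin now runs through this chain rather than the catch-all one.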