Summary

After upgrading from SS 4.0.3 to SS 4.2.9, the filter order has changed.

We use many prefabricated WebSecurityConfigurerAdapter classes, like

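import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public abstract class IgnoreSecurityConfiguration extends WebSecurityConfigurerAdapter {

    protected abstract String getPattern();

    // Requests matching the pattern bypass the security filters entirely.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(getPattern());
    }
}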

and

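import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public abstract class RestApiSecurityConfiguration extends WebSecurityConfigurerAdapter {

    protected abstract String getPattern();

    // Restricts this filter chain to requests matching the pattern.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ..... (elided in the report)
        http.antMatcher(getPattern());
    }
}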

In the application module there is a configuration like this:

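import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;

@Configuration
public class UsnSecurity {

    // Secured REST API chain, ordered before the ignore rule.
    @Configuration
    @Order(41)
    public static class UkolyApiSecurity extends RestApiSecurityConfiguration {
        @Override
        protected String getPattern() {
            return "/api/ukoly/**";
        }
    }

    // Ignore rule for the rest of /api, ordered after the secured chain.
    @Configuration
    @Order(43)
    public static class PublicApiSecurity extends IgnoreSecurityConfiguration {
        @Override
        protected String getPattern() {
            return "/api/**";
        }
    }
}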

Actual Behavior

In SS 4.0.3 this works perfectly: in the filter chain the RestApi entry is first and the Ignore filters entry comes after it. But in SS 4.2.9 the first entry in the filter chain is always "/api/**" with no filters, and "/api/ukoly/**" comes after it.

After debugging I found out that the entry from web.ignoring().antMatchers(getPattern()) is always before other filters, ignoring Order.
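
The two chain orders from the report, built by hand with Spring Security's `FilterChainProxy` to show why the order matters for `/api/ukoly/**` (an added example, not code from the reporter or the project). The class name `ChainOrderCheck`, the stand-in filter and the sample URL are assumptions, and the imports assume the 4.x line with `javax.servlet`.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical class; needs spring-security-web and the Servlet API on the classpath.
public class ChainOrderCheck {

    // FilterChainProxy applies the first chain whose matcher accepts the request.
    // null means no chain matched; an empty list means a chain matched but
    // runs no security filters at all.
    static boolean isFiltered(FilterChainProxy proxy, String url) {
        List<Filter> filters = proxy.getFilters(url);
        return filters != null && !filters.isEmpty();
    }

    public static void main(String[] args) {
        // Chain without filters, the kind of entry the report sees for the
        // web.ignoring().antMatchers("/api/**") rule.
        SecurityFilterChain ignored =
                new DefaultSecurityFilterChain(new AntPathRequestMatcher("/api/**"));

        // Stand-in for the REST API chain; one real filter is enough to
        // tell the two chains apart.
        SecurityFilterChain ukoly = new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/api/ukoly/**"),
                new SecurityContextPersistenceFilter());

        String url = "/api/ukoly/1"; // constructed sample URL

        // Order the report expects: specific secured chain first.
        FilterChainProxy specificFirst =
                new FilterChainProxy(Arrays.asList(ukoly, ignored));
        // Order the report observes in 4.2.9: ignored entry first.
        FilterChainProxy ignoredFirst =
                new FilterChainProxy(Arrays.asList(ignored, ukoly));

        System.out.println("specific first: filtered=" + isFiltered(specificFirst, url));
        System.out.println("ignored first:  filtered=" + isFiltered(ignoredFirst, url));
    }
}
```

The same `isFiltered` check can serve as a regression assertion around a Spring Security upgrade, so that a protected path resolving to an empty filter list fails the build.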

Comment From: rwinch

Thanks for the report @cesnek! If you'd like us to spend some time investigating, please take the time to provide a complete minimal sample (something that we can unzip or git clone, build, and deploy) that reproduces the problem.

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.