Summary

Updated Spring Security to version 5.2.2-RELEASE (starting point 5.1.5-RELEASE) and the build started failing with the same code.

After updating

Actual Behavior

Build breaks


Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: Can't configure antMatchers after anyRequest
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
        at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:651)
        ... 21 common frames omitted
Caused by: java.lang.IllegalStateException: Can't configure antMatchers after anyRequest

Expected Behavior

Working code: I had basic authentication configured for endpoints after an anyMatcher and it was not ignored. Here is an example of the code:

             http.cors().and().csrf().disable().authorizeRequests()
                    // Endpoints without Authentication
                    .antMatchers(HttpMethod.POST,ApiConfiguration.VERSION + "/xxx/yyy").permitAll()
                    .anyRequest().authenticated() // <-- line marked in the report
                    .and()
                    // Default filters
                    .addFilter(jwtAuthenticationFilter)
                    .addFilter(jwtAuthorizationFilter)
                    .headers()
                    .contentSecurityPolicy(DEFAULT_SRC_SELF)
                    .and()
                    .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(HSTS_MAX_AGE_IN_SECONDS)
                    .preload(true);

             // Basic Auth endpoints
             http.cors().and().csrf().disable().authorizeRequests()
                    // Swagger endpoints
                    .antMatchers(HttpMethod.GET, "/swagger-ui.html").authenticated()
                    .antMatchers(HttpMethod.GET, "/v2/api-docs").authenticated()
                    .antMatchers(HttpMethod.GET, "/configuration/ui").authenticated()
                    .antMatchers(HttpMethod.GET, "/configuration/security").authenticated()
                    .antMatchers(HttpMethod.GET, "/webjars/**").authenticated()
                    .and()
                    .httpBasic()
                    .and()
                    .headers()
                    .contentSecurityPolicy(DEFAULT_SRC_SELF)
                    .and()
                    .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(HSTS_MAX_AGE_IN_SECONDS)
                    .preload(true);

Build to pass


14:39:58.995 [main] INFO  o.a.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ["http-nio-8080"]
14:39:59.008 [main] INFO  o.s.b.w.e.tomcat.TomcatWebServer - Tomcat started on port(s): 8080 (http) with context path ''
14:39:59.010 [main] INFO  c.draughtmaster.core.CoreApplication - Started CoreApplication in 39.016 seconds (JVM running for 39.403)
<===========--> 87% EXECUTING [1m 11s]

Version

springBootVersion = '2.2.2.RELEASE'
org.springframework.security:spring-security-config:5.2.2.RELEASE
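
An added example, not code from this issue or from the Spring Security project: one way to keep HTTP Basic on the Swagger paths and a separate rule set for everything else under 5.2.x is to use two ordered filter chains, each ending in its own anyRequest(), so no matcher is registered after it. The class names and the API_VERSION constant are assumptions; the reporter's JWT filters, CORS/CSRF and header settings are left out.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig {

    // Assumed stand-in for the reporter's ApiConfiguration.VERSION constant.
    private static final String API_VERSION = "/v1";

    // Chain 1 (checked first): only the Swagger GET paths from the report, HTTP Basic.
    @Configuration
    @Order(1)
    public static class SwaggerBasicAuthConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers()   // limits which requests this chain handles
                    .antMatchers(HttpMethod.GET, "/swagger-ui.html", "/v2/api-docs",
                            "/configuration/ui", "/configuration/security", "/webjars/**")
                    .and()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }

    // Chain 2: every other request. Specific rules first, anyRequest() last.
    @Configuration
    @Order(2)
    public static class ApiConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    // Endpoint without authentication (path shape taken from the report)
                    .antMatchers(HttpMethod.POST, API_VERSION + "/xxx/yyy").permitAll()
                    .anyRequest().authenticated();
            // The JWT filters and header settings from the report would be added here.
        }
    }
}
```

Authorization rules are evaluated in declaration order and the first match wins, so a rule declared after anyRequest() could never take effect.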

Comment From: jzheaux

This issue appears to have been double-posted. Please see https://github.com/spring-projects/spring-security/issues/7970 for further information.

Comment From: sqring

I don't understand.