When using HttpSecurity#authorizeHttpRequests together with FormLoginConfigurer#permitAll, PermitAllSupport throws the error:
permitAll only works with HttpSecurity.authorizeRequests()
PermitAllSupport should allow for either an ExpressionUrlAuthorizationConfigurer or an AuthorizeHttpRequestsConfigurer.
Having both of these configured will make PermitAllSupport's role ambiguous, and so it should error if neither or both of those configurers are present.
Comment From: igorpele
Hi, I would like to try this. As far as I understood, I should additionally try to get an AuthorizeHttpRequestsConfigurer:
AuthorizeHttpRequestsConfigurer<?> httpConfigurer = http.getConfigurer(AuthorizeHttpRequestsConfigurer.class);
and make sure that either an ExpressionUrlAuthorizationConfigurer or an AuthorizeHttpRequestsConfigurer is defined, and otherwise throw "permitAll only works with HttpSecurity.authorizeRequests() or HttpSecurity.authorizeHttpRequests()"
Additionally, if an AuthorizeHttpRequestsConfigurer is defined, all the URLs should be registered:
if (httpConfigurer != null) {
    httpConfigurer.getRegistry().chainRequestMatchers(Arrays.asList(requestMatchers)).permitAll();
}
The only problem with this approach is that the mappings in the AuthorizationManagerRequestMatcherRegistry are stored in a LinkedHashMap, and if you add anyRequest (as in PermitAllTests) to it before the permitAll requests, this entry always matches first. One possibility would be introducing a method addMatcherAt and reordering the map accordingly. Any hints on this would be highly appreciated.
Thx.
Comment From: jzheaux
Hi, @igorpele! It's yours.
Yes, I think adding a package-private addMappingAt would be beneficial. It may mean reworking some of the internals of AuthorizationManagerRequestMatcherRegistry.
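The ordering problem discussed in this thread, as an added example that is not part of the original issue and is not Spring Security code: a simplified first-match-wins registry showing why a permitAll rule appended after a catch-all never takes effect, and how inserting it at an index fixes that. The classes `Registry`, `Mapping` and `Decision` are hypothetical stand-ins, a list replaces the LinkedHashMap mentioned above, and `addMappingAt` only borrows its name from the comment.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

// Simplified stand-in for a first-match-wins authorization registry.
// All names are hypothetical; this is not Spring Security's implementation.
public class FirstMatchRegistryDemo {

    enum Decision { PERMIT, REQUIRE_AUTH, NO_MATCH }

    record Mapping(String label, Predicate<String> matcher, Decision decision) {}

    static class Registry {
        private final List<Mapping> mappings = new ArrayList<>();

        void addMapping(Mapping m) { mappings.add(m); }

        // Insert ahead of existing rules, e.g. a catch-all registered earlier.
        void addMappingAt(int index, Mapping m) { mappings.add(index, m); }

        // Rules are evaluated in order; the first matching rule decides.
        Decision check(String path) {
            for (Mapping m : mappings) {
                if (m.matcher().test(path)) {
                    return m.decision();
                }
            }
            return Decision.NO_MATCH;
        }
    }

    public static void main(String[] args) {
        Mapping anyRequest = new Mapping("anyRequest", p -> true, Decision.REQUIRE_AUTH);
        Mapping loginPage = new Mapping("/login", "/login"::equals, Decision.PERMIT);

        // Appended after the catch-all: the login rule is never reached.
        Registry appended = new Registry();
        appended.addMapping(anyRequest);
        appended.addMapping(loginPage);
        System.out.println("appended: /login -> " + appended.check("/login"));

        // Inserted at index 0: the login rule wins; other paths still need auth.
        Registry inserted = new Registry();
        inserted.addMapping(anyRequest);
        inserted.addMappingAt(0, loginPage);
        System.out.println("inserted: /login -> " + inserted.check("/login"));
        System.out.println("inserted: /admin -> " + inserted.check("/admin"));
    }
}
```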