Spring Security SecurityFilterChain order chain wrong under certain conditions

Describe the bug I'm not sure if it's a spring security or spring core bug. I've tried to do some debugging, but no idea how and where the beans get instantiated. I'm using spring boot 2.7.0 with it's defaults version dependencies.

To Reproduce Have 3 Files:

@EnableWebSecurity(debug = true)
public class SecurityConfig {
    @Autowired
    UserDetailsService userDetailsService;

    @Autowired
    DataSource dataSource;

    @Bean
    @Order(Ordered.LOWEST_PRECEDENCE)
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
}
}

@Configuration
public class SecurityAuthorizationServerConfig {

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http,
            CorsConfigurationSource corsConfig) throws Exception {
}}

@Configuration
public class SecurityResourceServerConfig {
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain resourceSecurityFilterChain(HttpSecurity http,
            CorsConfigurationSource corsConfig) throws Exception {
}
}

Like that the order is wrong. It is - authorizationServerSecurityFilterChain - defaultSecurityFilterChain - resourceSecurityFilterChain.

But when doing it like that: putting authorizationServerSecurityFilterChain and defaultSecurityFilterChain into the same class , forwhat ever reason, we get the right order: - authorizationServerSecurityFilterChain, - resourceSecurityFilterChain, - defaultSecurityFilterChain

@EnableWebSecurity(debug = true)
public class SecurityConfig {
    @Autowired
    UserDetailsService userDetailsService;

    @Autowired
    DataSource dataSource;

    @Bean
    @Order(Ordered.LOWEST_PRECEDENCE)
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
}
}

@Configuration
public class SecurityAuthorizationServerConfig {

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http,
            CorsConfigurationSource corsConfig) throws Exception {
    }

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain resourceSecurityFilterChain(HttpSecurity http,
            CorsConfigurationSource corsConfig) throws Exception {
    }
}

Expected behavior to always get the same order

Comment From: jzheaux

You can eliminate Spring Security by trying the same thing without a Spring Security component. Please try this before proceeding further with your bug report.

If you feel like this is a Spring Security bug, will you please share a minimal sample via GitHub? Otherwise, please post your question to StackOverflow as that is the preferred place for questions.

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.