I'm using
- Spring Boot 3.2.5
- Spring Security 6.2.4
Describe the bug
While playing around with a custom DSL, I noticed that configuring the anonymous configurer from it does not work.
To Reproduce
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class Config {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Only the custom DSL is applied; everything else stays at the defaults
        return http
                .with(new MyCustomDsl(), withDefaults())
                .build();
    }
}

public class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {

    @Override
    public void init(HttpSecurity http) throws Exception {
        // Intended to replace the default "anonymousUser" principal
        http.anonymous(anonymous -> anonymous.principal("myAnonymousUser"));
    }
}
Expected behavior
I expected the anonymous principal to be myAnonymousUser, but the actual result was anonymousUser, which is the default name set by AnonymousConfigurer.
Sample
https://github.com/shihyuho/anonymous-configurer-issue
Additional Notes
Upon tracing the code, the reason appears to be:
In HttpSecurityConfiguration, .anonymous(withDefaults()) is already applied once when the HttpSecurity instance is created, and in the init method of AnonymousConfigurer the authenticationFilter is initialized.
As a result, although the principal can still be changed later with custom DSL, the filter is not recreated, which prevents the changes from taking effect.
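A regression test for the behaviour reported above, added here as an example and not part of the issue or the linked sample repository. It assumes the Config and MyCustomDsl classes above are on the classpath of a Spring Boot application, registers a constructed /whoami endpoint (a hypothetical functional RouterFunction, used only by this test) that echoes the name of the current Authentication, and asserts that an unauthenticated request sees the principal the custom DSL set. While the problem described in the issue is present the body is "anonymousUser" and the test fails; it passes when the anonymous principal is customized before build() is called.

```java
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.servlet.function.RequestPredicates;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;

// Example test (not from the issue): checks which principal an anonymous request really gets.
@SpringBootTest
@AutoConfigureMockMvc
class AnonymousPrincipalTests {

    // Hypothetical probe endpoint, registered only for this test.
    // It reads the Authentication that the security filter chain left in the SecurityContext.
    @TestConfiguration
    static class WhoAmIEndpoint {

        @Bean
        RouterFunction<ServerResponse> whoAmI() {
            return RouterFunctions.route(RequestPredicates.GET("/whoami"), request -> {
                Authentication auth = SecurityContextHolder.getContext().getAuthentication();
                return ServerResponse.ok().body(auth == null ? "<none>" : auth.getName());
            });
        }
    }

    @Autowired
    MockMvc mvc;

    @Test
    void anonymousPrincipalIsTheOneSetByTheCustomDsl() throws Exception {
        // No credentials: AnonymousAuthenticationFilter supplies the principal
        String body = mvc.perform(get("/whoami"))
                .andExpect(status().isOk())
                .andReturn()
                .getResponse()
                .getContentAsString();

        // With the issue present this reads "anonymousUser", the AnonymousConfigurer default
        assertThat(body).isEqualTo("myAnonymousUser");
    }
}
```

The probe is deliberately a functional endpoint declared in a nested @TestConfiguration rather than a scanned @RestController, so the test adds exactly one mapping and does not depend on component scanning of test sources. Because the filter chain in Config declares no authorization rules, the request reaches the endpoint anonymously, which is the state the issue is about.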
Comment From: kse-music
I think to modify the added Configurer, you need to modify it before building like so
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                // customize the existing AnonymousConfigurer before build() runs its init
                .anonymous(anonymous -> anonymous.principal("myAnonymousUser"))
                .with(new MyCustomDsl(), withDefaults())
                .build();
    }
Comment From: shihyuho
> I think to modify the added Configurer, you need to modify it before building like so
>
>     @Bean
>     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
>         return http
>                 .anonymous(anonymous -> anonymous.principal("myAnonymousUser"))
>                 .with(new MyCustomDsl(), withDefaults())
>                 .build();
>     }
Thank you for your suggestion @kse-music, but this is not what I am looking for. The document mentions that it is possible to add other configurers to a custom DSL:
Therefore, I'm planning to design some custom DSLs targeted at our common scenarios, providing a quick configuration to configure HttpSecurity for developers.
Comment From: kse-music
If the init method of the custom Configurer supports modifying the configuration of a Configurer that has already been added to HttpSecurity, can I understand that, because the custom Configurer is initialized last, it will cause an inconsistency in behavior between the init method and the configure method? For example, like so:
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                .with(new MyCustomDsl(), withDefaults())
                .build();
    }

    static class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {

        @Override
        public void init(HttpSecurity http) throws Exception {
            // Changes an already-added SessionManagementConfigurer from the custom DSL's init
            http.sessionManagement(c -> c.enableSessionUrlRewriting(true)
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        }
    }
When SessionManagementConfigurer initializes, the variables are enableSessionUrlRewriting = false and sessionPolicy = IF_REQUIRED in the init method, but enableSessionUrlRewriting = true and sessionPolicy = STATELESS in the configure method.
I think there are still some other Configurers like this.
@jzheaux I don't know whether I understand this correctly, right?