Related https://github.com/spring-projects/spring-security/issues/15220
```java
@Bean
@Order(0)
SecurityFilterChain app(HttpSecurity http) throws Exception {
    http
        .securityMatcher("/app/**")
        .authorizeHttpRequests(...)
        .formLogin(...);
    return http.build();
}

@Bean
@Order(1)
SecurityFilterChain api(HttpSecurity http) throws Exception {
    http
        .securityMatcher("/app/**")
        .authorizeHttpRequests(...)
        .httpBasic(...);
    return http.build();
}
```
Is it correct to allow filter chains with the same matcher to be created? As far as I understand, this is the same case.
Comment From: jzheaux
Interestingly, DefaultFilterChainValidator already contains this check. I think it could be valuable to change the way WebSecurity works to use this filter chain validator. I'm not sure why it was originally excluded, so it may not work; however, I think it's worth considering.
Comment From: franticticktick
FilterChainProxy does not validate itself after the bean is created, because the filterChainValidator is NullFilterChainValidator, not DefaultFilterChainValidator.
```java
private FilterChainValidator filterChainValidator = new NullFilterChainValidator();
```
It seems that DefaultFilterChainValidator is not used anywhere.
Comment From: jzheaux
It's used by the XML support. I'm not sure why it's not used by the Java support. I think it would be reasonable to try using it to close this ticket.
Comment From: franticticktick
DefaultFilterChainValidator is implemented in the config module, and FilterChainProxy is implemented in the web module; perhaps this is the reason. I can make a private copy of the DefaultFilterChainValidator in the web module, but ideally I would want to remove the duplication.
Comment From: jzheaux
I don't think that will be needed since where the validator is set is in a config class (WebSecurity, I believe). IOW, we should be able to do:
```java
filterChainProxy.setFilterChainValidator(new DefaultFilterChainValidator());
```
DefaultFilterChainValidator would likely need to be updated with the error message enhancements already added in WebSecurity; otherwise I imagine it may be a drop-in replacement.
Comment From: franticticktick
The main problem here is that the DefaultFilterChainValidator.checkForDuplicateMatchers method is not working. The chain.getRequestMatcher().equals(((DefaultSecurityFilterChain) test).getRequestMatcher()) test will never return true, because the equals operation is not defined. I see one way out, which is to override equals for all RequestMatchers.
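As an added illustration (not code from the thread or from Spring Security) of the duplicate-matcher problem discussed above: a startup check that fails fast when two SecurityFilterChain beans share a request matcher, since FilterChainProxy dispatches to the first matching chain and the later one (here the httpBasic chain) is silently unreachable. The bean name is hypothetical; the check compares matchers with equals() and, because the comment above notes equals is not defined for every RequestMatcher, falls back to a toString() comparison, which assumes the matcher's toString() includes its pattern.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
class FilterChainShadowingCheckConfig {

    // Hypothetical startup check, not part of Spring Security: walks the
    // SecurityFilterChain beans in their @Order and throws if a chain's matcher
    // was already claimed by an earlier chain, i.e. the later chain can never run.
    @Bean
    SmartInitializingSingleton filterChainShadowingCheck(ObjectProvider<SecurityFilterChain> chains) {
        return () -> {
            List<RequestMatcher> seen = new ArrayList<>();
            chains.orderedStream().forEach(chain -> {
                if (!(chain instanceof DefaultSecurityFilterChain defaultChain)) {
                    return; // custom chain implementations expose no matcher to compare
                }
                RequestMatcher matcher = defaultChain.getRequestMatcher();
                for (RequestMatcher earlier : seen) {
                    if (sameMatcher(earlier, matcher)) {
                        throw new IllegalStateException("Filter chain " + chain
                                + " is unreachable: an earlier chain already uses matcher " + matcher);
                    }
                }
                seen.add(matcher);
            });
        };
    }

    // equals() is the intended comparison, but not every RequestMatcher overrides it,
    // so toString() is used as a heuristic fallback (assumption: the built-in matchers
    // include their pattern in toString(), so two "/app/**" matchers compare equal).
    private static boolean sameMatcher(RequestMatcher a, RequestMatcher b) {
        return a.equals(b) || a.toString().equals(b.toString());
    }
}
```

With the two chains from the issue description registered, application startup fails with the IllegalStateException instead of quietly serving /app/** requests through the form-login chain only.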
Comment From: franticticktick
I made the necessary changes. @jzheaux, could you please review the PR?