Rework security auto-configuration

[philwebb]

As discussed with @rwinch we would like to significantly simplify security configuration in 2.0.

[kakawait]

Any details about rework? Or links to discussion if publicly accessible.

[wilkinsona]

@kakawait Not yet, no. The work's scheduled for 2.0.0.M5 so it's a little way off yet.

[kakawait]

@wilkinsona Ok thank you for respond I will continue to track the issue.

Just to be sure I was not asking about definite implementations but Which part do you want to simplicy and globally how (if you know)? If you understand previous comment like that please do not repeat yourself 🔁 I will wait hihi

[wilkinsona]

Our main concern is with the various WebSecurityConfigurerAdapter classes that are auto-configured and use "magic" numbers to order themselves. This had proven to be a source of confusion and bugs. IIRC, the outcome of the discussion with @rwinch is that we should do less automatically, and instead provide helper methods and classes to allow users to easily piece Boot's opinionated view of Spring Security together.

[rwinch]

@wilkinsona is correct. Part of the problem now is that Boot sometimes works by using multiple WebSecurityConfigurerAdapters and cannot apply the logic to user provided WebSecurityConfigurerAdapters.

[kakawait]

Ok thank for clarification.

I completely understand since I was facing such issues and it takes many time to understand well how order and overriding works when using multiple WebConfigurerAdapters. I think, now, I'm mastering this subject but can be a good enhancement for futur users.