This repository has been archived by the owner on May 31, 2022. It is now read-only.

ResourceServerProperties DEFAULT filterOrder is not 0. #993

Closed
MysteryAngle opened this issue Feb 28, 2017 · 8 comments

Comments

@MysteryAngle

MysteryAngle commented Feb 28, 2017

Spring Boot 1.5.1
spring-cloud-dependencies:Camden.SR5

ResourceServerProperties is activated when I use both the authorization service and the resource service on the same server at the same time, but filterOrder default value is SecurityProperties.ACCESS_OVERRIDE_ORDER - 1, which will cause the AnyRequestMatcher of the custom WebSecurityConfigurerAdapter. OAuth2AuthenticationProcessingFilter will never be used.

@frankskywalker

@MysteryAngle
I ran into the same issue when upgrading to Spring Boot 1.5.1.
I'm currently trying to work around this issue.
If you have a working example, could you share some info here?

@jgrandja
Contributor

jgrandja commented Mar 6, 2017

@MysteryAngle @frankskywalker The default order for the Resource Server filter chain has been changed in Spring Boot 1.5.0. It's documented here.

To restore the previous order, take a look at this comment.

Essentially, add this configuration in your application.yml

security.oauth2.resource.filter-order=3

I'm going to close this issue as this should solve it for you.

jgrandja closed this as completed Mar 6, 2017

@frankskywalker

frankskywalker commented Mar 6, 2017

@jgrandja
It did solve my problem, thanks.
But still I don't understand the reason of the result.
My UserService is both an AuthenticationService and a ResourceService, and after I updated to 1.5.1, I found that the Oauth2AuthenticationProcessingFilter was missing in the Spring Security Filter Chain.
Would you kindly explain why the order of the filter will cause its absence in the filter chain?

I'm struggling to understand the overall structure and design of the Spring Oauth after I've gone through all the official docs. Should I read from the source code, or is there any other material I should look at first?

With 1.4.3 I have Oauth2AuthenticationProcessingFilter in the Filter Chain
With 1.5.1 the Oauth2AuthenticationProcessingFilter is missing.

@jgrandja
Contributor

jgrandja commented Mar 6, 2017

@frankskywalker Do you have a custom WebSecurityConfigurerAdapter configured in your app? If you do (which I'm thinking you do), then it may be the first one in the ordered FilterChainProxy.filterChains list. And likely, it has an AnyRequestMatcher which will match all the time and ignore any other SecurityFilterChain in that list, including the @EnableResourceServer SecurityFilterChain. So the OAuth2AuthenticationProcessingFilter is not actually missing but in fact the filter chain it's associated with is never getting applied/called because of the ordering.
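
The first-match selection described in the comment above, modelled in plain Java as an added example (not code from this thread or from Spring). The class name, the `/api/` and `/login` paths, the order value 100 for the custom adapter, the late-order constant and the resource chain's matchers are assumptions made for illustration.

```java
import java.util.Comparator;
import java.util.List;
import java.util.function.Predicate;

public class FilterChainOrderDemo {
    // Stand-in for a SecurityFilterChain: name, @Order value, request matcher (Java 16+ record).
    record Chain(String name, int order, Predicate<String> matcher) {}

    // Chains are consulted in ascending order; the first whose matcher accepts the
    // request handles it, and every later chain is skipped for that request.
    static String select(List<Chain> chains, String path) {
        return chains.stream()
                .sorted(Comparator.comparingInt(Chain::order))
                .filter(c -> c.matcher().test(path))
                .map(Chain::name)
                .findFirst()
                .orElse("no chain");
    }

    public static void main(String[] args) {
        Predicate<String> anyRequest = path -> true;
        Predicate<String> apiOnly = path -> path.startsWith("/api/");
        // Assumption: 100 is the order of a custom WebSecurityConfigurerAdapter without @Order.
        Chain web = new Chain("custom WebSecurityConfigurerAdapter", 100, anyRequest);
        // Constructed stand-in for SecurityProperties.ACCESS_OVERRIDE_ORDER - 1 (a very late order).
        int lateOrder = Integer.MAX_VALUE - 8;

        // Boot 1.5 default: resource chain sorts last, so the any-request chain takes everything.
        List<Chain> boot15 = List.of(web, new Chain("resource server", lateOrder, anyRequest));
        System.out.println("/api/users -> " + select(boot15, "/api/users"));

        // filter-order=3: the resource chain now sorts first and its OAuth2 filter runs...
        List<Chain> order3 = List.of(web, new Chain("resource server", 3, anyRequest));
        System.out.println("/api/users -> " + select(order3, "/api/users"));
        // ...but a resource chain modelled as matching every request also takes /login.
        System.out.println("/login     -> " + select(order3, "/login"));

        // Narrowing the resource chain's matcher leaves /login to the form-login chain.
        List<Chain> scoped = List.of(web, new Chain("resource server", 3, apiOnly));
        System.out.println("/login     -> " + select(scoped, "/login"));
    }
}
```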

@MysteryAngle
Author

It works for me, thanks.

@frankskywalker

@jgrandja Thanks for the explanation.

@atrifyllis

@frankskywalker Do you have form login enabled? Do you have a working example that I can take a look at? I am also trying to combine auth and resource server and when I change filter order as suggested I can't get to the login page.

@emailalosha

For the latest release of Spring Boot 2.5.1 and the corresponding Spring Security starter, which I am working on right now - the property security.oauth2.resource.filter-order=3 does not exist.

So you can use the annotation below on top of the resource server config class:

@Order(value = 3)
