There seems to be something fishy going on in WebSecurityConfigurerAdapter. The symptom is that users see JSP and thymeleaf authz tags evaluating using the wrong access rules - they get handed a FilterSecurityInterceptor from only one (the last ordered) WebSecurityConfigurer. If there are multiple WebSecurityConfigurers then each of them tries to set the "postBuildAction" in the global WebSecurity instance, and it is in that action that the WebSecurity acquires its single FilterSecurityInterceptor (whereas it seems it should be accumulating rules from each of the filter chains in order).
See spring-projects/spring-boot#9696 for a sample.
There seems to be something fishy going on in
WebSecurityConfigurerAdapter. The symptom is that users see JSP and thymeleaf authz tags evaluating using the wrong access rules - they get handed aFilterSecurityInterceptorfrom only one (the last ordered)WebSecurityConfigurer. If there are multipleWebSecurityConfigurersthen each of them tries to set the "postBuildAction" in the globalWebSecurityinstance, and it is in that action that theWebSecurityacquires its singleFilterSecurityInterceptor(whereas it seems it should be accumulating rules from each of the filter chains in order).See spring-projects/spring-boot#9696 for a sample.