Spring Security Configuration @Order not unique exception
Solution 1
I have found the error... noone ever posts imports in snippets. We are using a multi module project setup, and IntelliJ didn't recognise the Spring annotations and used
org.apache.logging.log4j.core.config.Order
instead of
org.springframework.core.annotation.Order
Since Spring didn't parse the correct annotations, it was assuming the default value 100 for both configurations.
Solution 2
Maybe you have annotated another class with the @EnableWebSecurity annotation. Be aware that only one class can implement this annotation. Hope that will help!
Solution 3
It may be worth noting, the @Order annotation should be at the class level. This is a bit confusing since @Journeycorner configuration is a multiclass example. My example with imports :)
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import com.someco.entity.User;
import com.someco.service.SpringDataJpaUserDetailsService;
@Configuration("CustomSecurityConfig")
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(1000)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private SpringDataJpaUserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(this.userDetailsService)
.passwordEncoder(User.PASSWORD_ENCODER);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/built/**", "/main.css").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.defaultSuccessUrl("/", true)
.permitAll()
.and()
.httpBasic()
.and()
.csrf().disable()
.logout()
.logoutSuccessUrl("/");
}
}
Solution 4
Usually, this exception occurs when the same bean is resolved twice.
For example if a @Configuration
file imports an applicationContext.xml that resolve the same bean, when the application starts tries to register it (in your case MultiHttpSecurityConfig
) twice, and you get this error.
I resolved the error removing the bean definition from the XML.
Solution 5
Putting @Order(1000) on the second WebSecurityConfigurerAdapter worked for me
Journeycorner
Updated on February 26, 2021Comments
-
Journeycorner about 3 years
I've tried to register multiple filters in my Spring Security Configuration, however I always get the same exception:
04-Nov-2015 14:35:23.792 WARNING [RMI TCP Connection(3)-127.0.0.1] org.springframework.web.context.support.AnnotationConfigWebApplicationContext.refresh Exception encountered during context initialization - cancelling refresh attempt org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Injection of autowired dependencies failed; nested exception is java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. Order of 100 was already used, so it cannot be used on com.payment21.webapp.MultiHttpSecurityConfig$ApiWebSecurityConfigurationAdapter$$EnhancerBySpringCGLIB$$35c79fe4@1d381684 too.
Since my own attempts didn't work, I tried the exact same code as shown in the Spring Security reference:
@EnableWebSecurity public class MultiHttpSecurityConfig { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) { auth .inMemoryAuthentication() .withUser("user").password("password").roles("USER").and() .withUser("admin").password("password").roles("USER", "ADMIN"); } @Configuration @Order(1) public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http .antMatcher("/api/**") .authorizeRequests() .anyRequest().hasRole("ADMIN") .and() .httpBasic(); } } @Configuration public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated() .and() .formLogin(); } } }
To isolate the error I tried to replace the web.xml by a Java based approach, but it didn't work either. I have no idea what's wrong, is the doc wrong? Can something in my application mess with the configuation? System is starting up properly, unless I register a second WebSecurityConfigAdapter.
Those are my dependencies:
compile 'org.springframework:spring-webmvc:4.2.2.RELEASE' compile 'org.springframework:spring-messaging:4.2.2.RELEASE' compile 'org.springframework:spring-websocket:4.2.2.RELEASE' compile 'org.springframework:spring-aop:4.2.2.RELEASE' compile'javax.servlet:javax.servlet-api:3.0.1' compile 'org.springframework.security:spring-security-web:4.0.3.RELEASE' compile 'org.springframework.security:spring-security-config:4.0.3.RELEASE'
-
Journeycorner over 8 yearsChecked every java file for "@Order", nothing. Is it possible to have a "implicit" "@Order" like in an XML-file?
-
Imrank over 8 yearsIf you see the stacktrace it is clearly mentioning that "WebSecurityConfigurerAdapter" is having @order(100)
-
We are Borg over 8 yearsThat's some deep stuff.. :-)
-
Thomas Beauvais almost 8 yearsHow did you resolve this? I have the exact problem when compiling with IDEA. I have no @Order in my application, yet still it's getting very confused on the WebSecurityConfigurerAdapter!
-
eis about 6 years100 is the default, no need to mention it anywhere
-
William Miranda de Jesus almost 6 yearsI changed my order value to 1000, then in my class I added @Order(1000) and this worked for me
-
Stephane almost 6 yearsAre you copy pasting others answers ?
-
Stephane almost 6 yearsI had the security bean resolved twice. Once being loaded by a
@ComponentScan
annotation that included the directory containing the security bean. And another time by the@SpringBootApplication
annotation that is sitting in that same directory. After removing the directory include attribute, the issue was gone. -
Ullas Hunka over 4 yearsUse the
@Order(1000)
in the SecurityConfiguration class -
chirag soni about 4 yearswhich directory you are talking about?
-
Mattias Lindblom over 2 years@ThomasBeauvais, You probably solved it already but for future reference. Your issue are not caused by bad use of Ordet but the lack of it. When no order are specified Configuration defaults to Order(100). So if you have several classes extending WebSecurityConfigurerAdapter or like me and Journeycorner imports the wrong Order annotation class you get this error.
-
Nguyễn Đức Tâm over 2 yearsWhat if I would like to have another @EnabledWebSecurity for testing purposes?