Spring Security Configuration @Order not unique exception

48,793

Solution 1

I have found the error... no one ever posts imports in snippets. We are using a multi-module project setup, and IntelliJ didn't recognise the Spring annotations and used

org.apache.logging.log4j.core.config.Order

instead of

org.springframework.core.annotation.Order

Since Spring didn't parse the correct annotations, it was assuming the default value 100 for both configurations.
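The mechanism described in Solution 1, as an added example that is not part of the original answer and is not Spring's own code. It is a JDK-only model: SpringOrder and Log4jOrder stand in for the two annotation types named above, Adapter stands in for WebSecurityConfigurerAdapter carrying the default of 100, and all class and method names are hypothetical.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class OrderImportDemo {
    // Two unrelated annotation types that would both appear as "@Order" in source.
    @Retention(RetentionPolicy.RUNTIME) @interface SpringOrder { int value(); } // models org.springframework.core.annotation.Order
    @Retention(RetentionPolicy.RUNTIME) @interface Log4jOrder { int value(); }  // models org.apache.logging.log4j.core.config.Order

    @SpringOrder(100) static abstract class Adapter {}            // models the adapter's default order (assumption of this model)
    @Log4jOrder(1) static class ApiConfig extends Adapter {}      // wrong import: the 1 is never seen by the lookup
    static class FormLoginConfig extends Adapter {}               // no annotation: falls back to 100
    @SpringOrder(1) static class FixedApiConfig extends Adapter {} // correct import

    // The lookup only recognises one annotation type and walks up the hierarchy,
    // so an annotation of any other type is silently ignored.
    static int effectiveOrder(Class<?> type) {
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            SpringOrder o = c.getDeclaredAnnotation(SpringOrder.class);
            if (o != null) {
                return o.value();
            }
        }
        return Integer.MAX_VALUE; // nothing found anywhere: lowest precedence
    }

    // Simplified uniqueness check: returns the first order value claimed twice, or null.
    static Integer firstDuplicateOrder(List<Class<?>> configs) {
        Set<Integer> seen = new HashSet<>();
        for (Class<?> c : configs) {
            int order = effectiveOrder(c);
            if (!seen.add(order)) {
                return order;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        List<Class<?>> broken = Arrays.<Class<?>>asList(ApiConfig.class, FormLoginConfig.class);
        List<Class<?>> fixed = Arrays.<Class<?>>asList(FixedApiConfig.class, FormLoginConfig.class);
        System.out.println("ApiConfig effective order: " + effectiveOrder(ApiConfig.class));
        System.out.println("duplicate with wrong import: " + firstDuplicateOrder(broken));
        System.out.println("duplicate with correct import: " + firstDuplicateOrder(fixed));
    }
}
```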

Solution 2

Maybe you have annotated another class with the @EnableWebSecurity annotation. Be aware that only one class can implement this annotation. Hope that will help!

Solution 3

It may be worth noting, the @Order annotation should be at the class level. This is a bit confusing since @Journeycorner configuration is a multiclass example. My example with imports :)

import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import com.someco.entity.User;
import com.someco.service.SpringDataJpaUserDetailsService;

@Configuration("CustomSecurityConfig")
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(1000) // class-level, and resolved from the Spring import above
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private SpringDataJpaUserDetailsService userDetailsService;

    // Authenticate against the JPA-backed user details service.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(this.userDetailsService)
                .passwordEncoder(User.PASSWORD_ENCODER);
    }

    // Static assets are public; every other request requires authentication.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/built/**", "/main.css").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .defaultSuccessUrl("/", true)
                .permitAll()
                .and()
            .httpBasic()
                .and()
            // CSRF protection is switched off in this configuration.
            .csrf().disable()
            .logout()
                .logoutSuccessUrl("/");
    }

}

Solution 4

Usually, this exception occurs when the same bean is resolved twice. For example, if a @Configuration file imports an applicationContext.xml that resolves the same bean, the application tries to register it (in your case MultiHttpSecurityConfig) twice when it starts, and you get this error.

I resolved the error by removing the bean definition from the XML.

Solution 5

Putting @Order(1000) on the second WebSecurityConfigurerAdapter worked for me.

Author by

Journeycorner

Updated on February 26, 2021

Comments

  • Journeycorner
    Journeycorner about 3 years

    I've tried to register multiple filters in my Spring Security Configuration, however I always get the same exception:

    04-Nov-2015 14:35:23.792 WARNING [RMI TCP Connection(3)-127.0.0.1] org.springframework.web.context.support.AnnotationConfigWebApplicationContext.refresh Exception encountered during context initialization - cancelling refresh attempt org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Injection of autowired dependencies failed; nested exception is java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. Order of 100 was already used, so it cannot be used on com.payment21.webapp.MultiHttpSecurityConfig$ApiWebSecurityConfigurationAdapter$$EnhancerBySpringCGLIB$$35c79fe4@1d381684 too.

    Since my own attempts didn't work, I tried the exact same code as shown in the Spring Security reference:

    @EnableWebSecurity
    public class MultiHttpSecurityConfig {
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) { 
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER").and()
                    .withUser("admin").password("password").roles("USER", "ADMIN");
        }
    
        @Configuration
        @Order(1)                                                        
        public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/api/**")                               
                    .authorizeRequests()
                        .anyRequest().hasRole("ADMIN")
                        .and()
                    .httpBasic();
            }
        }
    
        @Configuration                                                   
        public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .anyRequest().authenticated()
                        .and()
                    .formLogin();
            }
        }
    }
    

    To isolate the error I tried to replace the web.xml by a Java based approach, but it didn't work either. I have no idea what's wrong, is the doc wrong? Can something in my application mess with the configuration? System is starting up properly, unless I register a second WebSecurityConfigAdapter.

    Those are my dependencies:

    compile 'org.springframework:spring-webmvc:4.2.2.RELEASE'
    compile 'org.springframework:spring-messaging:4.2.2.RELEASE'
    compile 'org.springframework:spring-websocket:4.2.2.RELEASE'
    compile 'org.springframework:spring-aop:4.2.2.RELEASE'
    compile 'javax.servlet:javax.servlet-api:3.0.1'
    compile 'org.springframework.security:spring-security-web:4.0.3.RELEASE'
    compile 'org.springframework.security:spring-security-config:4.0.3.RELEASE'
    
  • Journeycorner
    Journeycorner over 8 years
    Checked every java file for "@Order", nothing. Is it possible to have an "implicit" "@Order" like in an XML-file?
  • Imrank
    Imrank over 8 years
    If you look at the stack trace, it clearly mentions that "WebSecurityConfigurerAdapter" has @Order(100)
  • We are Borg
    We are Borg over 8 years
    That's some deep stuff.. :-)
  • Thomas Beauvais
    Thomas Beauvais almost 8 years
    How did you resolve this? I have the exact problem when compiling with IDEA. I have no @Order in my application, yet still it's getting very confused on the WebSecurityConfigurerAdapter!
  • eis
    eis about 6 years
    100 is the default, no need to mention it anywhere
  • William Miranda de Jesus
    William Miranda de Jesus almost 6 years
    I changed my order value to 1000, then in my class I added @Order(1000) and this worked for me
  • Stephane
    Stephane almost 6 years
    Are you copy-pasting others' answers?
  • Stephane
    Stephane almost 6 years
    I had the security bean resolved twice. Once being loaded by a @ComponentScan annotation that included the directory containing the security bean. And another time by the @SpringBootApplication annotation that is sitting in that same directory. After removing the directory include attribute, the issue was gone.
  • Ullas Hunka
    Ullas Hunka over 4 years
    Use the @Order(1000) in the SecurityConfiguration class
  • chirag soni
    chirag soni about 4 years
    Which directory are you talking about?
  • Mattias Lindblom
    Mattias Lindblom over 2 years
    @ThomasBeauvais, you probably solved it already, but for future reference: your issue is not caused by bad use of Order but by the lack of it. When no order is specified, the configuration defaults to Order(100). So if you have several classes extending WebSecurityConfigurerAdapter or, like me and Journeycorner, import the wrong Order annotation class, you get this error.
  • Nguyễn Đức Tâm
    Nguyễn Đức Tâm over 2 years
    What if I would like to have another @EnabledWebSecurity for testing purposes?