user16093823

Reputation: 1

Spring Security 5.1.5 RELEASE to Spring Security 5.4.6 breaks security configuration

Summary: Updated Spring Boot project from 2.1.5 RELEASE to version 2.4.5. It automatically updated all Spring Security dependencies from Spring Security 5.1.5 RELEASE to Spring Security 5.4.6, which breaks the security configuration.

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: Can't configure anyRequest after itself
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.3.6.jar:5.3.6]
    at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-5.3.6.jar:5.3.6]
    ... 28 more
Caused by: java.lang.IllegalStateException: Can't configure anyRequest after itself
    at org.springframework.util.Assert.state(Assert.java:76) ~[spring-core-5.3.6.jar:5.3.6]
    at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.anyRequest(AbstractRequestMatcherRegistry.java:72) ~[spring-security-config-5.4.6.jar:5.4.6]
    at com.verizon.wfm.nt.config.SecurityConfig.configure(SecurityConfig.java:14) ~[default/:?]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.getHttp(WebSecurityConfigurerAdapter.java:217) ~[spring-security-config-5.4.6.jar:5.4.6]

Security configuration (working code):

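import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        super.configure(httpSecurity);
        // Permit every request without authentication
        httpSecurity.authorizeRequests().anyRequest().permitAll();
        // Turn off CSRF protection
        httpSecurity.csrf().disable();
        // Stop sending the X-Frame-Options response header
        httpSecurity.headers().frameOptions().disable();
    }
}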

Upvotes: 0

Views: 908

Answers (1)

Marcus Hert da Coregio

Reputation: 6308

When calling super.configure(httpSecurity) it does the following:

http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.formLogin();
http.httpBasic();

After that, you are configuring the requests using the anyRequest again. It is not allowed in recent versions of Spring Security.

What I suggest you do is not calling the super.configure(httpSecurity) and instead disabling the defaults and configuring them, like so:

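import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // No super.configure(httpSecurity) call: the defaults are switched off explicitly
        httpSecurity.formLogin().disable();
        httpSecurity.httpBasic().disable();
        // The only anyRequest() registration in this configuration
        httpSecurity.authorizeRequests((requests) ->
            requests.anyRequest().permitAll()
        );
        httpSecurity.csrf().disable();
        httpSecurity.headers().frameOptions().disable();
    }
}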

Upvotes: 0
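
Why a second anyRequest() is rejected, as an added example (not part of the original answer and not Spring Security source code): a simplified, self-contained model of an ordered rule registry in which the first matching rule decides, so anything registered after the catch-all could never take effect. RuleRegistry, pathPrefix, decide and attempt are hypothetical names; only the anyRequest exception message is taken from the stack trace in the question.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;
import java.util.function.Supplier;

// Simplified model of an ordered rule registry; NOT Spring Security source code.
// RuleRegistry, pathPrefix(), decide() and attempt() are hypothetical names.
public class AnyRequestGuardDemo {
    static final class RuleRegistry {
        private final Map<Predicate<String>, String> rules = new LinkedHashMap<>();
        private boolean anyRequestConfigured;

        // A path rule placed after the catch-all could never match, so it is rejected.
        RuleRegistry pathPrefix(String prefix, String access) {
            if (anyRequestConfigured) throw new IllegalStateException("Can't configure pathPrefix after anyRequest");
            rules.put(path -> path.startsWith(prefix), access);
            return this;
        }

        // Catch-all rule: allowed once, and it closes the registry.
        RuleRegistry anyRequest(String access) {
            if (anyRequestConfigured) throw new IllegalStateException("Can't configure anyRequest after itself");
            anyRequestConfigured = true;
            rules.put(path -> true, access);
            return this;
        }

        // Rules are consulted in registration order; the first match decides.
        String decide(String path) {
            for (Map.Entry<Predicate<String>, String> rule : rules.entrySet())
                if (rule.getKey().test(path)) return rule.getValue();
            return "no rule matched";
        }
    }

    // Builds a configuration and reports either the decision for /orders or the rejection.
    static String attempt(Supplier<RuleRegistry> config) {
        try { return "ok, /orders -> " + config.get().decide("/orders"); }
        catch (IllegalStateException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        // Question: super.configure() registers anyRequest(), then configure() registers it again.
        System.out.println(attempt(() -> new RuleRegistry().anyRequest("authenticated").anyRequest("permitAll")));
        // Answer: a single anyRequest() and no inherited defaults.
        System.out.println(attempt(() -> new RuleRegistry().anyRequest("permitAll")));
        // A narrower rule after the catch-all would be dead configuration, so it is rejected too.
        System.out.println(attempt(() -> new RuleRegistry().anyRequest("permitAll").pathPrefix("/admin", "authenticated")));
    }
}
```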
