Clarify that spring.security.filter properties only apply to servlet-based web apps

[tgeens]

Should it be documented (or fixed) that spring.security.filter.order is ignored in the reactive stack ?

Context: I'm trying to convert an auto-configuration-enabled library to the reactive-stack. It uses a filter that should be registered before the spring-security-filter. The servlet variant is using SecurityProperties.getFilter().getOrder() as a best-effort attempt to find out the order of the spring-security-filter.

WebFluxSecurityConfiguration uses a fixed @Order(WEB_FILTER_CHAIN_FILTER_ORDER) - but the WEB_FILTER_CHAIN_FILTER_ORDER is a magic number, with only package visiblity.

[wilkinsona]

This feels like an oversight to me. I think we should explore applying the property to the reactive stack.

[wilkinsona]

It occurs to me that applying spring.security.filter.order to the reactive stack will create confusion with the spring.security.filter.dispatcher-types property which is Servlet-specific. If we want the order property to apply to be web stacks, we may need to rename spring.security.filter.dispatcher-types to make it clear that it's Servlet-specific.

[wilkinsona]

As things stand, I don't think we can implement this. As @tgeens has noted above, WebFluxSecurityConfiguration hardcodes the order of the filter on the @Bean method. The order specified on a bean definition's factory method (the @Bean method in this case) is the primary source of its order. This method exists on a package-private class that is part of Spring Security so there's no much we can do about it.

Without changes to Spring Security, I think the best that we can do here is to make it clearer that the spring.security.filter properties only apply to Servlet-based apps. We could do that just be updating their descriptions. We could also consider deprecating the current properties and adding servlet-specific replacements, for example by moving them to spring.security.servlet.filter. Flagging for team discussion so that we can decide what to do.

@tgeens In your situation, I believe you can safely assume that the security filter in a reactive app will have the hardcoded order -100 as there's no way to change it at the moment.

[bclozel]

There's a section in the reference documentation that we can revisit as part of this issue if we want to do so.