These classes extend the AbstractHttpConfigurer abstract class. However, they do not utilize any methods defined in the org.springframework.security.config.annotation.SecurityConfigurer interface.
Spring Security expects the following sequence when configuring HttpSecurity:
http.with(someConfigurer, itsCustomizer) is invoked during the construction of the HttpSecurity instance.
During the building of the HttpSecurity instance, the init() and then the configure() methods of all added configurers are called.
The current implementations of Jmix configurers (AnonymousConfigurer, AuthorizedApiUrlsConfigurer, etc.) do not follow this approach. Instead, they use a workaround by overriding the setBuilder() method.
Problem Description
The Jmix security add-on includes several classes known as configurers:
io.jmix.security.configurer.AnonymousConfigurer
io.jmix.security.configurer.AuthorizedApiUrlsConfigurer
io.jmix.security.configurer.RememberMeConfigurer
io.jmix.security.configurer.SessionManagementConfigurer
These classes extend the
AbstractHttpConfigurer
abstract class. However, they do not utilize any methods defined in theorg.springframework.security.config.annotation.SecurityConfigurer
interface.Spring Security expects the following sequence when configuring
HttpSecurity
:http.with(someConfigurer, itsCustomizer)
is invoked during the construction of the HttpSecurity instance.HttpSecurity
instance, theinit()
and then theconfigure()
methods of all added configurers are called.The current implementations of Jmix configurers (
AnonymousConfigurer
,AuthorizedApiUrlsConfigurer
, etc.) do not follow this approach. Instead, they use a workaround by overriding thesetBuilder()
method.Possible Improvement
We could replace invocations like:
with a static helper method invocation:
Using a static helper method invocation more clearly indicates how and when the code from the "configurer" will be applied.