These classes extend the AbstractHttpConfigurer abstract class. However, they do not utilize any methods defined in the org.springframework.security.config.annotation.SecurityConfigurer interface.
Spring Security expects the following sequence when configuring HttpSecurity:
http.with(someConfigurer, itsCustomizer) is invoked during the construction of the HttpSecurity instance.
During the building of the HttpSecurity instance, the init() and then the configure() methods of all added configurers are called.
The current implementations of Jmix configurers (AnonymousConfigurer, AuthorizedApiUrlsConfigurer, etc.) do not follow this approach. Instead, they use a workaround by overriding the setBuilder() method.
Problem Description
The Jmix security add-on includes several classes known as configurers:
io.jmix.security.configurer.AnonymousConfigurerio.jmix.security.configurer.AuthorizedApiUrlsConfigurerio.jmix.security.configurer.RememberMeConfigurerio.jmix.security.configurer.SessionManagementConfigurerThese classes extend the
AbstractHttpConfigurerabstract class. However, they do not utilize any methods defined in theorg.springframework.security.config.annotation.SecurityConfigurerinterface.Spring Security expects the following sequence when configuring
HttpSecurity:http.with(someConfigurer, itsCustomizer)is invoked during the construction of the HttpSecurity instance.HttpSecurityinstance, theinit()and then theconfigure()methods of all added configurers are called.The current implementations of Jmix configurers (
AnonymousConfigurer,AuthorizedApiUrlsConfigurer, etc.) do not follow this approach. Instead, they use a workaround by overriding thesetBuilder()method.Possible Improvement
We could replace invocations like:
with a static helper method invocation:
Using a static helper method invocation more clearly indicates how and when the code from the "configurer" will be applied.