Given that `TargetVisitor` instances are ordered, it's important that applications have a way to clearly indicate whether their `TargetVisitor` comes before or after Spring Security visitors. With `WebTargetVisitor` being set to `LOWEST_PRECEDENCE`, an application cannot guarantee that their visitor would evaluate after `WebTargetVisitor`, should they want that.

One specific issue can be seen with the following bean declaration:

```java
@Bean
TargetVisitor skipValueTypes() {
    return TargetVisitor.defaultsSkipValueTypes();
}
```

Since both this and `WebTargetVisitor` use `LOWEST_PRECEDENCE`, Spring cannot guarantee a deterministic ordering. Also, there is no way to guarantee an ordering other than this bean coming before `WebTargetVisitor`.

If `WebTargetVisitor` has a precedence of `100`, then the above bean definition's intent is clear that it should not override `WebTargetVisitor`'s behavior. It could now also state a precedence of `0`, stating that it intends to visit the proxy before `WebTargetVisitor` does.

Similarly to `AuthorizationInterceptorsOrder` and `FilterOrderRegistration`, each Spring Security visitor should have a different value with a reasonable gap in between to simplify placement.

This change should be based on the `6.5.x` branch and should include tests that demonstrate that a custom visitor can be published deterministically before or after Spring Security's `TargetVisitor` implementations.
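The ordering problem described above, as an added example that is not part of this issue or of Spring Security's code. It uses only spring-core's ordering API (`Ordered`, `@Order`, `AnnotationAwareOrderComparator`), which is what Spring applies when it sorts a list of beans; the visitor classes are hypothetical stand-ins for `TargetVisitor` beans and do not implement the real interface.

```java
// Added example: shows why two beans that both sit at Ordered.LOWEST_PRECEDENCE
// cannot be placed deterministically, and how explicit order values (100 for the
// framework visitor, 0 or 200 for the application's) make the placement explicit.
// The visitor classes are hypothetical stand-ins, not Spring Security types.
import java.util.ArrayList;
import java.util.List;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.core.annotation.Order;

public class VisitorOrderingDemo {

    /** Stand-in for a framework visitor left at LOWEST_PRECEDENCE (the current situation). */
    @Order(Ordered.LOWEST_PRECEDENCE)
    static class FrameworkVisitorLowest {
        @Override public String toString() { return "framework(LOWEST_PRECEDENCE)"; }
    }

    /** Stand-in for an application visitor that also falls back to LOWEST_PRECEDENCE. */
    @Order(Ordered.LOWEST_PRECEDENCE)
    static class AppVisitorLowest {
        @Override public String toString() { return "app(LOWEST_PRECEDENCE)"; }
    }

    /** Stand-in for a framework visitor with an explicit precedence of 100, as proposed. */
    static class FrameworkVisitor100 implements Ordered {
        @Override public int getOrder() { return 100; }
        @Override public String toString() { return "framework(100)"; }
    }

    /** Application visitor declaring 0: it intends to run before the framework visitor. */
    @Order(0)
    static class AppVisitorBefore {
        @Override public String toString() { return "app(0)"; }
    }

    /** Application visitor declaring 200: it intends to run after the framework visitor. */
    @Order(200)
    static class AppVisitorAfter {
        @Override public String toString() { return "app(200)"; }
    }

    /** True when Spring's comparator cannot distinguish the two beans (same order value). */
    static boolean isTie(Object a, Object b) {
        return AnnotationAwareOrderComparator.INSTANCE.compare(a, b) == 0;
    }

    /** Sorts visitors the way Spring does when it orders a collection of beans. */
    static List<Object> sorted(List<Object> visitors) {
        List<Object> copy = new ArrayList<>(visitors);
        AnnotationAwareOrderComparator.sort(copy);
        return copy;
    }

    public static void main(String[] args) {
        // Current situation: both LOWEST_PRECEDENCE, so the comparator reports a tie and
        // the resulting position depends only on bean registration order.
        System.out.println("tie between framework and app visitor? "
                + isTie(new FrameworkVisitorLowest(), new AppVisitorLowest()));

        // Proposed situation: explicit values with a gap. The registration order below is
        // deliberately scrambled; the sorted result is the same regardless.
        List<Object> registered = List.of(
                new AppVisitorAfter(), new FrameworkVisitor100(), new AppVisitorBefore());
        System.out.println("sorted: " + sorted(registered));
    }
}
```

Because `AnnotationAwareOrderComparator.sort` is stable, a tie does not throw; it silently keeps whatever order the beans were registered in, which is exactly why a test for this change should register the custom visitor both before and after the framework's visitor and assert that the resolved order is the same in both cases.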