Q1. Question1: In Spring Security, what exactly does the annotation @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)do?

一季度。问题一：在 Spring Security 中，注解究竟是@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)做什么的？

What it does is well explained in the documentation you quoted.

它的作用在您引用的文档中得到了很好的解释。

To override the access rules without changing any other autoconfigured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).

要在不更改任何其他自动配置功能的情况下覆盖访问规则，请添加类型为 WebSecurityConfigurerAdapter 的 @Bean @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)。

But then WebSecurityConfigurerAdapter, which has @Order(100), takes higher priority.

但是WebSecurityConfigurerAdapter，具有 的@Order(100)具有更高的优先级。

No.

不。

You should be careful about this part autoconfigured features. Using @EnableAutoConfigurationwhich is a part of @SpringBootApplication, a lot of things are auto-configured and 100is not a auto-configured value but a hard-coded value on the WebSecurityConfigurerAdapterclass.

你应该小心这部分autoconfigured features。使用@EnableAutoConfigurationwhich 是 的一部分@SpringBootApplication，很多东西都是自动配置的，100不是自动配置的值，而是类上的硬编码值WebSecurityConfigurerAdapter。

You can find order values used for auto-configuring for Spring Security in SecurityPropertiesclass and you can find out that the value of ACCESS_OVERRIDE_ORDERis the lowest which means it takes the highest priority.

您可以在SecurityPropertiesclass 中找到用于 Spring Security 自动配置的 order 值，您可以发现 的值ACCESS_OVERRIDE_ORDER最低，这意味着它具有最高优先级。

Where are they auto-confitured?

它们在哪里自动配置？

You can find that @Order(SecurityProperties.BASIC_AUTH_ORDER)is used in SpringBootWebSecurityConfigurationclass.

你会发现它@Order(SecurityProperties.BASIC_AUTH_ORDER)是在SpringBootWebSecurityConfiguration课堂上使用的。

Then when is the annotation @Order(100)of WebSecurityConfigurerAdapterused?

然后，当被注释@Order(100)的WebSecurityConfigurerAdapter使用呢？

For example, if you disable the auto-configuring by adding @EnableWebSecurity, the value would be used. As the value 100takes too high priority, it'd be better to put @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)annotation in your custom class in the case.

例如，如果您通过添加禁用自动配置@EnableWebSecurity，则将使用该值。由于该值的100优先级太高，最好@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)在案例中将注释放在您的自定义类中。

Q2. Based on the ordering of various security features above, If I want to override default rules for both Management Endpoints and the Rest of the application, what should I use

Q2。基于上述各种安全功能的排序，如果我想覆盖管理端点和应用程序其余部分的默认规则，我应该使用什么

Use ManagementServerProperties ACCESS_OVERRIDE_ORDER.

使用ManagementServerProperties ACCESS_OVERRIDE_ORDER.

It takes higher priority so you must use it if you want to override default rules for all end points. You can see how the values are set if you open the ManagementServerPropertiesclass.

它具有更高的优先级，因此如果要覆盖所有端点的默认规则，则必须使用它。如果您打开ManagementServerProperties类，您可以看到这些值是如何设置的。

In SecurityProperties

在 SecurityProperties

int ACCESS_OVERRIDE_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 2; // 39
int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5; // 41

In ManagementServerProperties

在 ManagementServerProperties

int BASIC_AUTH_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 5; // 36
int ACCESS_OVERRIDE_ORDER = ManagementServerProperties.BASIC_AUTH_ORDER - 1; // 35

In the comment, 39means 21474839, I've omitted the first 6 digits for readability.

在评论中，39意思是21474839，为了便于阅读，我省略了前 6 位数字。

SecurityPropertiesno longer defines the ACCESS_OVERRIDE_ORDERconstant for the @Order annotation. However, Spring Boot no longer defines any security details if the application does, so we do not need the @Order annotation on the security @Configuration class and can be removed.

SecurityProperties不再为 @Order 注释定义ACCESS_OVERRIDE_ORDER常量。但是，如果应用程序定义了任何安全细节，Spring Boot 就不再定义任何安全细节，因此我们不需要安全性 @Configuration 类上的 @Order 注解，并且可以将其移除。