@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) vs ManagementServerProperties.ACCESS_OVERRIDE_ORDER in Spring Security

SecurityProperties no longer defines the ACCESS_OVERRIDE_ORDER constant for the @Order annotation. However, Spring Boot no longer defines any security details if the application does, so we do not need the @Order annotation on the security @Configuration class and it can be removed.


Q1. In Spring Security, what exactly does the annotation @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) do?

What it does is well explained in the documentation you quoted.

To override the access rules without changing any other autoconfigured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).

But then WebSecurityConfigurerAdapter, which has @Order(100), takes higher priority.

No.

You should be careful about this part: autoconfigured features. Using @EnableAutoConfiguration, which is a part of @SpringBootApplication, a lot of things are auto-configured, and 100 is not an auto-configured value but a hard-coded value on the WebSecurityConfigurerAdapter class.

You can find the order values used for auto-configuring Spring Security in the SecurityProperties class, and you can see that the value of ACCESS_OVERRIDE_ORDER is the lowest, which means it takes the highest priority.

Where are they auto-configured?

You can find that @Order(SecurityProperties.BASIC_AUTH_ORDER) is used in SpringBootWebSecurityConfiguration class.

Then when is the annotation @Order(100) of WebSecurityConfigurerAdapter used?

For example, if you disable the auto-configuring by adding @EnableWebSecurity, the value would be used. As the value 100 takes too high a priority, it'd be better to put the @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) annotation on your custom class in that case.

Q2. Based on the ordering of the various security features above, if I want to override the default rules for both the Management Endpoints and the rest of the application, what should I use?

Use ManagementServerProperties.ACCESS_OVERRIDE_ORDER.

It takes higher priority, so you must use it if you want to override the default rules for all endpoints. You can see how the values are set if you open the ManagementServerProperties class.

In SecurityProperties

int ACCESS_OVERRIDE_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 2; // 39
int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5; // 41

In ManagementServerProperties

int BASIC_AUTH_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 5; // 36
int ACCESS_OVERRIDE_ORDER = ManagementServerProperties.BASIC_AUTH_ORDER - 1; // 35

In the comments, 39 means 21474839; I've omitted the first six digits for readability.
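As an added example (not code from the original answer or from Spring Boot itself), here is what the Q2 advice looks like in a single configuration class against the Spring Boot 1.x API the answer discusses: one WebSecurityConfigurerAdapter ordered with ManagementServerProperties.ACCESS_OVERRIDE_ORDER, so it is consulted before both the auto-configured management adapter and the auto-configured application adapter. The management context path "/manage", the "/public/**" path and the ACTUATOR role are assumptions for illustration; substitute your own management.context-path and roles.

```java
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example, not from the original post. The order constant is the lowest
// value listed in the answer (ManagementServerProperties.ACCESS_OVERRIDE_ORDER),
// so this adapter is evaluated before every auto-configured adapter and its
// rules win for management endpoints and the rest of the application alike.
@Configuration
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
public class AccessOverrideSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumed management context path "/manage" (management.context-path).
                // Health and info are the only management endpoints left open.
                .antMatchers("/manage/health", "/manage/info").permitAll()
                // Every other management endpoint requires an operator role
                // (role name assumed; align it with management.security.roles).
                .antMatchers("/manage/**").hasRole("ACTUATOR")
                // Assumed public part of the application.
                .antMatchers("/public/**").permitAll()
                // Everything else in the application is authenticated.
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

Because this adapter has no requestMatcher restriction, it matches every request, and adapters with a higher order value (the auto-configured ones and any at the hard-coded 100) are never consulted. The rule set above must therefore be the complete access policy you intend for both management and application URLs; an overly broad permitAll here cannot be tightened again by a later adapter.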