From 8e4d61adf5bf769ff40233ef140bfdf853c565fc Mon Sep 17 00:00:00 2001
From: Charles Haynes
Date: Fri, 1 Nov 2024 12:19:43 -0400
Subject: [PATCH] :lock: Update Default Filter Chain Ordering for Spring Security
---
 .../java/org/cbioportal/security/config/ApiSecurityConfig.java | 3 +++
 .../org/cbioportal/security/config/OAuth2SecurityConfig.java | 1 +
 2 files changed, 4 insertions(+)
diff --git a/src/main/java/org/cbioportal/security/config/ApiSecurityConfig.java b/src/main/java/org/cbioportal/security/config/ApiSecurityConfig.java
index fccec0bfad8..0719a081ddb 100644
--- a/src/main/java/org/cbioportal/security/config/ApiSecurityConfig.java
+++ b/src/main/java/org/cbioportal/security/config/ApiSecurityConfig.java
@@ -8,6 +8,8 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
 import org.springframework.lang.Nullable;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -30,6 +32,7 @@ public class ApiSecurityConfig {
 // see: "Creating and Customizing Filter Chains" @ https://spring.io/guides/topicals/spring-security-architecture
 @Bean
+ @Order(Ordered.HIGHEST_PRECEDENCE)
 public SecurityFilterChain securityFilterChain(HttpSecurity http, @Nullable DataAccessTokenService tokenService) throws Exception {
 http.csrf(AbstractHttpConfigurer::disable)
 // This filter chain only grabs requests to the '/api' path.
diff --git a/src/main/java/org/cbioportal/security/config/OAuth2SecurityConfig.java b/src/main/java/org/cbioportal/security/config/OAuth2SecurityConfig.java
index c13c5226586..fd3b8b48b3f 100644
--- a/src/main/java/org/cbioportal/security/config/OAuth2SecurityConfig.java
+++ b/src/main/java/org/cbioportal/security/config/OAuth2SecurityConfig.java
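Review bot: `@Order(Ordered.HIGHEST_PRECEDENCE)` on `securityFilterChain` is only safe because this chain is path-scoped; the trailing comment says it only grabs `/api`, but the `securityMatcher` call that enforces that lies outside the hunk, and a chain ordered first without a matcher would swallow every request (recent Spring Security versions also reject an any-request chain that is not last at startup). The ordering intent deserves a why-comment above the annotation so a future chain is not added expecting to win for `/api/**`: `// Spring Security dispatches to the first SecurityFilterChain whose securityMatcher matches, so this /api chain must be ordered ahead of the catch-all OAuth2/login chain.` Because `http.csrf(AbstractHttpConfigurer::disable)` is kept on this chain, it is worth confirming that requests matched here are authenticated by a token rather than a browser session cookie; otherwise state-changing `/api` calls would have no CSRF defence. The body of `securityFilterChain` continues past the end of the hunk.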
@@ -48,6 +48,7 @@ public class OAuth2SecurityConfig {
 private static final String LOGIN_URL = "/login";
 @Bean
+ @Order(1)
 public SecurityFilterChain filterChain(HttpSecurity http, ClientRegistrationRepository clientRegistrationRepository) throws Exception {
 http.csrf(AbstractHttpConfigurer::disable)
 .cors(Customizer.withDefaults())
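Review bot: The bare `@Order(1)` on `filterChain` carries no explanation, and its relationship to the API chain's `Ordered.HIGHEST_PRECEDENCE` is only visible with both files open; if this OAuth2 chain has no `securityMatcher` (none is visible in the hunk) it is the any-request chain and should be ordered last, e.g. `@Order(Ordered.LOWEST_PRECEDENCE)`, since any further `SecurityFilterChain` bean left at the default order would typically sort after it and either never be invoked or be rejected at startup by recent Spring Security versions. Whichever value is kept, a comment such as `// Catch-all login chain: must run after the /api chain in ApiSecurityConfig, which is ordered first.` would record the intent. The diffstat shows a single insertion for this file and no import hunk, so `org.springframework.core.annotation.Order` must already be imported in OAuth2SecurityConfig.java for this to compile — worth confirming. The body of `filterChain` continues past the end of the hunk.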