Fail when several filter chains have the same securityMatcher

[franticticktick]

Related #15220

@Bean 
@Order(0)
SecurityFilterChain app(HttpSecurity http) throws Exception {
    http
        .securityMatcher("/app/**")
        .authorizeHttpRequests(...)
        .formLogin(...)

    return http.build();
}

@Bean 
@Order(1)
SecurityFilterChain api(HttpSecurity http) throws Exception {
    http
    	.securityMatcher("/app/**")
        .authorizeHttpRequests(...)
        .httpBasic(...)

    return http.build();
}

Is it correct to allow filter chains with the same matcher to be created? As far as I understand, this is the same case.

[jzheaux]

Interestingly, DefaultFilterChainValidator already contains this check. I think it could be valuable to change the way WebSecurity works to use this filter chain validator. I'm not sure why it was originally excluded, so it may not work; however, I think it's worth considering.

[franticticktick]

FilterChainProxy does not validate itself after the bean is created, because the filterChainValidator is NullFilterChainValidator, not DefaultFilterChainValidator.

private FilterChainValidator filterChainValidator = new NullFilterChainValidator();

It seems that DefaultFilterChainValidator it is not used anywhere.

[jzheaux]

It's used by the XML support. I'm not sure why it's not used by the Java support. I think it would be reasonable to try using it to close this ticket.

[franticticktick]

DefaultFilterChainValidator is implemented in the config module, and FilterChainProxy is implemented in the web module, perhaps this is the reason. I can make a private copy of the DefaultFilterChainValidator in the web module, but ideally I would want to remove the duplication.

[jzheaux]

I don't think that will be needed since where the validator is set is in a config class (WebSecurity, I believe). IOW, we should be able to do:

filterChainProxy.setFilterChainValidator(new DefaultFilterChainValidator())

DefaultFilterChainValidator would likely need to be updated with the error message enhancements already added in WebSecurity; otherwise I imagine it may be a drop-in replacement.

[franticticktick]

The main problem here is DefaultFilterChainValidator, checkForDuplicateMatchers method is not working. The chain.getRequestMatcher().equals(((DefaultSecurityFilterChain) test).getRequestMatcher()) test will never give true, because equals operation is not defined. I see one way out - this is to override equals for all RequestMatchers.