Merge branch '5.8.x' into 6.0.x

Closes gh-12687

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -3051,7 +3051,12 @@ public HttpSecurity addFilterBefore(Filter filter, Class<? extends Filter> befor
 	}
 
 	private HttpSecurity addFilterAtOffsetOf(Filter filter, int offset, Class<? extends Filter> registeredFilter) {
-		int order = this.filterOrders.getOrder(registeredFilter) + offset;
+		Integer registeredFilterOrder = this.filterOrders.getOrder(registeredFilter);
+		if (registeredFilterOrder == null) {
+			throw new IllegalArgumentException(
+					"The Filter class " + registeredFilter.getName() + " does not have a registered order");
+		}
+		int order = registeredFilterOrder + offset;
 		this.filters.add(new OrderedFilter(filter, order));
 		this.filterOrders.put(filter.getClass(), order);
 		return this;

config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityDeferAddFilterTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
+import org.springframework.beans.factory.UnsatisfiedDependencyException;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -44,12 +45,29 @@
 import org.springframework.security.web.header.HeaderWriterFilter;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
 @ExtendWith(SpringTestContextExtension.class)
 public class HttpSecurityDeferAddFilterTest {
 
 	public final SpringTestContext spring = new SpringTestContext(this);
 
+	@Test
+	public void addFilterAfterFilterNotRegisteredYetThenThrowIllegalArgument() {
+		assertThatExceptionOfType(UnsatisfiedDependencyException.class)
+				.isThrownBy(
+						() -> this.spring.register(MyOtherFilterAfterMyFilterNotRegisteredYetConfig.class).autowire())
+				.havingRootCause().isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void addFilterBeforeFilterNotRegisteredYetThenThrowIllegalArgument() {
+		assertThatExceptionOfType(UnsatisfiedDependencyException.class)
+				.isThrownBy(
+						() -> this.spring.register(MyOtherFilterBeforeMyFilterNotRegisteredYetConfig.class).autowire())
+				.havingRootCause().isInstanceOf(IllegalArgumentException.class);
+	}
+
 	@Test
 	public void addFilterAfterWhenSameFilterDifferentPlacesThenOrderCorrect() {
 		this.spring.register(MyFilterMultipleAfterConfig.class).autowire();
@@ -216,6 +234,34 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	}
 
 	@Configuration
+	@EnableWebSecurity
+	static class MyOtherFilterAfterMyFilterNotRegisteredYetConfig {
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.addFilterAfter(new MyOtherFilter(), MyFilter.class);
+			// @formatter:on
+			return http.build();
+		}
+
+	}
+
+	@EnableWebSecurity
+	static class MyOtherFilterBeforeMyFilterNotRegisteredYetConfig {
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.addFilterBefore(new MyOtherFilter(), MyFilter.class);
+			// @formatter:on
+			return http.build();
+		}
+
+	}
+
 	@EnableWebSecurity
 	static class MyOtherFilterRelativeToMyFilterBeforeConfig {