diff --git a/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/EnableGlobalAuthentication.java b/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/EnableGlobalAuthentication.java
index acc8fef818..7ed54d433e 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/EnableGlobalAuthentication.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/EnableGlobalAuthentication.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -39,10 +39,19 @@ import org.springframework.security.config.annotation.web.servlet.configuration.
 * @EnableGlobalAuthentication
 * public class MyGlobalAuthenticationConfiguration {
 *
- * @Autowired
- * public void configureGlobal(AuthenticationManagerBuilder auth) {
- * auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
- * .and().withUser("admin").password("password").roles("USER", "ADMIN");
+ * @Bean
+ * public UserDetailsService userDetailsService() {
+ * UserDetails user = User.withDefaultPasswordEncoder()
+ * .username("user")
+ * .password("password")
+ * .roles("USER")
+ * .build();
+ * UserDetails admin = User.withDefaultPasswordEncoder()
+ * .username("admin")
+ * .password("password")
+ * .roles("ADMIN", "USER")
+ * .build();
+ * return new InMemoryUserDetailsManager(user, admin);
 * }
 * }
 *
@@ -54,15 +63,24 @@ import org.springframework.security.config.annotation.web.servlet.configuration.
 *
  * @Configuration
  * @EnableWebSecurity
- * public class MyWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+ * public class MyWebSecurityConfiguration {
  *
- * 	@Autowired
- * 	public void configureGlobal(AuthenticationManagerBuilder auth) {
- * 		auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
- * 				.and().withUser("admin").password("password").roles("USER", "ADMIN");
+ * 	@Bean
+ * 	public UserDetailsService userDetailsService() {
+ * 		UserDetails user = User.withDefaultPasswordEncoder()
+ * 			.username("user")
+ * 			.password("password")
+ * 			.roles("USER")
+ * 			.build();
+ * 		UserDetails admin = User.withDefaultPasswordEncoder()
+ * 			.username("admin")
+ * 			.password("password")
+ * 			.roles("ADMIN", "USER")
+ * 			.build();
+ * 		return new InMemoryUserDetailsManager(user, admin);
  * 	}
  *
- * 	// Possibly overridden methods ...
+ * 	// Possibly more bean methods ...
  * }
  * 
*
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/WebSecurityConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/WebSecurityConfigurer.java
index 981fdd3742..c41aa6e209 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/WebSecurityConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/WebSecurityConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -23,19 +23,16 @@ import org.springframework.security.config.annotation.SecurityBuilder;
 import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.SecurityFilterChain;
 /**
 * Allows customization to the {@link WebSecurity}. In most instances users will use
- * {@link EnableWebSecurity} and either create a {@link Configuration} that extends
- * {@link WebSecurityConfigurerAdapter} or expose a {@link SecurityFilterChain} bean. Both
- * will automatically be applied to the {@link WebSecurity} by the
- * {@link EnableWebSecurity} annotation.
+ * {@link EnableWebSecurity} and create a {@link Configuration} that exposes a
+ * {@link SecurityFilterChain} bean. This will automatically be applied to the
+ * {@link WebSecurity} by the {@link EnableWebSecurity} annotation.
 *
 * @author Rob Winch
 * @since 3.2
- * @see WebSecurityConfigurerAdapter
 * @see SecurityFilterChain
 */
 public interface WebSecurityConfigurer> extends SecurityConfigurer {
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
index 7b12dc39b1..03a6182155 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -45,7 +45,6 @@ import org.springframework.security.config.annotation.web.AbstractRequestMatcher
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.AnonymousConfigurer;
 import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
 import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry;
@@ -113,16 +112,22 @@ import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 *
  * @Configuration
  * @EnableWebSecurity
- * public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
+ * public class FormLoginSecurityConfig {
  *
- * 	@Override
- * 	protected void configure(HttpSecurity http) throws Exception {
+ * 	@Bean
+ * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
  * 		http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
+ * 		return http.build();
  * 	}
  *
- * 	@Override
- * 	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
- * 		auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
+ * 	@Bean
+ * 	public UserDetailsService userDetailsService() {
+ * 		UserDetails user = User.withDefaultPasswordEncoder()
+ * 			.username("user")
+ * 			.password("password")
+ * 			.roles("USER")
+ * 			.build();
+ * 		return new InMemoryUserDetailsManager(user);
  * 	}
  * }
  * 
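Review bot: The new `userDetailsService()` example calls `User.withDefaultPasswordEncoder()` with a literal password, and nothing in the snippet marks it as sample-only. That factory is deprecated in Spring Security because it is meant for demos, and Javadoc examples tend to be copied into real configurations. I would add a comment above the builder call, e.g. `// sample only: withDefaultPasswordEncoder() is not intended for production use`, or a sentence under the example pointing readers to a `PasswordEncoder` bean and externally hashed passwords. The same applies to the two examples in EnableGlobalAuthentication.java and to the other `userDetailsService()` snippets added further down in HttpSecurity.java. The class Javadoc holding this example starts above the hunk.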
@@ -172,17 +177,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { + * public class CsrfSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .headers() * .contentTypeOptions() @@ -196,6 +201,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -205,13 +211,14 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { + * public class CsrfSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .headers().disable() * ...; + * return http.build(); * } * } * @@ -225,10 +232,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { + * public class CsrfSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .headers() * .defaultsDisabled() @@ -237,6 +244,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder 
@@ -248,16 +256,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { + * public class CsrfSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .headers() * .frameOptions() * .disable() * .and() * ...; + * return http.build(); * } * } * @@ -271,21 +280,20 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configurations * - * Accepting the default provided by {@link WebSecurityConfigurerAdapter} or only - * invoking {@link #headers()} without invoking additional methods on it, is the - * equivalent of: + * Accepting the default provided by {@link EnableWebSecurity} or only invoking + * {@link #headers()} without invoking additional methods on it, is the equivalent of: * *
 	 * @Configuration
 	 * @EnableWebSecurity
-	 * public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
+	 * public class CsrfSecurityConfig {
 	 *
-	 *	@Override
-	 *	protected void configure(HttpSecurity http) throws Exception {
+	 *	@Bean
+	 *	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 *		http
 	 *			.headers((headers) ->
 	 *				headers
@@ -295,6 +303,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder
@@ -304,12 +313,13 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder
 	 * @Configuration
 	 * @EnableWebSecurity
-	 * public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
+	 * public class CsrfSecurityConfig {
 	 *
-	 *	@Override
-	 *	protected void configure(HttpSecurity http) throws Exception {
+	 *	@Bean
+	 *	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
 	 * 			.headers((headers) -> headers.disable());
+	 *		return http.build();
 	 *	}
 	 * }
 	 * 
@@ -323,10 +333,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { + * public class CsrfSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .headers((headers) -> * headers @@ -334,6 +344,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -345,15 +356,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { + * public class CsrfSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .headers((headers) -> * headers * .frameOptions((frameOptions) -> frameOptions.disable()) * ); + * return http.build(); + * } * } * * @param headersCustomizer the {@link Customizer} to provide more options for the @@ -388,12 +401,13 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class CorsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class CorsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .cors(withDefaults()); + * return http.build(); * } * } * 
@@ -420,18 +434,24 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class SessionManagementSecurityConfig extends WebSecurityConfigurerAdapter { + * public class SessionManagementSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin() * .permitAll().and().sessionManagement().maximumSessions(1) * .expiredUrl("/login?expired"); + * return http.build(); * } * - * @Override - * protected void configure(AuthenticationManagerBuilder auth) throws Exception { - * auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * return new InMemoryUserDetailsManager(user); * } * } * @@ -471,10 +491,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class SessionManagementSecurityConfig extends WebSecurityConfigurerAdapter { + * public class SessionManagementSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -492,6 +512,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder 
@@ -540,19 +571,25 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class PortMapperSecurityConfig extends WebSecurityConfigurerAdapter { + * public class PortMapperSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() * .permitAll().and() * // Example portMapper() configuration * .portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443); + * return http.build(); * } * - * @Override - * protected void configure(AuthenticationManagerBuilder auth) throws Exception { - * auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * return new InMemoryUserDetailsManager(user); * } * } * @@ -582,10 +619,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class PortMapperSecurityConfig extends WebSecurityConfigurerAdapter { + * public class PortMapperSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .requiresChannel((requiresChannel) -> * requiresChannel @@ -596,6 +633,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder 
@@ -624,13 +672,14 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class JeeSecurityConfig extends WebSecurityConfigurerAdapter { + * public class JeeSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and() * // Example jee() configuration * .jee().mappableRoles("USER", "ADMIN"); + * return http.build(); * } * } * @@ -695,10 +744,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class JeeSecurityConfig extends WebSecurityConfigurerAdapter { + * public class JeeSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -708,6 +757,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -774,13 +824,14 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class X509SecurityConfig extends WebSecurityConfigurerAdapter { + * public class X509SecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and() * // Example x509() configuration * .x509(); + * return http.build(); * } * } * 
@@ -803,16 +854,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class X509SecurityConfig extends WebSecurityConfigurerAdapter { + * public class X509SecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests * .antMatchers("/**").hasRole("USER") * ) * .x509(withDefaults()); + * return http.build(); * } * } * @@ -839,19 +891,25 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter { - * - * @Override - * protected void configure(AuthenticationManagerBuilder auth) throws Exception { - * auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); - * } + * public class RememberMeSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() * .permitAll().and() * // Example Remember Me Configuration * .rememberMe(); + * return http.build(); + * } + * + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * return new InMemoryUserDetailsManager(user); * } * } * 
@@ -875,10 +933,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter { + * public class RememberMeSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -886,6 +944,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -913,17 +982,27 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin(); + * return http.build(); * } * - * @Override - * protected void configure(AuthenticationManagerBuilder auth) throws Exception { - * auth.inMemoryAuthentication().withUser("user").password("password").roles("USER") - * .and().withUser("admin").password("password").roles("ADMIN", "USER"); + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * UserDetails admin = User.withDefaultPasswordEncoder() + * .username("admin") + * .password("password") + * .roles("ADMIN", "USER") + * .build(); + * return new InMemoryUserDetailsManager(user, admin); * } * } * 
@@ -935,18 +1014,28 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN") * .antMatchers("/**").hasRole("USER").and().formLogin(); + * return http.build(); * } * - * @Override - * protected void configure(AuthenticationManagerBuilder auth) throws Exception { - * auth.inMemoryAuthentication().withUser("user").password("password").roles("USER") - * .and().withUser("admin").password("password").roles("ADMIN", "USER"); + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * UserDetails admin = User.withDefaultPasswordEncoder() + * .username("admin") + * .password("password") + * .roles("ADMIN", "USER") + * .build(); + * return new InMemoryUserDetailsManager(user, admin); * } * } * @@ -956,8 +1045,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**") - * .hasRole("ADMIN") + * @Configuration + * @EnableWebSecurity + * public class AuthorizeUrlsSecurityConfig { + * + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + * http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**") + * .hasRole("ADMIN") + * return http.build(); + * } + * } * * @return the {@link ExpressionUrlAuthorizationConfigurer} for further customizations * @throws Exception 
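Review bot: In the `@@ -956,8 +1045,17 @@` hunk the added example has no `;` after `.hasRole("ADMIN")`, so the statement runs into `return http.build();` and will not compile when copied; the line should read `.hasRole("ADMIN");`. The snippet also lists `antMatchers("/**")` before `antMatchers("/admin/**")`, which is presumably the ordering the surrounding text (outside the hunk) warns against. Now that it is wrapped in a full `@Configuration` class it reads like a usable configuration, so I would add a comment inside it such as `// "/**" matches first, so the "/admin/**" rule below is never consulted`. The same ordering appears in the examples of the `-1025,16`, `-1107,16` and `-1187,16` hunks, which would benefit from the same comment.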
@@ -982,16 +1080,32 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests * .antMatchers("/**").hasRole("USER") * ) * .formLogin(withDefaults()); + * return http.build(); + * } + * + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * UserDetails admin = User.withDefaultPasswordEncoder() + * .username("admin") + * .password("password") + * .roles("ADMIN", "USER") + * .build(); + * return new InMemoryUserDetailsManager(user, admin); * } * } * @@ -1003,10 +1117,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -1014,6 +1128,22 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder 
@@ -1025,16 +1155,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests * .antMatchers("/**").hasRole("USER") * .antMatchers("/admin/**").hasRole("ADMIN") * ); + * return http.build(); * } * } * @@ -1066,15 +1197,31 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeHttpRequests() * .antMatchers("/**").hasRole("USER") * .and() * .formLogin(); + * return http.build(); + * } + * + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * UserDetails admin = User.withDefaultPasswordEncoder() + * .username("admin") + * .password("password") + * .roles("ADMIN", "USER") + * .build(); + * return new InMemoryUserDetailsManager(user, admin); * } * } * 
@@ -1086,16 +1233,32 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeHttpRequests() * .antMatchers("/admin").hasRole("ADMIN") * .antMatchers("/**").hasRole("USER") * .and() * .formLogin(); + * return http.build(); + * } + * + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * UserDetails admin = User.withDefaultPasswordEncoder() + * .username("admin") + * .password("password") + * .roles("ADMIN", "USER") + * .build(); + * return new InMemoryUserDetailsManager(user, admin); * } * } * @@ -1107,16 +1270,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeHttpRequests() * .antMatchers("/**").hasRole("USER") * .antMatchers("/admin/**").hasRole("ADMIN") * .and() * .formLogin(); + * return http.build(); * } * } * 
@@ -1144,16 +1308,32 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeHttpRequests((authorizeHttpRequests) -> * authorizeHttpRequests * .antMatchers("/**").hasRole("USER") * ) * .formLogin(withDefaults()); + * return http.build(); + * } + * + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * UserDetails admin = User.withDefaultPasswordEncoder() + * .username("admin") + * .password("password") + * .roles("ADMIN", "USER") + * .build(); + * return new InMemoryUserDetailsManager(user, admin); * } * } * @@ -1165,10 +1345,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeHttpRequests((authorizeHttpRequests) -> * authorizeHttpRequests @@ -1176,6 +1356,22 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder 
@@ -1187,16 +1383,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AuthorizeUrlsSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeHttpRequests((authorizeHttpRequests) -> * authorizeHttpRequests * .antMatchers("/**").hasRole("USER") * .antMatchers("/admin/**").hasRole("ADMIN") * ); + * return http.build(); * } * } * @@ -1221,7 +1418,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Custom Configuration * @@ -1243,10 +1440,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class RequestCacheDisabledSecurityConfig extends WebSecurityConfigurerAdapter { + * public class RequestCacheDisabledSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -1255,6 +1452,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -1271,7 +1469,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Custom Configuration * 
@@ -1291,10 +1489,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class ExceptionHandlingSecurityConfig extends WebSecurityConfigurerAdapter { + * public class ExceptionHandlingSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -1305,6 +1503,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -1322,7 +1521,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class SecurityContextSecurityConfig extends WebSecurityConfigurerAdapter { + * public class SecurityContextSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .securityContext((securityContext) -> * securityContext * .securityContextRepository(SCR) * ); + * return http.build(); * } * } * @@ -1366,7 +1566,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class ServletApiSecurityConfig extends WebSecurityConfigurerAdapter { + * public class ServletApiSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .servletApi((servletApi) -> * servletApi.disable() * ); + * return http.build(); * } * } * 
@@ -1406,19 +1607,19 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { + * public class CsrfSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .csrf().disable() * ...; + * return http.build(); * } * } * @@ -1432,18 +1633,18 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { + * public class CsrfSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .csrf((csrf) -> csrf.disable()); + * return http.build(); * } * } * 
@@ -1460,8 +1661,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter { + * public class LogoutSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() * .and() * // sample logout customization * .logout().deleteCookies("remove").invalidateHttpSession(false) * .logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success"); + * return http.build(); * } * - * @Override - * protected void configure(AuthenticationManagerBuilder auth) throws Exception { - * auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * return new InMemoryUserDetailsManager(user); * } * } * @@ -1500,8 +1707,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter { + * public class LogoutSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -1531,6 +1738,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder 
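Review bot: The new `userDetailsService()` bean in the LogoutSecurityConfig sample builds its user with `User.withDefaultPasswordEncoder()` and a literal password, and nothing in the sample marks this as demo-only. That factory is deprecated in Spring Security because it is not considered safe for production, so a reader copying the Javadoc verbatim ends up with hard-coded credentials in source. I would add one comment line inside the sample, e.g. `// demo only: withDefaultPasswordEncoder() is not for production; store externally encoded passwords`. The same applies to the FormLoginSecurityConfig, ChannelSecurityConfig and HttpBasicSecurityConfig samples further down in this file's diff.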
@@ -1546,8 +1764,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AnonymousSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests() * .antMatchers("/**").hasRole("USER") @@ -1571,11 +1789,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -1587,10 +1811,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AnonymousSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests() * .antMatchers("/**").hasRole("USER") @@ -1599,11 +1823,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -1616,8 +1846,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AnonymousSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -1643,7 +1873,18 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder 
@@ -1655,10 +1896,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter { + * public class AnonymousSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -1669,11 +1910,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -1702,16 +1949,22 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { + * public class FormLoginSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin(); + * return http.build(); * } * - * @Override - * protected void configure(AuthenticationManagerBuilder auth) throws Exception { - * auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * return new InMemoryUserDetailsManager(user); * } * } * 
@@ -1721,10 +1974,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { + * public class FormLoginSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() * .usernameParameter("username") // default is username * .passwordParameter("password") // default is password @@ -1733,11 +1986,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -1764,16 +2023,27 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { + * public class FormLoginSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests * .antMatchers("/**").hasRole("USER") * ) * .formLogin(withDefaults()); + * return http.build(); + * } + * + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * return new InMemoryUserDetailsManager(user); * } * } * 
@@ -1783,10 +2053,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { + * public class FormLoginSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -1800,6 +2070,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -1851,19 +2132,18 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration - * public class Saml2LoginConfig { + * @EnableWebSecurity + * public class Saml2LoginSecurityConfig { * - * @EnableWebSecurity - * public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { - * @Override - * protected void configure(HttpSecurity http) throws Exception { - * http - * .authorizeRequests() - * .anyRequest().authenticated() - * .and() - * .saml2Login(); - * } - * } + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + * http + * .authorizeRequests() + * .anyRequest().authenticated() + * .and() + * .saml2Login(); + * return http.build(); + * } * * @Bean * public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() { @@ -1884,13 +2164,13 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * 
@@ -1940,19 +2220,19 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration - * public class Saml2LoginConfig { + * @EnableWebSecurity + * public class Saml2LoginSecurityConfig { * - * @EnableWebSecurity - * public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { - * @Override - * protected void configure(HttpSecurity http) throws Exception { - * http - * .authorizeRequests() + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + * http + * .authorizeRequests((authorizeRequests) -> + * authorizeRequests * .anyRequest().authenticated() - * .and() - * .saml2Login(withDefaults()); - * } - * } + * ) + * .saml2Login(withDefaults()); + * return http.build(); + * } * * @Bean * public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() { @@ -1973,13 +2253,13 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @@ -2176,19 +2456,18 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration - * public class OAuth2LoginConfig { + * @EnableWebSecurity + * public class OAuth2LoginSecurityConfig { * - * @EnableWebSecurity - * public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { - * @Override - * protected void configure(HttpSecurity http) throws Exception { - * http - * .authorizeRequests() - * .anyRequest().authenticated() - * .and() - * .oauth2Login(); - * } - * } + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + * http + * .authorizeRequests() + * .anyRequest().authenticated() + * .and() + * .oauth2Login(); + * return http.build(); + * } * * @Bean * public ClientRegistrationRepository clientRegistrationRepository() { 
@@ -2276,20 +2555,19 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration - * public class OAuth2LoginConfig { + * @EnableWebSecurity + * public class OAuth2LoginSecurityConfig { * - * @EnableWebSecurity - * public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { - * @Override - * protected void configure(HttpSecurity http) throws Exception { - * http - * .authorizeRequests((authorizeRequests) -> - * authorizeRequests - * .anyRequest().authenticated() - * ) - * .oauth2Login(withDefaults()); - * } - * } + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + * http + * .authorizeRequests((authorizeRequests) -> + * authorizeRequests + * .anyRequest().authenticated() + * ) + * .oauth2Login(withDefaults()); + * return http.build(); + * } * * @Bean * public ClientRegistrationRepository clientRegistrationRepository() { @@ -2363,16 +2641,18 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * public class OAuth2ClientSecurityConfig { + * + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests * .anyRequest().authenticated() * ) * .oauth2Client(withDefaults()); - * } + * return http.build(); + * } * } * * @param oauth2ClientCustomizer the {@link Customizer} to provide more options for 
@@ -2416,13 +2696,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { - * - * @Value("${spring.security.oauth2.resourceserver.jwt.key-value}") - * RSAPublicKey key; + * public class OAuth2ResourceServerSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -2435,7 +2712,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter { + * public class ChannelSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() * .and().requiresChannel().anyRequest().requiresSecure(); + * return http.build(); * } * - * @Override - * protected void configure(AuthenticationManagerBuilder auth) throws Exception { - * auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * return new InMemoryUserDetailsManager(user); * } * } * 
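Review bot: In the OAuth2ResourceServerSecurityConfig sample the `@Value("${spring.security.oauth2.resourceserver.jwt.key-value}") RSAPublicKey key;` field is removed, but the rest of the sample lies outside the hunk, so it cannot be seen here whether anything still reads that field. If the remainder of the sample still refers to `this.key`, the example no longer compiles as written, and readers lose the hint that the JWT verification key comes from configuration rather than from source. Either keep the field or show where the key is injected, for instance as a parameter of the bean method that uses it.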
@@ -2512,10 +2796,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter { + * public class ChannelSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests @@ -2526,6 +2810,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -2554,16 +2849,22 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class HttpBasicSecurityConfig extends WebSecurityConfigurerAdapter { + * public class HttpBasicSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and().httpBasic(); + * return http.build(); * } * - * @Override - * protected void configure(AuthenticationManagerBuilder auth) throws Exception { - * auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * return new InMemoryUserDetailsManager(user); * } * } * 
@@ -2586,16 +2887,27 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class HttpBasicSecurityConfig extends WebSecurityConfigurerAdapter { + * public class HttpBasicSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests((authorizeRequests) -> * authorizeRequests * .antMatchers("/**").hasRole("USER") * ) * .httpBasic(withDefaults()); + * return http.build(); + * } + * + * @Bean + * public UserDetailsService userDetailsService() { + * UserDetails user = User.withDefaultPasswordEncoder() + * .username("user") + * .password("password") + * .roles("USER") + * .build(); + * return new InMemoryUserDetailsManager(user); * } * } * @@ -2620,10 +2932,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class PasswordManagementSecurityConfig extends WebSecurityConfigurerAdapter { + * public class PasswordManagementSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .authorizeRequests(authorizeRequests -> * authorizeRequests @@ -2633,7 +2945,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @param passwordManagementCustomizer the {@link Customizer} to provide more options 
@@ -2781,10 +3094,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { + * public class RequestMatchersSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .requestMatchers() * .antMatchers("/api/**", "/oauth/**") @@ -2793,13 +3106,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -2809,10 +3126,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { + * public class RequestMatchersSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .requestMatchers() * .antMatchers("/api/**") @@ -2822,13 +3139,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -2838,10 +3159,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { + * public class RequestMatchersSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .requestMatchers() * .antMatchers("/api/**") @@ -2853,13 +3174,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder 
@@ -2892,10 +3217,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { + * public class RequestMatchersSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .requestMatchers((requestMatchers) -> * requestMatchers @@ -2906,6 +3231,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -2915,10 +3251,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { + * public class RequestMatchersSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .requestMatchers((requestMatchers) -> * requestMatchers @@ -2930,6 +3266,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -2939,10 +3286,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder * @Configuration * @EnableWebSecurity - * public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { + * public class RequestMatchersSecurityConfig { * - * @Override - * protected void configure(HttpSecurity http) throws Exception { + * @Bean + * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { * http * .requestMatchers((requestMatchers) -> * requestMatchers @@ -2957,6 +3304,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder 
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
index 6903b4afc0..52b21c0af9 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
@@ -41,7 +41,6 @@ import org.springframework.security.config.annotation.web.AbstractRequestMatcher
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.web.DefaultSecurityFilterChain;
@@ -76,8 +75,7 @@ import org.springframework.web.filter.DelegatingFilterProxy;
 * *

* Customizations to the {@link WebSecurity} can be made by creating a - * {@link WebSecurityConfigurer}, overriding {@link WebSecurityConfigurerAdapter} or - * exposing a {@link WebSecurityCustomizer} bean. + * {@link WebSecurityConfigurer} or exposing a {@link WebSecurityCustomizer} bean. *

* * @author Rob Winch @@ -199,7 +197,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder * Typically this method is invoked automatically within the framework from - * {@link WebSecurityConfigurerAdapter#init(WebSecurity)} + * {@link WebSecurityConfiguration#springSecurityFilterChain()} *

* @param securityFilterChainBuilder the builder to use to create the * {@link SecurityFilterChain} instances @@ -257,7 +255,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder "At least one SecurityBuilder needs to be specified. " - + "Typically this is done by exposing a SecurityFilterChain bean " - + "or by adding a @Configuration that extends WebSecurityConfigurerAdapter. " + + "Typically this is done by exposing a SecurityFilterChain bean. " + "More advanced users can invoke " + WebSecurity.class.getSimpleName() + ".addSecurityFilterChainBuilder directly"); int chainSize = this.ignoredRequests.size() + this.securityFilterChainBuilders.size(); diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java index 1bd9857bbf..f4d4b00211 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -54,10 +54,9 @@ import org.springframework.util.Assert;
 /**
 * Uses a {@link WebSecurity} to create the {@link FilterChainProxy} that performs the web
 * based security for Spring Security. It then exports the necessary beans. Customizations
- * can be made to {@link WebSecurity} by extending {@link WebSecurityConfigurerAdapter}
- * and exposing it as a {@link Configuration} or implementing
- * {@link WebSecurityConfigurer} and exposing it as a {@link Configuration}. This
- * configuration is imported when using {@link EnableWebSecurity}.
+ * can be made to {@link WebSecurity} by implementing {@link WebSecurityConfigurer} and
+ * exposing it as a {@link Configuration} or exposing a {@link WebSecurityCustomizer}
+ * bean. This configuration is imported when using {@link EnableWebSecurity}.
 *
 * @author Rob Winch
 * @author Keesun Baik
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java
index 51f3791c7c..575fa78809 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java
@@ -25,7 +25,7 @@ import org.springframework.http.MediaType; import org.springframework.security.authentication.AuthenticationDetailsSource; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.web.HttpSecurityBuilder; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.PortMapper; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; @@ -305,14 +305,14 @@ public abstract class AbstractAuthenticationFilterConfigurer * Specifies the URL to send users to if login is required. If used with - * {@link WebSecurityConfigurerAdapter} a default login page will be generated when - * this attribute is not specified. + * {@link EnableWebSecurity} a default login page will be generated when this + * attribute is not specified. *

* *

* If a URL is specified or this is not being used in conjunction with - * {@link WebSecurityConfigurerAdapter}, users are required to process the specified - * URL to generate a login page. + * {@link EnableWebSecurity}, users are required to process the specified URL to + * generate a login page. *

*/ protected T loginPage(String loginPage) { diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java index 557fd1ee39..2927deb825 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ import java.util.Map; import jakarta.servlet.http.HttpServletRequest; import org.springframework.security.config.annotation.web.HttpSecurityBuilder; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter; @@ -30,7 +30,7 @@ import org.springframework.security.web.csrf.CsrfToken; /** * Adds a Filter that will generate a login page if one is not specified otherwise when - * using {@link WebSecurityConfigurerAdapter}. + * using {@link EnableWebSecurity}. * *

* By default an @@ -64,7 +64,7 @@ import org.springframework.security.web.csrf.CsrfToken; * * @author Rob Winch * @since 3.2 - * @see WebSecurityConfigurerAdapter + * @see EnableWebSecurity */ public final class DefaultLoginPageConfigurer> extends AbstractHttpConfigurer, H> { diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java index 32db2e8f16..861288c2a5 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2013 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,7 +18,7 @@ package org.springframework.security.config.annotation.web.configurers; import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler; import org.springframework.security.web.authentication.ForwardAuthenticationSuccessHandler; @@ -84,15 +84,15 @@ public final class FormLoginConfigurer> extends /** *

* Specifies the URL to send users to if login is required. If used with - * {@link WebSecurityConfigurerAdapter} a default login page will be generated when - * this attribute is not specified. + * {@link EnableWebSecurity} a default login page will be generated when this + * attribute is not specified. *

* *

* If a URL is specified or this is not being used in conjunction with - * {@link WebSecurityConfigurerAdapter}, users are required to process the specified - * URL to generate a login page. In general, the login page should create a form that - * submits a request with the following requirements to work with + * {@link EnableWebSecurity}, users are required to process the specified URL to + * generate a login page. In general, the login page should create a form that submits + * a request with the following requirements to work with * {@link UsernamePasswordAuthenticationFilter}: *

* diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java index 0ad06d2274..f5a2437739 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,7 +26,7 @@ import jakarta.servlet.http.HttpServletRequest; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.web.header.HeaderWriter; import org.springframework.security.web.header.HeaderWriterFilter; import org.springframework.security.web.header.writers.CacheControlHeadersWriter; @@ -50,7 +50,7 @@ import org.springframework.util.Assert; /** *

* Adds the Security HTTP headers to the response. Security HTTP headers is activated by - * default when using {@link WebSecurityConfigurerAdapter}'s default constructor. + * default when using {@link EnableWebSecurity}'s default constructor. *

* *
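Review bot: The replaced sentence in the HeadersConfigurer class Javadoc now reads "default when using {@link EnableWebSecurity}'s default constructor", but `EnableWebSecurity` is an annotation and has no constructor; the phrase only made sense for the adapter class it replaced. This Javadoc tells readers when the security response headers are on by default, so it should stay precise: `* default when using {@link EnableWebSecurity}.` would match the wording the same commit uses in DefaultLoginPageConfigurer. The class Javadoc continues outside the hunk.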

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java index ad4e1c082b..0fd48f181d 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java @@ -22,10 +22,8 @@ import org.springframework.beans.factory.NoSuchBeanDefinitionException; import org.springframework.context.ApplicationContext; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.RememberMeAuthenticationProvider; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; 
@@ -150,13 +148,10 @@ public final class RememberMeConfigurer> /** * Specifies the {@link UserDetailsService} used to look up the {@link UserDetails} - * when a remember me token is valid. The default is to use the - * {@link UserDetailsService} found by invoking - * {@link HttpSecurity#getSharedObject(Class)} which is set when using - * {@link WebSecurityConfigurerAdapter#configure(AuthenticationManagerBuilder)}. When - * using a {@link org.springframework.security.web.SecurityFilterChain} bean, the - * default is to look for a {@link UserDetailsService} bean. Alternatively, one can - * populate {@link #rememberMeServices(RememberMeServices)}. + * when a remember me token is valid. When using a + * {@link org.springframework.security.web.SecurityFilterChain} bean, the default is + * to look for a {@link UserDetailsService} bean. Alternatively, one can populate + * {@link #rememberMeServices(RememberMeServices)}. * @param userDetailsService the {@link UserDetailsService} to configure * @return the {@link RememberMeConfigurer} for further customization * @see AbstractRememberMeServices diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java index 69b85ecd13..267eaff74e 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java 
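Review bot: In the `userDetailsService(...)` Javadoc, the new text keeps the condition `When using a {@link org.springframework.security.web.SecurityFilterChain} bean`, which implies a second configuration style still exists even though this commit removes every adapter reference. Dropping the condition reads better: `* when a remember me token is valid. The default is to look for a` followed by `* {@link UserDetailsService} bean. Alternatively, one can populate`. The removed text also described lookup through `HttpSecurity#getSharedObject(Class)`. If the configurer still consults the shared object before falling back to the bean (the method body is outside this hunk, so this is unconfirmed), the Javadoc should keep one sentence on it, since that order decides which user store a valid remember-me token is resolved against.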
@@ -24,13 +24,11 @@ import org.springframework.security.authentication.AuthenticationDetailsSource; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.Authentication; import org.springframework.security.core.userdetails.AuthenticationUserDetailsService; import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.AuthenticationEntryPoint; -import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint; import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider; import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; @@ -144,10 +142,7 @@ public final class X509Configurer> /** * Specifies the {@link AuthenticationUserDetailsService} to use. If not specified, - * the shared {@link UserDetailsService} will be used to create a - * {@link UserDetailsByNameServiceWrapper}. If a {@link SecurityFilterChain} bean is - * used instead of the {@link WebSecurityConfigurerAdapter}, then the - * {@link UserDetailsService} bean will be used by default. + * then the {@link UserDetailsService} bean will be used by default. * @param authenticationUserDetailsService the * {@link AuthenticationUserDetailsService} to use * @return the {@link X509Configurer} for further customizations
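Review bot: The shortened Javadoc on the `AuthenticationUserDetailsService` setter no longer says that the default `UserDetailsService` is wrapped in a `UserDetailsByNameServiceWrapper`. The import hunk above still keeps `UserDetailsByNameServiceWrapper` as a context line, which suggests the class is still used in code. If so, the sentence could keep that detail: `* then the {@link UserDetailsService} bean will be wrapped in a` followed by `* {@link UserDetailsByNameServiceWrapper} and used by default.` It would also help to state what happens when no `UserDetailsService` bean is defined, because for X.509 login this service supplies the account and authorities for the certificate's principal. The method body is outside the hunk, so both points should be checked against the implementation.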