Anyone who has used Spring Security knows how important WebSecurityConfigurerAdapter is: it manages the entire Spring Security configuration system. But this class is about to become obsolete. You read that right: it is marked @Deprecated in version 5.7 and will be removed in a future release (#10822).

Deprecate WebSecurityConfigurerAdapter

Since this configuration class will be deprecated soon, there must be a transition plan.

I have actually written an article before about some of the ways to use the new style. Here it is again; stop learning outdated techniques.

Requires Spring Security 5.4.x or above.

HttpSecurity old and new usage comparison

Old usage:

@Configuration
static class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**")
            .authorizeRequests(authorize -> authorize
                    .anyRequest().authenticated()
            );
    }
}

New Usage:

@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
            .antMatcher("/**")
            .authorizeRequests(authorize -> authorize
                    .anyRequest().authenticated()
            )
            .build();
}

For the underlying principles, see this article.

Comparison of old and new usage of WebSecurity

WebSecurity.ignoring() tells Spring Security to bypass the security filter chain entirely for the matched URLs. Those URLs therefore receive no protection at all and are exposed to CSRF, XSS, Clickjacking and other attacks. The following examples are for demonstration purposes only and should not be used in a production environment.

Old usage:


@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        // for demonstration only
        web.ignoring().antMatchers("/ignore1", "/ignore2");
    }

}

New Usage:

@Configuration
public class SecurityConfiguration {

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        // for demonstration only
        return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
    }

}

If you need to make certain URLs public, do so with the permitAll method of HttpSecurity.authorizeHttpRequests instead, which keeps those requests inside the security filter chain.

Comparison of old and new usage of AuthenticationManager

The AuthenticationManager configuration is mainly divided into global and local.

Old usage:

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication();
    }
}

The above is a local configuration, scoped to the WebSecurityConfigurerAdapter. To expose it globally, you need to override the authenticationManagerBean() method and mark it as a bean.

@Bean(name = "myAuthenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

New Usage:

Local configuration is implemented via HttpSecurity.authenticationManager.

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // CustomAuthenticationManager is your own AuthenticationManager implementation;
        // setting it here scopes it to this filter chain only (local configuration).
        return http
            .authorizeHttpRequests((authz) -> authz
                .anyRequest().authenticated()
            )
            .httpBasic(withDefaults())
            .authenticationManager(new CustomAuthenticationManager())
            .build();
    }

}

Global configuration no longer depends on the WebSecurityConfigurerAdapter.authenticationManagerBean() method; you only need to define a bean of type AuthenticationManager.

@Bean
AuthenticationManager ldapAuthenticationManager(
        BaseLdapPathContextSource contextSource) {
    // Build an LDAP bind-based AuthenticationManager and publish it as a global bean
    LdapBindAuthenticationManagerFactory factory =
        new LdapBindAuthenticationManagerFactory(contextSource);
    factory.setUserDnPatterns("uid={0},ou=people");
    factory.setUserDetailsContextMapper(new PersonContextMapper());
    return factory.createAuthenticationManager();
}
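The following added example (not code from the original article or from Spring Security) pulls the two migration points together in one adapter-free configuration: a global AuthenticationManager bean built from a DaoAuthenticationProvider, and the /ignore1 and /ignore2 paths made public with permitAll instead of WebSecurity.ignoring(), so CSRF protection and security headers still apply to them. It assumes Spring Security 5.7 (where antMatchers is still available on authorizeHttpRequests) and that UserDetailsService and PasswordEncoder beans are defined elsewhere in the application.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MigratedSecurityConfiguration {

    // Global AuthenticationManager: a plain bean, no adapter override required.
    // Assumption: UserDetailsService and PasswordEncoder beans exist elsewhere.
    @Bean
    public AuthenticationManager authenticationManager(UserDetailsService userDetailsService,
                                                       PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        return new ProviderManager(provider);
    }

    // Replaces WebSecurity.ignoring(): /ignore1 and /ignore2 need no authentication,
    // but they still pass through the filter chain, so CSRF protection and the
    // default security headers (X-Frame-Options, X-Content-Type-Options, ...) remain.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           AuthenticationManager authenticationManager) throws Exception {
        return http
            .authenticationManager(authenticationManager)
            .authorizeHttpRequests(authz -> authz
                .antMatchers("/ignore1", "/ignore2").permitAll()
                .anyRequest().authenticated()
            )
            .httpBasic(withDefaults())
            .build();
    }
}
```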

You can also customize the AuthenticationManagerBuilder by extending GlobalAuthenticationConfigurerAdapter and registering any number of such customizers as Spring beans, but be aware that there are ordering issues between them. Here is the relevant mind map.

GlobalAuthenticationConfigurerAdapter

Reference: https://mp.weixin.qq.com/s/fJsPZRa7p_IrtKo3xJQPDw