Anyone who has used WebSecurityConfigurerAdapter knows how important it is to Spring Security: it manages the whole Spring Security configuration system. But this class will soon be obsolete. You read that right: it will be marked @Deprecated in version 5.7 and removed in a future release (#10822).
Since this configuration class will be deprecated soon, there must be a transition plan.
I’ve actually written an article before about some of the ways to use the new version. Here it is again; stop learning outdated techniques.
Required version: Spring Security 5.4.x and above.
HttpSecurity old and new usage comparison
For related principles go to this article.
Comparison of old and new usage of WebSecurity
WebSecurity.ignoring() excludes certain URL requests from Spring Security altogether, which means that these URLs will be vulnerable to CSRF, XSS, clickjacking and other attacks. The following examples are for demonstration purposes only and should not be used in a production environment.
If you need to ignore URLs, consider doing so via the
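The HttpSecurity and WebSecurity comparisons above, as an added example that is not code from the original article: an adapter-based configuration next to its component-based equivalent. The class names, paths and the "legacy" profile are assumptions for illustration, and the code assumes Spring Security 5.4 to 5.7 (antMatchers was removed in 6.0); the new-style chain opens /static/** with permitAll so those requests still pass through the security filters.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

// Old style: every concern is an override on the adapter being deprecated.
@Configuration
@Profile("legacy") // hypothetical profile; adapter and SecurityFilterChain bean cannot both be active
class LegacySecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .formLogin(withDefaults());
    }

    @Override
    public void configure(WebSecurity web) {
        // /static/** skips the filter chain: no CSRF check, no security headers.
        web.ignoring().antMatchers("/static/**");
    }
}

// New style: no base class, each concern is a bean.
@Configuration
@Profile("!legacy")
class ComponentSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(a -> a
                .antMatchers("/static/**").permitAll() // open to everyone, still filtered
                .anyRequest().authenticated())
            .formLogin(withDefaults());
        return http.build();
    }

    // Direct counterpart of configure(WebSecurity). Shown for the mapping only;
    // anything matched here loses all Spring Security protection.
    @Bean
    WebSecurityCustomizer webSecurityCustomizer() {
        return web -> web.ignoring().antMatchers("/favicon.ico");
    }
}
```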
Comparison of old and new usage of AuthenticationManager
AuthenticationManager configuration is mainly divided into global and local.
The above is a local configuration enabled through WebSecurityConfigurerAdapter. To enable global configuration, you need to override the authenticationManagerBean() method and mark it as a bean.
Local configuration is implemented via
Global configuration gets rid of the dependency on the WebSecurityConfigurerAdapter.authenticationManagerBean() method and only needs to define a bean of type
Of course, you can also modify the AuthenticationManagerBuilder by writing a custom GlobalAuthenticationConfigurerAdapter and registering it in the Spring IoC container. There is no limit on how many you can register, but be aware that there are ordering issues. Here is the relevant mind map.