Remove remaining usage of WebSecurityConfigurerAdapter

servlet/spring-boot/java/hello-security-explicit/src/main/java/example/SecurityConfiguration.java

@@ -20,10 +20,10 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
@@ -34,19 +34,20 @@ import static org.springframework.security.config.Customizer.withDefaults;
  */
 @Configuration
 @EnableWebSecurity
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
 
-	@Override
+	@Bean
-	// @formatter:off
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	protected void configure(HttpSecurity http) throws Exception {
+		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
-				.anyRequest().authenticated()
+						.anyRequest().authenticated()
-			)
+				)
-			.httpBasic(withDefaults())
+				.httpBasic(withDefaults())
-			.formLogin(withDefaults());
+				.formLogin(withDefaults());
+		// @formatter:on
+		return http.build();
 	}
-	// @formatter:on
 
 	// @formatter:off
 	@Bean

servlet/spring-boot/java/jwt/login/src/main/java/example/RestConfig.java

@@ -31,7 +31,6 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.User;
@@ -43,6 +42,7 @@ import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
 import org.springframework.security.oauth2.server.resource.web.access.BearerTokenAccessDeniedHandler;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * Security configuration for the main application.
@@ -50,7 +50,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
  * @author Josh Cummings
  */
 @Configuration
-public class RestConfig extends WebSecurityConfigurerAdapter {
+public class RestConfig {
 
 	@Value("${jwt.public.key}")
 	RSAPublicKey key;
@@ -58,22 +58,23 @@ public class RestConfig extends WebSecurityConfigurerAdapter {
 	@Value("${jwt.private.key}")
 	RSAPrivateKey priv;
 
-	@Override
+	@Bean
-	protected void configure(HttpSecurity http) throws Exception {
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
-				.anyRequest().authenticated()
+						.anyRequest().authenticated()
-			)
+				)
-			.csrf((csrf) -> csrf.ignoringAntMatchers("/token"))
+				.csrf((csrf) -> csrf.ignoringAntMatchers("/token"))
-			.httpBasic(Customizer.withDefaults())
+				.httpBasic(Customizer.withDefaults())
-			.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
+				.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
-			.sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+				.sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-			.exceptionHandling((exceptions) -> exceptions
+				.exceptionHandling((exceptions) -> exceptions
-				.authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint())
+						.authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint())
-				.accessDeniedHandler(new BearerTokenAccessDeniedHandler())
+						.accessDeniedHandler(new BearerTokenAccessDeniedHandler())
-			);
+				);
 		// @formatter:on
+		return http.build();
 	}
 
 	@Bean

servlet/spring-boot/java/jwt/login/src/test/java/example/web/HelloControllerTests.java

@@ -16,10 +16,12 @@
 
 package example.web;
 
+import example.RestConfig;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.context.annotation.Import;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 
@@ -35,6 +37,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @author Josh Cummings
  */
 @WebMvcTest({ HelloController.class, TokenController.class })
+@Import(RestConfig.class)
 public class HelloControllerTests {
 
 	@Autowired

servlet/spring-boot/java/oauth2/login/src/integTest/java/example/OAuth2LoginApplicationTests.java

@@ -44,7 +44,6 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
@@ -63,6 +62,7 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
@@ -328,21 +328,22 @@ public class OAuth2LoginApplicationTests {
 	}
 
 	@EnableWebSecurity
-	public static class SecurityTestConfig extends WebSecurityConfigurerAdapter {
+	public static class SecurityTestConfig {
 
-		// @formatter:off
+		@Bean
-		@Override
+		public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
 			http
-				.authorizeHttpRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
-					.anyRequest().authenticated()
+							.anyRequest().authenticated()
-				)
+					)
-				.oauth2Login((oauth2) -> oauth2
+					.oauth2Login((oauth2) -> oauth2
-					.tokenEndpoint((token) -> token.accessTokenResponseClient(mockAccessTokenResponseClient()))
+							.tokenEndpoint((token) -> token.accessTokenResponseClient(mockAccessTokenResponseClient()))
-					.userInfoEndpoint((userInfo) -> userInfo.userService(mockUserService()))
+							.userInfoEndpoint((userInfo) -> userInfo.userService(mockUserService()))
-				);
+					);
+			// @formatter:on
+			return http.build();
 		}
-		// @formatter:on
 
 		private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> mockAccessTokenResponseClient() {
 			OAuth2AccessTokenResponse accessTokenResponse = OAuth2AccessTokenResponse.withToken("access-token-1234")

servlet/spring-boot/java/oauth2/resource-server/hello-security/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java

@@ -20,10 +20,10 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * OAuth resource configuration.
@@ -31,22 +31,23 @@ import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
  * @author Josh Cummings
  */
 @EnableWebSecurity
-public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class OAuth2ResourceServerSecurityConfiguration {
 
 	@Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
 	String jwkSetUri;
 
-	@Override
+	@Bean
-	protected void configure(HttpSecurity http) throws Exception {
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
-				.antMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read")
+						.antMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read")
-				.antMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write")
+						.antMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write")
-				.anyRequest().authenticated()
+						.anyRequest().authenticated()
-			)
+				)
-			.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
+				.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
 		// @formatter:on
+		return http.build();
 	}
 
 	@Bean

servlet/spring-boot/java/oauth2/resource-server/hello-security/src/test/java/example/OAuth2ResourceServerControllerTests.java

@@ -19,6 +19,7 @@ import org.junit.jupiter.api.Test;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.context.annotation.Import;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.test.web.servlet.MockMvc;
 
@@ -36,6 +37,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  *
  */
 @WebMvcTest(OAuth2ResourceServerController.class)
+@Import(OAuth2ResourceServerSecurityConfiguration.class)
 public class OAuth2ResourceServerControllerTests {
 
 	@Autowired

servlet/spring-boot/java/oauth2/resource-server/jwe/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java

@@ -42,9 +42,9 @@ import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.web.SecurityFilterChain;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
@@ -54,7 +54,7 @@ import static org.springframework.security.config.Customizer.withDefaults;
  * @author Josh Cummings
  */
 @EnableWebSecurity
-public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class OAuth2ResourceServerSecurityConfiguration {
 
 	private final JWSAlgorithm jwsAlgorithm = JWSAlgorithm.RS256;
 
@@ -68,16 +68,17 @@ public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfig
 	@Value("${sample.jwe-key-value}")
 	RSAPrivateKey key;
 
-	@Override
+	@Bean
-	protected void configure(HttpSecurity http) throws Exception {
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
-				.antMatchers("/message/**").hasAuthority("SCOPE_message:read")
+						.antMatchers("/message/**").hasAuthority("SCOPE_message:read")
-				.anyRequest().authenticated()
+						.anyRequest().authenticated()
-			)
+				)
-			.oauth2ResourceServer((oauth2) -> oauth2.jwt(withDefaults()));
+				.oauth2ResourceServer((oauth2) -> oauth2.jwt(withDefaults()));
 		// @formatter:on
+		return http.build();
 	}
 
 	@Bean

servlet/spring-boot/java/oauth2/resource-server/opaque/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java

@@ -16,10 +16,11 @@
 package example;
 
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * OAuth2 Security Configuration.
@@ -27,7 +28,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
  * @author Josh Cummings
  */
 @EnableWebSecurity
-public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class OAuth2ResourceServerSecurityConfiguration {
 
 	@Value("${spring.security.oauth2.resourceserver.opaque.introspection-uri}")
 	String introspectionUri;
@@ -38,22 +39,23 @@ public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfig
 	@Value("${spring.security.oauth2.resourceserver.opaque.introspection-client-secret}")
 	String clientSecret;
 
-	@Override
+	@Bean
-	protected void configure(HttpSecurity http) throws Exception {
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
-				.mvcMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read")
+						.mvcMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read")
-				.mvcMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write")
+						.mvcMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write")
-				.anyRequest().authenticated()
+						.anyRequest().authenticated()
-			)
-			.oauth2ResourceServer((oauth2) -> oauth2
-				.opaqueToken((opaque) -> opaque
-					.introspectionUri(this.introspectionUri)
-					.introspectionClientCredentials(this.clientId, this.clientSecret)
 				)
-			);
+				.oauth2ResourceServer((oauth2) -> oauth2
+						.opaqueToken((opaque) -> opaque
+								.introspectionUri(this.introspectionUri)
+								.introspectionClientCredentials(this.clientId, this.clientSecret)
+						)
+				);
 		// @formatter:on
+		return http.build();
 	}
 
 }

servlet/spring-boot/java/oauth2/resource-server/opaque/src/test/java/example/OAuth2ResourceServerControllerTests.java

@@ -19,6 +19,7 @@ import org.junit.jupiter.api.Test;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.context.annotation.Import;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
 import org.springframework.test.web.servlet.MockMvc;
@@ -36,6 +37,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @since 5.3
  */
 @WebMvcTest(OAuth2ResourceServerController.class)
+@Import(OAuth2ResourceServerSecurityConfiguration.class)
 public class OAuth2ResourceServerControllerTests {
 
 	@Autowired

servlet/spring-boot/java/oauth2/webclient/src/main/java/example/SecurityConfiguration.java

@@ -18,11 +18,11 @@ package example;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
@@ -32,20 +32,21 @@ import static org.springframework.security.config.Customizer.withDefaults;
  * @author Joe Grandja
  */
 @EnableWebSecurity
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
 
-	@Override
+	@Bean
-	protected void configure(HttpSecurity http) throws Exception {
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
-				.mvcMatchers("/", "/public/**").permitAll()
+						.mvcMatchers("/", "/public/**").permitAll()
-				.anyRequest().authenticated()
+						.anyRequest().authenticated()
-			)
+				)
-			.formLogin(withDefaults())
+				.formLogin(withDefaults())
-			.oauth2Login(withDefaults())
+				.oauth2Login(withDefaults())
-			.oauth2Client(withDefaults());
+				.oauth2Client(withDefaults());
 		// @formatter:on
+		return http.build();
 	}
 
 	@Bean

servlet/spring-boot/kotlin/hello-security/src/main/kotlin/org/springframework/security/samples/config/SecurityConfig.kt

@@ -19,32 +19,34 @@ package org.springframework.security.samples.config
 import org.springframework.context.annotation.Bean
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
 import org.springframework.security.config.web.servlet.invoke
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
+import org.springframework.security.web.SecurityFilterChain
 
 /**
  * @author Eleftheria Stein
  */
 @EnableWebSecurity
-class SecurityConfig : WebSecurityConfigurerAdapter() {
+class SecurityConfig {
 
-    override fun configure(http: HttpSecurity) {
+    @Bean
-       http {
+    fun filterChain(http: HttpSecurity): SecurityFilterChain {
+        http {
             authorizeRequests {
                 authorize("/css/**", permitAll)
                 authorize("/user/**", hasAuthority("ROLE_USER"))
             }
-           formLogin {
+            formLogin {
-               loginPage = "/log-in"
+                loginPage = "/log-in"
-           }
+            }
         }
+        return http.build()
     }
 
     @Bean
-    public override fun userDetailsService(): UserDetailsService {
+    fun userDetailsService(): UserDetailsService {
         val userDetails = User.withDefaultPasswordEncoder()
                 .username("user")
                 .password("password")