diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
index aa95ed89a5..b81d91421b 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,48 +26,56 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * Add this annotation to an {@code @Configuration} class to have the Spring Security
- * configuration defined in any {@link WebSecurityConfigurer} or more likely by extending
- * the {@link WebSecurityConfigurerAdapter} base class and overriding individual methods:
+ * configuration defined in any {@link WebSecurityConfigurer} or more likely by exposing a
+ * {@link SecurityFilterChain} bean:
  *
  *
* @Configuration
* @EnableWebSecurity
- * public class MyWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+ * public class MyWebSecurityConfiguration {
*
- * @Override
- * public void configure(WebSecurity web) throws Exception {
- * web.ignoring()
+ * @Bean
+ * public WebSecurityCustomizer webSecurityCustomizer() {
+ * return (web) -> web.ignoring()
* // Spring Security should completely ignore URLs starting with /resources/
* .antMatchers("/resources/**");
* }
*
- * @Override
- * protected void configure(HttpSecurity http) throws Exception {
+ * @Bean
+ * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http.authorizeRequests().antMatchers("/public/**").permitAll().anyRequest()
* .hasRole("USER").and()
* // Possibly more configuration ...
* .formLogin() // enable form based log in
* // set permitAll for all URLs associated with Form Login
* .permitAll();
+ * return http.build();
* }
*
- * @Override
- * protected void configure(AuthenticationManagerBuilder auth) throws Exception {
- * auth
- * // enable in memory based authentication with a user named "user" and "admin"
- * .inMemoryAuthentication().withUser("user").password("password").roles("USER")
- * .and().withUser("admin").password("password").roles("USER", "ADMIN");
+ * @Bean
+ * public UserDetailsService userDetailsService() {
+ * UserDetails user = User.withDefaultPasswordEncoder()
+ * .username("user")
+ * .password("password")
+ * .roles("USER")
+ * .build();
+ * UserDetails admin = User.withDefaultPasswordEncoder()
+ * .username("admin")
+ * .password("password")
+ * .roles("ADMIN", "USER")
+ * .build();
+ * return new InMemoryUserDetailsManager(user, admin);
* }
*
- * // Possibly more overridden methods ...
+ * // Possibly more bean methods ...
* }
*
*
* @see WebSecurityConfigurer
- * @see WebSecurityConfigurerAdapter
*
* @author Rob Winch
* @since 3.2
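Review bot: The new `userDetailsService()` sample in the Javadoc builds both accounts with `User.withDefaultPasswordEncoder()` and the literal password "password", and nothing in the sample marks this as demo-only. `withDefaultPasswordEncoder()` is deprecated in Spring Security specifically to signal that it is not safe for production, and because this is the Javadoc of the main entry-point annotation the snippet is likely to be copied as written. I would add a comment line above the first builder call, e.g. `// For demos only: withDefaultPasswordEncoder() is not production-safe; store hashed passwords and expose a PasswordEncoder bean instead`. Separately, the `webSecurityCustomizer()` sample keeps `web.ignoring()` for `/resources/**`, which takes those requests out of the filter chain altogether; a short comment pointing to `permitAll()` inside the `SecurityFilterChain` as the usual alternative would help readers choose deliberately.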