Remove references to WebSecurityConfigurerAdapter

* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer

Closes gh-11288

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/EnableGlobalAuthentication.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,10 +39,19 @@ import org.springframework.security.config.annotation.web.servlet.configuration.
  * @EnableGlobalAuthentication
  * public class MyGlobalAuthenticationConfiguration {
  *
- * 	@Autowired
+ * 	@Bean
- * 	public void configureGlobal(AuthenticationManagerBuilder auth) {
+ * 	public UserDetailsService userDetailsService() {
- * 		auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
+ * 		UserDetails user = User.withDefaultPasswordEncoder()
- * 				.and().withUser("admin").password("password").roles("USER", "ADMIN");
+ * 			.username("user")
+ * 			.password("password")
+ * 			.roles("USER")
+ * 			.build();
+ * 		UserDetails admin = User.withDefaultPasswordEncoder()
+ * 			.username("admin")
+ * 			.password("password")
+ * 			.roles("ADMIN", "USER")
+ * 			.build();
+ * 		return new InMemoryUserDetailsManager(user, admin);
  * 	}
  * }
  * </pre>
@@ -54,15 +63,24 @@ import org.springframework.security.config.annotation.web.servlet.configuration.
  * <pre class="code">
  * &#064;Configuration
  * &#064;EnableWebSecurity
- * public class MyWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+ * public class MyWebSecurityConfiguration {
  *
- * 	&#064;Autowired
+ * 	&#064;Bean
- * 	public void configureGlobal(AuthenticationManagerBuilder auth) {
+ * 	public UserDetailsService userDetailsService() {
- * 		auth.inMemoryAuthentication().withUser(&quot;user&quot;).password(&quot;password&quot;).roles(&quot;USER&quot;)
+ * 		UserDetails user = User.withDefaultPasswordEncoder()
- * 				.and().withUser(&quot;admin&quot;).password(&quot;password&quot;).roles(&quot;USER&quot;, &quot;ADMIN&quot;);
+ * 			.username(&quot;user&quot;)
+ * 			.password(&quot;password&quot;)
+ * 			.roles(&quot;USER&quot;)
+ * 			.build();
+ * 		UserDetails admin = User.withDefaultPasswordEncoder()
+ * 			.username(&quot;admin&quot;)
+ * 			.password(&quot;password&quot;)
+ * 			.roles(&quot;ADMIN&quot;, &quot;USER&quot;)
+ * 			.build();
+ * 		return new InMemoryUserDetailsManager(user, admin);
  * 	}
  *
- * 	// Possibly overridden methods ...
+ * 	// Possibly more bean methods ...
  * }
  * </pre>
  *

config/src/main/java/org/springframework/security/config/annotation/web/WebSecurityConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,19 +23,16 @@ import org.springframework.security.config.annotation.SecurityBuilder;
 import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * Allows customization to the {@link WebSecurity}. In most instances users will use
- * {@link EnableWebSecurity} and either create a {@link Configuration} that extends
+ * {@link EnableWebSecurity} and create a {@link Configuration} that exposes a
- * {@link WebSecurityConfigurerAdapter} or expose a {@link SecurityFilterChain} bean. Both
+ * {@link SecurityFilterChain} bean. This will automatically be applied to the
- * will automatically be applied to the {@link WebSecurity} by the
+ * {@link WebSecurity} by the {@link EnableWebSecurity} annotation.
- * {@link EnableWebSecurity} annotation.
  *
  * @author Rob Winch
  * @since 3.2
- * @see WebSecurityConfigurerAdapter
  * @see SecurityFilterChain
  */
 public interface WebSecurityConfigurer<T extends SecurityBuilder<Filter>> extends SecurityConfigurer<Filter, T> {

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -41,7 +41,6 @@ import org.springframework.security.config.annotation.web.AbstractRequestMatcher
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.web.DefaultSecurityFilterChain;
@@ -76,8 +75,7 @@ import org.springframework.web.filter.DelegatingFilterProxy;
  *
  * <p>
  * Customizations to the {@link WebSecurity} can be made by creating a
- * {@link WebSecurityConfigurer}, overriding {@link WebSecurityConfigurerAdapter} or
+ * {@link WebSecurityConfigurer} or exposing a {@link WebSecurityCustomizer} bean.
- * exposing a {@link WebSecurityCustomizer} bean.
  * </p>
  *
  * @author Rob Winch
@@ -199,7 +197,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 	 *
 	 * <p>
 	 * Typically this method is invoked automatically within the framework from
-	 * {@link WebSecurityConfigurerAdapter#init(WebSecurity)}
+	 * {@link WebSecurityConfiguration#springSecurityFilterChain()}
 	 * </p>
 	 * @param securityFilterChainBuilder the builder to use to create the
 	 * {@link SecurityFilterChain} instances
@@ -257,7 +255,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
 	/**
 	 * Sets the {@link FilterSecurityInterceptor}. This is typically invoked by
-	 * {@link WebSecurityConfigurerAdapter}.
+	 * {@link WebSecurityConfiguration#springSecurityFilterChain()}.
 	 * @param securityInterceptor the {@link FilterSecurityInterceptor} to use
 	 * @return the {@link WebSecurity} for further customizations
 	 * @deprecated Use {@link #privilegeEvaluator(WebInvocationPrivilegeEvaluator)}
@@ -296,8 +294,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 	protected Filter performBuild() throws Exception {
 		Assert.state(!this.securityFilterChainBuilders.isEmpty(),
 				() -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. "
-						+ "Typically this is done by exposing a SecurityFilterChain bean "
+						+ "Typically this is done by exposing a SecurityFilterChain bean. "
-						+ "or by adding a @Configuration that extends WebSecurityConfigurerAdapter. "
 						+ "More advanced users can invoke " + WebSecurity.class.getSimpleName()
 						+ ".addSecurityFilterChainBuilder directly");
 		int chainSize = this.ignoredRequests.size() + this.securityFilterChainBuilders.size();

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -54,10 +54,9 @@ import org.springframework.util.Assert;
 /**
  * Uses a {@link WebSecurity} to create the {@link FilterChainProxy} that performs the web
  * based security for Spring Security. It then exports the necessary beans. Customizations
- * can be made to {@link WebSecurity} by extending {@link WebSecurityConfigurerAdapter}
+ * can be made to {@link WebSecurity} by implementing {@link WebSecurityConfigurer} and
- * and exposing it as a {@link Configuration} or implementing
+ * exposing it as a {@link Configuration} or exposing a {@link WebSecurityCustomizer}
- * {@link WebSecurityConfigurer} and exposing it as a {@link Configuration}. This
+ * bean. This configuration is imported when using {@link EnableWebSecurity}.
- * configuration is imported when using {@link EnableWebSecurity}.
  *
  * @author Rob Winch
  * @author Keesun Baik

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java

@@ -25,7 +25,7 @@ import org.springframework.http.MediaType;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.PortMapper;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
@@ -305,14 +305,14 @@ public abstract class AbstractAuthenticationFilterConfigurer<B extends HttpSecur
 	/**
 	 * <p>
 	 * Specifies the URL to send users to if login is required. If used with
-	 * {@link WebSecurityConfigurerAdapter} a default login page will be generated when
+	 * {@link EnableWebSecurity} a default login page will be generated when this
-	 * this attribute is not specified.
+	 * attribute is not specified.
 	 * </p>
 	 *
 	 * <p>
 	 * If a URL is specified or this is not being used in conjunction with
-	 * {@link WebSecurityConfigurerAdapter}, users are required to process the specified
+	 * {@link EnableWebSecurity}, users are required to process the specified URL to
-	 * URL to generate a login page.
+	 * generate a login page.
 	 * </p>
 	 */
 	protected T loginPage(String loginPage) {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@ import java.util.Map;
 import jakarta.servlet.http.HttpServletRequest;
 
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter;
@@ -30,7 +30,7 @@ import org.springframework.security.web.csrf.CsrfToken;
 
 /**
  * Adds a Filter that will generate a login page if one is not specified otherwise when
- * using {@link WebSecurityConfigurerAdapter}.
+ * using {@link EnableWebSecurity}.
  *
  * <p>
  * By default an
@@ -64,7 +64,7 @@ import org.springframework.security.web.csrf.CsrfToken;
  *
  * @author Rob Winch
  * @since 3.2
- * @see WebSecurityConfigurerAdapter
+ * @see EnableWebSecurity
  */
 public final class DefaultLoginPageConfigurer<H extends HttpSecurityBuilder<H>>
 		extends AbstractHttpConfigurer<DefaultLoginPageConfigurer<H>, H> {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,7 +18,7 @@ package org.springframework.security.config.annotation.web.configurers;
 
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.ForwardAuthenticationSuccessHandler;
@@ -84,15 +84,15 @@ public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
 	/**
 	 * <p>
 	 * Specifies the URL to send users to if login is required. If used with
-	 * {@link WebSecurityConfigurerAdapter} a default login page will be generated when
+	 * {@link EnableWebSecurity} a default login page will be generated when this
-	 * this attribute is not specified.
+	 * attribute is not specified.
 	 * </p>
 	 *
 	 * <p>
 	 * If a URL is specified or this is not being used in conjunction with
-	 * {@link WebSecurityConfigurerAdapter}, users are required to process the specified
+	 * {@link EnableWebSecurity}, users are required to process the specified URL to
-	 * URL to generate a login page. In general, the login page should create a form that
+	 * generate a login page. In general, the login page should create a form that submits
-	 * submits a request with the following requirements to work with
+	 * a request with the following requirements to work with
 	 * {@link UsernamePasswordAuthenticationFilter}:
 	 * </p>
 	 *

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@ import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.security.web.header.writers.CacheControlHeadersWriter;
@@ -50,7 +50,7 @@ import org.springframework.util.Assert;
 /**
  * <p>
  * Adds the Security HTTP headers to the response. Security HTTP headers is activated by
- * default when using {@link WebSecurityConfigurerAdapter}'s default constructor.
+ * default when using {@link EnableWebSecurity}'s default constructor.
  * </p>
  *
  * <p>

config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java

@@ -22,10 +22,8 @@ import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.RememberMeAuthenticationProvider;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
@@ -150,13 +148,10 @@ public final class RememberMeConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Specifies the {@link UserDetailsService} used to look up the {@link UserDetails}
-	 * when a remember me token is valid. The default is to use the
+	 * when a remember me token is valid. When using a
-	 * {@link UserDetailsService} found by invoking
+	 * {@link org.springframework.security.web.SecurityFilterChain} bean, the default is
-	 * {@link HttpSecurity#getSharedObject(Class)} which is set when using
+	 * to look for a {@link UserDetailsService} bean. Alternatively, one can populate
-	 * {@link WebSecurityConfigurerAdapter#configure(AuthenticationManagerBuilder)}. When
+	 * {@link #rememberMeServices(RememberMeServices)}.
-	 * using a {@link org.springframework.security.web.SecurityFilterChain} bean, the
-	 * default is to look for a {@link UserDetailsService} bean. Alternatively, one can
-	 * populate {@link #rememberMeServices(RememberMeServices)}.
 	 * @param userDetailsService the {@link UserDetailsService} to configure
 	 * @return the {@link RememberMeConfigurer} for further customization
 	 * @see AbstractRememberMeServices

config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java

@@ -24,13 +24,11 @@ import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
@@ -144,10 +142,7 @@ public final class X509Configurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Specifies the {@link AuthenticationUserDetailsService} to use. If not specified,
-	 * the shared {@link UserDetailsService} will be used to create a
+	 * then the {@link UserDetailsService} bean will be used by default.
-	 * {@link UserDetailsByNameServiceWrapper}. If a {@link SecurityFilterChain} bean is
-	 * used instead of the {@link WebSecurityConfigurerAdapter}, then the
-	 * {@link UserDetailsService} bean will be used by default.
 	 * @param authenticationUserDetailsService the
 	 * {@link AuthenticationUserDetailsService} to use
 	 * @return the {@link X509Configurer} for further customizations