Java-29290 :- Upgrade spring-security-core-2 to use Spring Boot 3 (#15491)

* Made changes to upgrade to Spring Boot 3 from Boot 2

* JAVA-29290 :- Changed to use @Import for initializing the config.

* JAVA-29290 :- Made changes to use authorizeHttpRequests as authorizeRequests is deprecated

* Minor formatting fixes

* JAVA-29290 : Formatting changes

spring-security-modules/spring-security-core-2/pom.xml

@@ -10,12 +10,13 @@
 
     <parent>
         <groupId>com.baeldung</groupId>
-        <artifactId>spring-security-modules</artifactId>
+        <artifactId>parent-boot-3</artifactId>
         <version>0.0.1-SNAPSHOT</version>
+        <relativePath>../../parent-boot-3</relativePath>
     </parent>
 
     <properties>
-        <spring.security.version>5.8.4</spring.security.version>
+        <start-class>com.baeldung.authresolver.AuthResolverApplication</start-class>
     </properties>
 
     <dependencies>
@@ -55,12 +56,10 @@
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-web</artifactId>
-            <version>${spring.security.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-core</artifactId>
-            <version>${spring.security.version}</version>
         </dependency>
     </dependencies>
 

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/authresolver/CustomWebSecurityConfigurer.java

@@ -1,7 +1,8 @@
 package com.baeldung.authresolver;
 
 import java.util.Collections;
-import javax.servlet.http.HttpServletRequest;
+
+import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/ClientErrorLoggingConfigurer.java

@@ -1,11 +1,11 @@
 package com.baeldung.dsl;
 
-import java.util.List;
-
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.access.intercept.AuthorizationFilter;
+
+import java.util.List;
 
 public class ClientErrorLoggingConfigurer extends AbstractHttpConfigurer<ClientErrorLoggingConfigurer, HttpSecurity> {
 
@@ -26,7 +26,7 @@ public class ClientErrorLoggingConfigurer extends AbstractHttpConfigurer<ClientE
 
     @Override
     public void configure(HttpSecurity http) throws Exception {
-        http.addFilterAfter(new ClientErrorLoggingFilter(errorCodes), FilterSecurityInterceptor.class);
+        http.addFilterAfter(new ClientErrorLoggingFilter(errorCodes),  AuthorizationFilter.class);
     }
 
 }

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/ClientErrorLoggingFilter.java

@@ -1,14 +1,10 @@
 package com.baeldung.dsl;
 
-import java.io.IOException;
+import jakarta.servlet.FilterChain;
-import java.util.List;
+import jakarta.servlet.ServletException;
-
+import jakarta.servlet.ServletRequest;
-import javax.servlet.FilterChain;
+import jakarta.servlet.ServletResponse;
-import javax.servlet.ServletException;
+import jakarta.servlet.http.HttpServletResponse;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.springframework.http.HttpStatus;
@@ -16,6 +12,9 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.filter.GenericFilterBean;
 
+import java.io.IOException;
+import java.util.List;
+
 public class ClientErrorLoggingFilter extends GenericFilterBean {
 
     private static final Logger logger = LogManager.getLogger(ClientErrorLoggingFilter.class);

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/SecurityConfig.java

@@ -2,6 +2,7 @@ package com.baeldung.dsl;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -15,14 +16,12 @@ public class SecurityConfig {
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.authorizeRequests()
+        http.authorizeHttpRequests(auth -> auth
-            .antMatchers("/admin*")
+            .requestMatchers("/admin*")
             .hasAnyRole("ADMIN")
             .anyRequest()
-            .authenticated()
+            .authenticated())
-            .and()
+            .formLogin(Customizer.withDefaults())
-            .formLogin()
-            .and()
             .apply(clientErrorLogging());
         return http.build();
     }

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAccessDeniedHandler.java

@@ -1,13 +1,12 @@
 package com.baeldung.exceptionhandler.security;
 
-import java.io.IOException;
+import jakarta.servlet.http.HttpServletRequest;
-
+import jakarta.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.access.AccessDeniedHandler;
 
+import java.io.IOException;
+
 public class CustomAccessDeniedHandler implements AccessDeniedHandler {
 
     @Override

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAuthenticationFailureHandler.java

@@ -1,13 +1,12 @@
 package com.baeldung.exceptionhandler.security;
 
-import java.io.IOException;
+import jakarta.servlet.http.HttpServletRequest;
-
+import jakarta.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 
+import java.io.IOException;
+
 public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
 
     @Override

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAuthenticationSuccessHandler.java

@@ -1,17 +1,16 @@
 package com.baeldung.exceptionhandler.security;
 
-import java.io.IOException;
+import jakarta.servlet.ServletException;
-
+import jakarta.servlet.http.HttpServletRequest;
-import javax.servlet.ServletException;
+import jakarta.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpSession;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 
+import java.io.IOException;
+
 public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
 
     @Override

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/SecurityConfig.java

@@ -1,8 +1,10 @@
 package com.baeldung.exceptionhandler.security;
 
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -41,30 +43,23 @@ public class SecurityConfig {
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.csrf()
+        http.csrf(AbstractHttpConfigurer::disable)
-            .disable()
+            .httpBasic(AbstractHttpConfigurer::disable)
-            .httpBasic()
+            .authorizeHttpRequests(auth -> auth
-            .disable()
+                .requestMatchers("/login")
-            .authorizeRequests()
-            .antMatchers("/login")
                 .permitAll()
-            .antMatchers("/customError")
+                .requestMatchers("/customError")
                 .permitAll()
-            .antMatchers("/access-denied")
+                .requestMatchers("/access-denied")
                 .permitAll()
-            .antMatchers("/secured")
+                .requestMatchers("/secured")
                 .hasRole("ADMIN")
                 .anyRequest()
-            .authenticated()
+                .authenticated())
-            .and()
+            .formLogin(form -> form.failureHandler(authenticationFailureHandler())
-            .formLogin()
+                .successHandler(authenticationSuccessHandler()))
-            .failureHandler(authenticationFailureHandler())
+            .exceptionHandling(ex -> ex.accessDeniedHandler(accessDeniedHandler()))
-            .successHandler(authenticationSuccessHandler())
+            .logout(Customizer.withDefaults());
-            .and()
-            .exceptionHandling()
-            .accessDeniedHandler(accessDeniedHandler())
-            .and()
-            .logout();
         return http.build();
     }
 

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/CustomAuthenticationEntryPoint.java

@@ -3,10 +3,9 @@ package com.baeldung.global.exceptionhandler.security;
 import java.io.IOException;
 import java.io.OutputStream;
 
-import javax.servlet.ServletException;
+import jakarta.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletResponse;
-
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.security.core.AuthenticationException;

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/CustomSecurityConfig.java

@@ -4,6 +4,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
@@ -34,17 +35,13 @@ public class CustomSecurityConfig {
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.requestMatchers()
+        http.authorizeHttpRequests(auth -> auth
-            .antMatchers("/login")
+                .requestMatchers("/login")
-            .and()
+                .authenticated()
-            .authorizeRequests()
                 .anyRequest()
-            .hasRole("ADMIN")
+                .hasRole("ADMIN"))
-            .and()
+                .httpBasic(basic -> basic.authenticationEntryPoint(authEntryPoint))
-            .httpBasic()
+                .exceptionHandling(Customizer.withDefaults());
-            .and()
-            .exceptionHandling()
-            .authenticationEntryPoint(authEntryPoint);
         return http.build();
     }
 

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/DelegatedAuthenticationEntryPoint.java

@@ -1,11 +1,8 @@
 package com.baeldung.global.exceptionhandler.security;
 
-import java.io.IOException;
+import jakarta.servlet.ServletException;
-
+import jakarta.servlet.http.HttpServletRequest;
-import javax.servlet.ServletException;
+import jakarta.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.core.AuthenticationException;
@@ -13,6 +10,8 @@ import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.stereotype.Component;
 import org.springframework.web.servlet.HandlerExceptionResolver;
 
+import java.io.IOException;
+
 @Component("delegatedAuthenticationEntryPoint")
 public class DelegatedAuthenticationEntryPoint implements AuthenticationEntryPoint {
 

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/DelegatedSecurityConfig.java

@@ -5,6 +5,7 @@ import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
@@ -24,17 +25,11 @@ public class DelegatedSecurityConfig {
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.requestMatchers()
+        http.authorizeHttpRequests(auth -> auth
-            .antMatchers("/login-handler")
+                .requestMatchers("/login-handler")
-            .and()
+                .hasRole("ADMIN"))
-            .authorizeRequests()
+            .httpBasic(basic -> basic.authenticationEntryPoint(authEntryPoint))
-            .anyRequest()
+            .exceptionHandling(Customizer.withDefaults());
-            .hasRole("ADMIN")
-            .and()
-            .httpBasic()
-            .and()
-            .exceptionHandling()
-            .authenticationEntryPoint(authEntryPoint);
         return http.build();
     }
 

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/HttpSecurityConfig.java

@@ -2,8 +2,10 @@ package com.baeldung.httpsecurityvswebsecurity;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 
 @Configuration
@@ -13,18 +15,12 @@ public class HttpSecurityConfig {
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         // Given: HttpSecurity configured
-
+        http.authorizeHttpRequests(auth -> auth
-        http.authorizeRequests()
+          .requestMatchers("/public/**").permitAll()
-          .antMatchers("/public/**").permitAll()
+          .requestMatchers("/admin/**").hasRole("ADMIN")
-          .antMatchers("/admin/**").hasRole("ADMIN")
+          .anyRequest().authenticated())
-          .anyRequest().authenticated()
+          .formLogin(form -> form.loginPage("/login").permitAll())
-          .and()
+          .logout(LogoutConfigurer::permitAll);
-          .formLogin()
-          .loginPage("/login")
-          .permitAll()
-          .and()
-          .logout()
-          .permitAll();
 
         // When: Accessing specific URLs
         // Then: Access is granted based on defined rules

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/SecurityConfiguration.java

@@ -26,7 +26,7 @@ public class SecurityConfiguration {
 
     @Bean
     public HttpFirewall allowHttpMethod() {
-        List<String> allowedMethods = new ArrayList<String>();
+        List<String> allowedMethods = new ArrayList<>();
         allowedMethods.add("GET");
         allowedMethods.add("POST");
         StrictHttpFirewall firewall = new StrictHttpFirewall();
@@ -41,7 +41,7 @@ public class SecurityConfiguration {
 
     @Bean
     public WebSecurityCustomizer ignoringCustomizer() {
-        return (web) -> web.ignoring().antMatchers("/resources/**", "/static/**");
+        return (web) -> web.ignoring().requestMatchers("/resources/**", "/static/**");
     }
 
     @Bean
@@ -65,7 +65,8 @@ public class SecurityConfiguration {
 
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-        http.authorizeHttpRequests((authorize) -> authorize.antMatchers("/admin/**")
+        http.authorizeHttpRequests((authorize) ->
+                authorize.requestMatchers("/admin/**")
                     .hasRole("ADMIN")
                     .anyRequest()
                     .permitAll())

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/WebSecurityConfig.java

@@ -2,6 +2,7 @@ package com.baeldung.httpsecurityvswebsecurity;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -25,19 +26,21 @@ public class WebSecurityConfig {
   @Bean
   public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
-        AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
+    AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(
+        AuthenticationManagerBuilder.class);
     authenticationManagerBuilder.userDetailsService(userDetailsService);
     AuthenticationManager authenticationManager = authenticationManagerBuilder.build();
+    http.setSharedObject(AuthenticationManager.class, authenticationManager);
 
-        http.authorizeRequests()
+    http.authorizeHttpRequests(auth -> auth
-            .antMatchers("/")
+            .requestMatchers("/")
             .permitAll()
             .anyRequest()
-            .authenticated()
+            .authenticated())
-            .and()
+        .formLogin(Customizer.withDefaults())
-            .formLogin().and()
+        .sessionManagement((session) -> session
-            .authenticationManager(authenticationManager)
+            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+        );
 
     return http.build();
   }

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/xss/SecurityConf.java

@@ -2,9 +2,11 @@ package com.baeldung.xss;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
 
 @Configuration
 public class SecurityConf {
@@ -13,15 +15,17 @@ public class SecurityConf {
     public WebSecurityCustomizer webSecurityCustomizer() {
         // Ignoring here is only for this example. Normally people would apply their own authentication/authorization policies
         return (web) -> web.ignoring()
-            .antMatchers("/**");
+            .requestMatchers("/**");
     }
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.headers()
+        http.headers(headers ->
-            .xssProtection()
+            headers.xssProtection(
-            .and()
+                xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK)
-            .contentSecurityPolicy("script-src 'self'");
+            ).contentSecurityPolicy(
+                cps -> cps.policyDirectives("script-src 'self'")
+            ));
         return http.build();
     }
 }

spring-security-modules/spring-security-core-2/src/test/java/com/baeldung/exceptionhandler/SecurityConfigUnitTest.java

@@ -5,10 +5,17 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import com.baeldung.exceptionhandler.security.CustomAccessDeniedHandler;
+import com.baeldung.exceptionhandler.security.CustomAuthenticationFailureHandler;
+import com.baeldung.global.exceptionhandler.controller.LoginController;
+import com.baeldung.global.exceptionhandler.security.CustomAuthenticationEntryPoint;
+import com.baeldung.global.exceptionhandler.security.DelegatedAuthenticationEntryPoint;
 import org.junit.jupiter.api.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.context.annotation.Import;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
@@ -17,6 +24,7 @@ import com.baeldung.exceptionhandler.security.SecurityConfig;
 
 @RunWith(SpringRunner.class)
 @WebMvcTest(SecurityConfig.class)
+@Import(SecurityConfig.class)
 class SecurityConfigUnitTest {
     @Autowired
     private MockMvc mvc;