JAVA-29307 Upgrade spring-security-web-boot-4 (#15631)

* JAVA-29307 Upgrade spring-security-web-boot-4 * JAVA-29307 Changes after review --------- Co-authored-by: timis1 <noreplay@yahoo.com>
2024-01-15 22:13:28 +02:00 · 2024-01-15 22:13:28 +02:00 · 4e46f6626a
parent 75422c4bb8
commit 4e46f6626a
6 changed files with 43 additions and 52 deletions
--- a/spring-security-modules/spring-security-web-boot-4/pom.xml
+++ b/spring-security-modules/spring-security-web-boot-4/pom.xml
@ -11,7 +11,8 @@

    <parent>
        <groupId>com.baeldung</groupId>
-        <artifactId>spring-security-modules</artifactId>
+        <artifactId>parent-boot-3</artifactId>
+        <relativePath>../../parent-boot-3</relativePath>
        <version>0.0.1-SNAPSHOT</version>
    </parent>

@ -36,4 +37,8 @@
        </dependency>
    </dependencies>

+    <properties>
+        <start-class>com.baeldung.enablemethodsecurity.EnableMethodSecurityApplication</start-class>
+    </properties>
+
 </project>
--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationFilter.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationFilter.java
@ -4,12 +4,12 @@ import org.springframework.http.MediaType;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.filter.GenericFilterBean;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;

--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationService.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationService.java
@ -3,7 +3,8 @@ package com.baeldung.apikeyauthentication.configuration;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
-import javax.servlet.http.HttpServletRequest;
+
+import jakarta.servlet.http.HttpServletRequest;

 public class AuthenticationService {

--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/SecurityConfig.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/SecurityConfig.java
@ -2,8 +2,10 @@ package com.baeldung.apikeyauthentication.configuration;

 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@ -14,19 +16,11 @@ public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.csrf()
-          .disable()
-          .authorizeRequests()
-          .antMatchers("/**")
-          .authenticated()
-          .and()
-          .httpBasic()
-          .and()
-          .sessionManagement()
-          .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-          .and()
-          .addFilterBefore(new AuthenticationFilter(),
-            UsernamePasswordAuthenticationFilter.class);
+        http.csrf(AbstractHttpConfigurer::disable)
+          .authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> authorizationManagerRequestMatcherRegistry.requestMatchers("/**").authenticated())
+          .httpBasic(Customizer.withDefaults())
+          .sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+          .addFilterBefore(new AuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }
--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/enablemethodsecurity/configuration/SecurityConfig.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/enablemethodsecurity/configuration/SecurityConfig.java
@ -15,6 +15,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@ -55,14 +56,9 @@ public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.csrf()
-          .disable()
-          .authorizeRequests()
-          .anyRequest()
-          .authenticated()
-          .and()
-          .sessionManagement()
-          .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+        http.csrf(AbstractHttpConfigurer::disable)
+          .authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> authorizationManagerRequestMatcherRegistry.anyRequest().authenticated())
+          .sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

        return http.build();
    }
--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/securityfilterchain/configuration/SecurityConfig.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/securityfilterchain/configuration/SecurityConfig.java
@ -2,16 +2,20 @@ package com.baeldung.securityfilterchain.configuration;

 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
-import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;

+@Configuration
@EnableWebSecurity
-@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
+@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
 public class SecurityConfig {

    @Value("${spring.security.debug:false}")
@ -19,32 +23,23 @@ public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.csrf()
-          .disable()
-          .authorizeRequests()
-          .antMatchers(HttpMethod.DELETE)
-          .hasRole("ADMIN")
-          .antMatchers("/admin/**")
-          .hasAnyRole("ADMIN")
-          .antMatchers("/user/**")
-          .hasAnyRole("USER", "ADMIN")
-          .antMatchers("/login/**")
-          .permitAll()
-          .anyRequest()
-          .authenticated()
-          .and()
-          .httpBasic()
-          .and()
-          .sessionManagement()
-          .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+        http.csrf(AbstractHttpConfigurer::disable)
+          .authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
+                  authorizationManagerRequestMatcherRegistry.requestMatchers(HttpMethod.DELETE).hasRole("ADMIN")
+                          .requestMatchers("/admin/**").hasAnyRole("ADMIN")
+                          .requestMatchers("/user/**").hasAnyRole("USER", "ADMIN")
+                          .requestMatchers("/login/**").permitAll()
+                          .anyRequest().authenticated())
+          .httpBasic(Customizer.withDefaults())
+          .sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

        return http.build();
    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
-        return (web) -> web.debug(securityDebug)
-          .ignoring()
-          .antMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/favicon.ico");
+        return web -> web.debug(securityDebug)
+                .ignoring()
+                .requestMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/favicon.ico");
    }
 }