JAVA-14867 Update spring-security-web-login module under spring-security-modules to remove usage of deprecated WebSecurityConfigurerAdapter (#12852)

2022-10-11 21:12:39 +05:30 · 2022-10-11 21:12:39 +05:30 · 7cffc487ea
parent c4052100a0
commit 7cffc487ea
5 changed files with 175 additions and 123 deletions
--- a/spring-security-modules/spring-security-web-login/src/main/java/com/baeldung/loginextrafieldscustom/SecurityConfig.java
+++ b/spring-security-modules/spring-security-web-login/src/main/java/com/baeldung/loginextrafieldscustom/SecurityConfig.java
@ -3,19 +3,20 @@ package com.baeldung.loginextrafieldscustom;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.PropertySource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@EnableWebSecurity
@PropertySource("classpath:/application-extrafields.properties")
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecurityConfig extends AbstractHttpConfigurer<SecurityConfig, HttpSecurity> {
    @Autowired
    private CustomUserDetailsService userDetailsService;
@ -24,23 +25,36 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private PasswordEncoder passwordEncoder;
    @Override
-    protected void configure(HttpSecurity http) throws Exception {
+    public void configure(HttpSecurity http) throws Exception {
-        
+        AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
-        http
+        http.addFilterBefore(authenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class);
            .addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/css/**", "/index").permitAll()
                .antMatchers("/user/**").authenticated()
            .and()
            .formLogin().loginPage("/login")
            .and()
            .logout()
            .logoutUrl("/logout");
    }
-    public CustomAuthenticationFilter authenticationFilter() throws Exception {
+    public static SecurityConfig securityConfig() {
        return new SecurityConfig();
    }
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/css/**", "/index")
            .permitAll()
            .antMatchers("/user/**")
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .and()
            .logout()
            .logoutUrl("/logout")
            .and()
            .apply(securityConfig());
        return http.build();
    }
    public CustomAuthenticationFilter authenticationFilter(AuthenticationManager authenticationManager) throws Exception {
        CustomAuthenticationFilter filter = new CustomAuthenticationFilter();
-        filter.setAuthenticationManager(authenticationManagerBean());
+        filter.setAuthenticationManager(authenticationManager);
        filter.setAuthenticationFailureHandler(failureHandler());
        return filter;
    }
--- a/spring-security-modules/spring-security-web-login/src/main/java/com/baeldung/loginextrafieldssimple/SecurityConfig.java
+++ b/spring-security-modules/spring-security-web-login/src/main/java/com/baeldung/loginextrafieldssimple/SecurityConfig.java
@ -3,21 +3,22 @@ package com.baeldung.loginextrafieldssimple;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.PropertySource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@EnableWebSecurity
@PropertySource("classpath:/application-extrafields.properties")
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecurityConfig extends AbstractHttpConfigurer<SecurityConfig, HttpSecurity> {
    @Autowired
    private UserDetailsService userDetailsService;
@ -26,23 +27,36 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private PasswordEncoder passwordEncoder;
    @Override
-    protected void configure(HttpSecurity http) throws Exception {
+    public void configure(HttpSecurity http) throws Exception {
-        
+        AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
-        http
+        http.addFilterBefore(authenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class);
            .addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/css/**", "/index").permitAll()
                .antMatchers("/user/**").authenticated()
            .and()
            .formLogin().loginPage("/login")
            .and()
            .logout()
            .logoutUrl("/logout");
    }
-    public SimpleAuthenticationFilter authenticationFilter() throws Exception {
+    public static SecurityConfig securityConfig() {
        return new SecurityConfig();
    }
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/css/**", "/index")
            .permitAll()
            .antMatchers("/user/**")
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .and()
            .logout()
            .logoutUrl("/logout")
            .and()
            .apply(securityConfig());
        return http.getOrBuild();
    }
    public SimpleAuthenticationFilter authenticationFilter(AuthenticationManager authenticationManager) throws Exception {
        SimpleAuthenticationFilter filter = new SimpleAuthenticationFilter();
-        filter.setAuthenticationManager(authenticationManagerBean());
+        filter.setAuthenticationManager(authenticationManager);
        filter.setAuthenticationFailureHandler(failureHandler());
        return filter;
    }
--- a/spring-security-modules/spring-security-web-login/src/main/java/com/baeldung/security/config/SecSecurityConfig.java
+++ b/spring-security-modules/spring-security-web-login/src/main/java/com/baeldung/security/config/SecSecurityConfig.java
@ -3,12 +3,14 @@ package com.baeldung.security.config;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
@ -21,46 +23,54 @@ import com.baeldung.security.CustomLogoutSuccessHandler;
 // @ImportResource({ "classpath:webSecurityConfig.xml" })
@EnableWebSecurity
@Profile("!https")
-public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecSecurityConfig {
-    @Override
+    @Bean
-    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
+    public InMemoryUserDetailsManager userDetailsService() {
-        // @formatter:off
+        UserDetails user1 = User.withUsername("user1")
-        auth.inMemoryAuthentication()
+            .password(passwordEncoder().encode("user1Pass"))
-                .withUser("user1").password(passwordEncoder().encode("user1Pass")).roles("USER")
+            .roles("USER")
-                .and()
+            .build();
-                .withUser("user2").password(passwordEncoder().encode("user2Pass")).roles("USER")
+        UserDetails user2 = User.withUsername("user2")
-                .and()
+            .password(passwordEncoder().encode("user2Pass"))
-                .withUser("admin").password(passwordEncoder().encode("adminPass")).roles("ADMIN");
+            .roles("USER")
-        // @formatter:on
+            .build();
        UserDetails admin = User.withUsername("admin")
            .password(passwordEncoder().encode("adminPass"))
            .roles("ADMIN")
            .build();
        return new InMemoryUserDetailsManager(user1, user2, admin);
    }
-    @Override
+    @Bean
-    protected void configure(final HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        // @formatter:off
+        http.csrf()
-        http
+            .disable()
                .csrf().disable()
            .authorizeRequests()
-                .antMatchers("/admin/**").hasRole("ADMIN")
+            .antMatchers("/admin/**")
-                .antMatchers("/anonymous*").anonymous()
+            .hasRole("ADMIN")
-                .antMatchers("/login*").permitAll()
+            .antMatchers("/anonymous*")
-                .anyRequest().authenticated()
+            .anonymous()
            .antMatchers("/login*")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/login.html")
            .loginProcessingUrl("/perform_login")
            .defaultSuccessUrl("/homepage.html", true)
-                //.failureUrl("/login.html?error=true")
+            // .failureUrl("/login.html?error=true")
            .failureHandler(authenticationFailureHandler())
            .and()
            .logout()
            .logoutUrl("/perform_logout")
            .deleteCookies("JSESSIONID")
            .logoutSuccessHandler(logoutSuccessHandler());
-        //.and()
+        // .and()
-        //.exceptionHandling().accessDeniedPage("/accessDenied");
+        // .exceptionHandling().accessDeniedPage("/accessDenied");
-        //.exceptionHandling().accessDeniedHandler(accessDeniedHandler());
+        // .exceptionHandling().accessDeniedHandler(accessDeniedHandler());
-        // @formatter:on
+        return http.build();
    }
    @Bean
--- a/spring-security-modules/spring-security-web-login/src/main/java/com/baeldung/spring/ChannelSecSecurityConfig.java
+++ b/spring-security-modules/spring-security-web-login/src/main/java/com/baeldung/spring/ChannelSecSecurityConfig.java
@ -3,10 +3,12 @@ package com.baeldung.spring;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import com.baeldung.security.CustomLogoutSuccessHandler;
@ -15,31 +17,38 @@ import com.baeldung.security.CustomLogoutSuccessHandler;
 // @ImportResource({ "classpath:channelWebSecurityConfig.xml" })
@EnableWebSecurity
@Profile("https")
-public class ChannelSecSecurityConfig extends WebSecurityConfigurerAdapter {
+public class ChannelSecSecurityConfig {
-    @Override
+    @Bean
-    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
+    public InMemoryUserDetailsManager userDetailsService() {
-        // @formatter:off
+        UserDetails user1 = User.withUsername("user1")
-        auth.inMemoryAuthentication()
+            .password("user1Pass")
-        .withUser("user1").password("user1Pass").roles("USER")
+            .roles("USER")
-        .and()
+            .build();
-        .withUser("user2").password("user2Pass").roles("USER");
+        UserDetails user2 = User.withUsername("user2")
-        // @formatter:on
+            .password("user2Pass")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user1, user2);
    }
-    @Override
+    @Bean
-    protected void configure(final HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        // @formatter:off
+        http.csrf()
-        http
+            .disable()
        .csrf().disable()
            .authorizeRequests()
-        .antMatchers("/anonymous*").anonymous()
+            .antMatchers("/anonymous*")
-        .antMatchers("/login*").permitAll()
+            .anonymous()
-        .anyRequest().authenticated()
+            .antMatchers("/login*")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .requiresChannel()
-        .antMatchers("/login*", "/perform_login").requiresSecure()
+            .antMatchers("/login*", "/perform_login")
-        .anyRequest().requiresInsecure()
+            .requiresSecure()
            .anyRequest()
            .requiresInsecure()
            .and()
            .sessionManagement()
            .sessionFixation()
@ -48,14 +57,14 @@ public class ChannelSecSecurityConfig extends WebSecurityConfigurerAdapter {
            .formLogin()
            .loginPage("/login.html")
            .loginProcessingUrl("/perform_login")
-        .defaultSuccessUrl("/homepage.html",true)
+            .defaultSuccessUrl("/homepage.html", true)
            .failureUrl("/login.html?error=true")
            .and()
            .logout()
            .logoutUrl("/perform_logout")
            .deleteCookies("JSESSIONID")
            .logoutSuccessHandler(logoutSuccessHandler());
-        // @formatter:on
+        return http.build();
    }
    @Bean
--- a/spring-security-modules/spring-security-web-login/src/main/java/com/baeldung/spring/RedirectionSecurityConfig.java
+++ b/spring-security-modules/spring-security-web-login/src/main/java/com/baeldung/spring/RedirectionSecurityConfig.java
@ -1,26 +1,30 @@
 package com.baeldung.spring;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 //@Configuration
 //@ImportResource({ "classpath:RedirectionWebSecurityConfig.xml" })
 //@EnableWebSecurity
 //@Profile("!https")
-public class RedirectionSecurityConfig extends WebSecurityConfigurerAdapter {
+public class RedirectionSecurityConfig {
-    @Override
+    @Bean
-    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
+    public InMemoryUserDetailsManager userDetailsService() {
-        auth.inMemoryAuthentication()
+        UserDetails user1 = User.withUsername("user1")
            .withUser("user1")
            .password("user1Pass")
-            .roles("USER");
+            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user1);
    }
-    @Override
+    @Bean
-    protected void configure(final HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login*")
            .permitAll()
@ -30,6 +34,7 @@ public class RedirectionSecurityConfig extends WebSecurityConfigurerAdapter {
            .formLogin()
            .successHandler(new SavedRequestAwareAuthenticationSuccessHandler());
        // .successHandler(new RefererAuthenticationSuccessHandler())
        return http.build();
    }
 }