From d9c5c8e37c655e3e61526ffb385e43ec5469f143 Mon Sep 17 00:00:00 2001
From: anuragkumawat
Date: Wed, 5 Oct 2022 23:50:43 +0530
Subject: [PATCH] JAVA-14873 Update spring-security-web-boot-2 module under spring-security-modules to remove usage of deprecated WebSecurityConfigurerAdapter (#12772)
---
 .../customlogouthandler/MvcConfiguration.java | 49 ++++-----
 .../h2/config/SecurityConfiguration.java | 40 +++----
 .../LoginRedirectSecurityConfig.java | 57 ++++++----
 .../MultipleAuthProvidersSecurityConfig.java | 28 ++---
 .../MultipleEntryPointsSecurityConfig.java | 33 +++---
 .../MultipleLoginSecurityConfig.java | 100 ++++++++++++------
 .../java/com/baeldung/ssl/SecurityConfig.java | 14 +--
 7 files changed, 193 insertions(+), 128 deletions(-)
diff --git a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/customlogouthandler/MvcConfiguration.java b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/customlogouthandler/MvcConfiguration.java
index c363effb4e..a0900b976a 100644
--- a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/customlogouthandler/MvcConfiguration.java
+++ b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/customlogouthandler/MvcConfiguration.java
@@ -3,20 +3,21 @@ package com.baeldung.customlogouthandler; import javax.sql.DataSource; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.provisioning.JdbcUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler; import com.baeldung.customlogouthandler.web.CustomLogoutHandler; @Configuration @EnableWebSecurity -public class MvcConfiguration extends WebSecurityConfigurerAdapter { +public class MvcConfiguration { @Autowired private DataSource dataSource; 
@@ -24,32 +25,32 @@ public class MvcConfiguration extends WebSecurityConfigurerAdapter { @Autowired private CustomLogoutHandler logoutHandler; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.httpBasic() .and() - .authorizeRequests() - .antMatchers(HttpMethod.GET, "/user/**") - .hasRole("USER") + .authorizeRequests() + .antMatchers(HttpMethod.GET, "/user/**") + .hasRole("USER") .and() - .logout() - .logoutUrl("/user/logout") - .addLogoutHandler(logoutHandler) - .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK)) - .permitAll() + .logout() + .logoutUrl("/user/logout") + .addLogoutHandler(logoutHandler) + .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK)) + .permitAll() .and() - .csrf() - .disable() - .formLogin() - .disable(); + .csrf() + .disable() + .formLogin() + .disable(); + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth.jdbcAuthentication() - .dataSource(dataSource) - .usersByUsernameQuery("select login, password, true from users where login=?") - .authoritiesByUsernameQuery("select login, role from users where login=?"); + @Bean + public JdbcUserDetailsManager jdbcUserDetailsManager() throws Exception { + JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager(dataSource); + jdbcUserDetailsManager.setUsersByUsernameQuery("select login, password, true from users where login=?"); + jdbcUserDetailsManager.setAuthoritiesByUsernameQuery("select login, role from users where login=?"); + return jdbcUserDetailsManager; } - } 
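Review bot: The rules in `filterChain` cover only `GET /user/**`, and there is no `anyRequest()` rule after `.hasRole("USER")`, so every other path and method (including non-GET requests under `/user/**`) passes through this chain without an authorization decision. Since the migration rewrites the chain anyway, close it with a catch-all such as `.anyRequest().authenticated()`, or `.anyRequest().denyAll()` if nothing else is meant to be served, and list any intentionally public endpoints explicitly. Separately, `jdbcUserDetailsManager()` declares `throws Exception` although nothing in its body throws a checked exception, so the clause can be dropped.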
diff --git a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/jdbcauthentication/h2/config/SecurityConfiguration.java b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/jdbcauthentication/h2/config/SecurityConfiguration.java
index 49804e8458..f648383892 100644
--- a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/jdbcauthentication/h2/config/SecurityConfiguration.java
+++ b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/jdbcauthentication/h2/config/SecurityConfiguration.java
@@ -1,20 +1,21 @@ package com.baeldung.jdbcauthentication.h2.config; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.core.userdetails.User; -import org.springframework.security.crypto.password.PasswordEncoder; - import javax.sql.DataSource; -@Configuration -public class SecurityConfiguration extends WebSecurityConfigurerAdapter { +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.crypto.password.PasswordEncoder; +import org.springframework.security.web.SecurityFilterChain; - @Override - protected void configure(HttpSecurity httpSecurity) throws Exception { +@Configuration +public class SecurityConfiguration { + + @Bean + public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception { httpSecurity.authorizeRequests() .antMatchers("/h2-console/**") .permitAll() 
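Review bot: `/h2-console/**` is opened with `permitAll()` in `filterChain`, which exposes the H2 web console to unauthenticated clients wherever this configuration is active. The console accepts arbitrary SQL against the datasource, so the rule should be confined to local development, for example with `@Profile("dev")` on the class (profile name is a placeholder) or by requiring a role for that path. At minimum a comment above the matcher, such as `// H2 console is open for the tutorial only; never enable in a deployed profile`, would record the intent. The body of `filterChain` continues outside this hunk, so any further restriction there is not visible here.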
@@ -28,18 +29,17 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter { httpSecurity.headers() .frameOptions() .sameOrigin(); + return httpSecurity.build(); } @Autowired - public void configureGlobal(AuthenticationManagerBuilder auth, - DataSource dataSource, - PasswordEncoder passwordEncoder) throws Exception { + public void configureGlobal(AuthenticationManagerBuilder auth, DataSource dataSource, PasswordEncoder passwordEncoder) throws Exception { auth.jdbcAuthentication() - .dataSource(dataSource) - .withDefaultSchema() - .withUser(User.withUsername("user") - .password(passwordEncoder.encode("pass")) - .roles("USER")); + .dataSource(dataSource) + .withDefaultSchema() + .withUser(User.withUsername("user") + .password(passwordEncoder.encode("pass")) + .roles("USER")); } } \ No newline at end of file diff --git a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/loginredirect/LoginRedirectSecurityConfig.java b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/loginredirect/LoginRedirectSecurityConfig.java index 8bd3200608..2b69dc855b 100644 --- a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/loginredirect/LoginRedirectSecurityConfig.java +++ b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/loginredirect/LoginRedirectSecurityConfig.java 
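Review bot: `configureGlobal` seeds the account `user` with the literal password `pass` on every start, so any deployment of this configuration carries a known credential. If the account is sample-only, say so above the method with `// demo account for the tutorial; replace with externally provisioned users`; otherwise read the password from configuration instead of source. The method also still goes through `AuthenticationManagerBuilder` while the other classes in this commit moved to `UserDetailsService` or `JdbcUserDetailsManager` beans, which leaves two styles in the module.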
@@ -2,38 +2,53 @@ package com.baeldung.loginredirect; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; @Configuration @EnableWebSecurity -class LoginRedirectSecurityConfig extends WebSecurityConfigurerAdapter { +class LoginRedirectSecurityConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth.inMemoryAuthentication().withUser("user").password(encoder().encode("user")).roles("USER"); + @Bean + public InMemoryUserDetailsManager userDetailsService() { + UserDetails user = User.withUsername("user") + .password(encoder().encode("user")) + .roles("USER") + .build(); + return new InMemoryUserDetailsManager(user); } - @Override - protected void configure(HttpSecurity http) throws Exception { - - http - .addFilterAfter(new LoginPageFilter(), UsernamePasswordAuthenticationFilter.class) - - .authorizeRequests() - .antMatchers("/loginUser").permitAll() - .antMatchers("/user*").hasRole("USER") - - .and().formLogin().loginPage("/loginUser").loginProcessingUrl("/user_login") - 
.failureUrl("/loginUser?error=loginError").defaultSuccessUrl("/userMainPage").permitAll() - - .and().logout().logoutUrl("/user_logout").logoutSuccessUrl("/loginUser").deleteCookies("JSESSIONID") - .and().csrf().disable(); + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + http.addFilterAfter(new LoginPageFilter(), UsernamePasswordAuthenticationFilter.class) + .authorizeRequests() + .antMatchers("/loginUser") + .permitAll() + .antMatchers("/user*") + .hasRole("USER") + .and() + .formLogin() + .loginPage("/loginUser") + .loginProcessingUrl("/user_login") + .failureUrl("/loginUser?error=loginError") + .defaultSuccessUrl("/userMainPage") + .permitAll() + .and() + .logout() + .logoutUrl("/user_logout") + .logoutSuccessUrl("/loginUser") + .deleteCookies("JSESSIONID") + .and() + .csrf() + .disable(); + return http.build(); } @Bean diff --git a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multipleauthproviders/MultipleAuthProvidersSecurityConfig.java b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multipleauthproviders/MultipleAuthProvidersSecurityConfig.java index aa2ffc9046..fa2a7b2171 100644 --- a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multipleauthproviders/MultipleAuthProvidersSecurityConfig.java +++ b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multipleauthproviders/MultipleAuthProvidersSecurityConfig.java 
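Review bot: `filterChain` ends with `.csrf().disable()` on a chain that authenticates through `formLogin()` and a `JSESSIONID` cookie, so state-changing requests, including `/user_login` and `/user_logout`, are accepted without a CSRF token. The migration carried that over unchanged; unless the tutorial depends on it, drop the trailing `.and().csrf().disable()` and let the login form carry the token (logout would then have to be a POST). The same applies to `filterChainApp1` and `filterChainApp2` in MultipleLoginSecurityConfig later in this patch. Also note that `antMatchers("/user*")` does not match nested paths such as `/user/x`, and no `anyRequest()` rule follows it.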
@@ -2,39 +2,43 @@ package com.baeldung.multipleauthproviders; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; +import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; +import org.springframework.security.web.SecurityFilterChain; @EnableWebSecurity -public class MultipleAuthProvidersSecurityConfig extends WebSecurityConfigurerAdapter { +public class MultipleAuthProvidersSecurityConfig { @Autowired CustomAuthenticationProvider customAuthProvider; - @Override - public void configure(AuthenticationManagerBuilder auth) throws Exception { - - auth.authenticationProvider(customAuthProvider); - - auth.inMemoryAuthentication() + @Bean + public AuthenticationManager authManager(HttpSecurity http) throws Exception { + AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class); + authenticationManagerBuilder.authenticationProvider(customAuthProvider); + authenticationManagerBuilder.inMemoryAuthentication() .withUser("memuser") .password(passwordEncoder().encode("pass")) .roles("USER"); + return authenticationManagerBuilder.build(); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authManager) throws Exception { http.httpBasic() .and() .authorizeRequests() .antMatchers("/api/**") - .authenticated(); + 
.authenticated() + .and() + .authenticationManager(authManager); + return http.build(); } - + @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); diff --git a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multipleentrypoints/MultipleEntryPointsSecurityConfig.java b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multipleentrypoints/MultipleEntryPointsSecurityConfig.java index b6155fc100..46fc4880fa 100644 --- a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multipleentrypoints/MultipleEntryPointsSecurityConfig.java +++ b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multipleentrypoints/MultipleEntryPointsSecurityConfig.java @@ -5,13 +5,13 @@ import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.AuthenticationEntryPoint; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; 
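Review bot: `MultipleAuthProvidersSecurityConfig` now declares `@Bean` methods but is annotated only with `@EnableWebSecurity`; that works while `@EnableWebSecurity` is itself meta-annotated with `@Configuration`, which Spring Security 6 removes. Add `@Configuration` to the class so that `authManager`, `filterChain` and the `passwordEncoder()` call inside `authManager` keep full configuration-class semantics after the upgrade this commit prepares for. `SecurityConfig` in the `ssl` package at the end of the patch has the same shape. In `filterChain`, only `/api/**` has a rule; an explicit `.anyRequest()` decision would make the intent for other paths visible.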
@@ -35,18 +35,17 @@ public class MultipleEntryPointsSecurityConfig { @Configuration @Order(1) - public static class App1ConfigurationAdapter extends WebSecurityConfigurerAdapter { + public static class App1ConfigurationAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - //@formatter:off + @Bean + public SecurityFilterChain filterChainApp1(HttpSecurity http) throws Exception { http.antMatcher("/admin/**") .authorizeRequests().anyRequest().hasRole("ADMIN") .and().httpBasic().authenticationEntryPoint(authenticationEntryPoint()) .and().exceptionHandling().accessDeniedPage("/403"); - //@formatter:on + return http.build(); } - + @Bean public AuthenticationEntryPoint authenticationEntryPoint(){ BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint(); @@ -57,11 +56,10 @@ public class MultipleEntryPointsSecurityConfig { @Configuration @Order(2) - public static class App2ConfigurationAdapter extends WebSecurityConfigurerAdapter { + public static class App2ConfigurationAdapter { - protected void configure(HttpSecurity http) throws Exception { - - //@formatter:off + @Bean + public SecurityFilterChain filterChainApp2(HttpSecurity http) throws Exception { http.antMatcher("/user/**") .authorizeRequests().anyRequest().hasRole("USER") .and().formLogin().loginProcessingUrl("/user/login") @@ -73,7 +71,7 @@ public class MultipleEntryPointsSecurityConfig { .defaultAuthenticationEntryPointFor(loginUrlauthenticationEntryPoint(), new AntPathRequestMatcher("/user/general/**")) .accessDeniedPage("/403") .and().csrf().disable(); - //@formatter:on + return http.build(); } @Bean 
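Review bot: `@Order(1)` and `@Order(2)` remain on the nested `@Configuration` classes, but the ordered components are now the `SecurityFilterChain` beans, and as far as I know Spring takes `@Order` from the `@Bean` method or the bean type, not from the enclosing configuration class. The matchers here (`/admin/**`, `/user/**`, and `/guest/**` in the following hunk) do not overlap, so nothing breaks today, but the annotation no longer expresses an enforceable order. Move it onto the methods, e.g. `@Bean @Order(1) public SecurityFilterChain filterChainApp1(HttpSecurity http)`. The same applies to `App3ConfigurationAdapter` and to both adapters in MultipleLoginSecurityConfig; the adapter classes extend beyond these hunks.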
@@ -89,10 +87,15 @@ public class MultipleEntryPointsSecurityConfig { @Configuration @Order(3) - public static class App3ConfigurationAdapter extends WebSecurityConfigurerAdapter { + public static class App3ConfigurationAdapter { - protected void configure(HttpSecurity http) throws Exception { - http.antMatcher("/guest/**").authorizeRequests().anyRequest().permitAll(); + @Bean + public SecurityFilterChain filterChainApp3(HttpSecurity http) throws Exception { + http.antMatcher("/guest/**") + .authorizeRequests() + .anyRequest() + .permitAll(); + return http.build(); } } diff --git a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multiplelogin/MultipleLoginSecurityConfig.java b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multiplelogin/MultipleLoginSecurityConfig.java index 3d12951f39..e5079e5549 100644 --- a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multiplelogin/MultipleLoginSecurityConfig.java +++ b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multiplelogin/MultipleLoginSecurityConfig.java 
@@ -3,15 +3,15 @@ package com.baeldung.multiplelogin; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; @Configuration @EnableWebSecurity 
@@ -32,46 +32,86 @@ public class MultipleLoginSecurityConfig { @Configuration @Order(1) - public static class App1ConfigurationAdapter extends WebSecurityConfigurerAdapter { + public static class App1ConfigurationAdapter { - public App1ConfigurationAdapter() { - super(); + @Bean + public UserDetailsService userDetailsServiceApp1() { + UserDetails user = User.withUsername("admin") + .password(encoder().encode("admin")) + .roles("ADMIN") + .build(); + return new InMemoryUserDetailsManager(user); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth.inMemoryAuthentication().withUser("admin").password(encoder().encode("admin")).roles("ADMIN"); - } + @Bean + public SecurityFilterChain filterChainApp1(HttpSecurity http) throws Exception { + http.antMatcher("/admin*") + .authorizeRequests() + .anyRequest() + .hasRole("ADMIN") + // log in + .and() + .formLogin() + .loginPage("/loginAdmin") + .loginProcessingUrl("/admin_login") + .failureUrl("/loginAdmin?error=loginError") + .defaultSuccessUrl("/adminPage") + // logout + .and() + .logout() + .logoutUrl("/admin_logout") + .logoutSuccessUrl("/protectedLinks") + .deleteCookies("JSESSIONID") + .and() + .exceptionHandling() + .accessDeniedPage("/403") + .and() + .csrf() + .disable(); - @Override - protected void configure(HttpSecurity http) throws Exception { - http.antMatcher("/admin*").authorizeRequests().anyRequest().hasRole("ADMIN") - // log in - .and().formLogin().loginPage("/loginAdmin").loginProcessingUrl("/admin_login").failureUrl("/loginAdmin?error=loginError").defaultSuccessUrl("/adminPage") - // logout - .and().logout().logoutUrl("/admin_logout").logoutSuccessUrl("/protectedLinks").deleteCookies("JSESSIONID").and().exceptionHandling().accessDeniedPage("/403").and().csrf().disable(); + return http.build(); } } @Configuration @Order(2) - public static class App2ConfigurationAdapter extends WebSecurityConfigurerAdapter { + public static class App2ConfigurationAdapter { - 
public App2ConfigurationAdapter() { - super(); + @Bean + public UserDetailsService userDetailsServiceApp2() { + UserDetails user = User.withUsername("user") + .password(encoder().encode("user")) + .roles("USER") + .build(); + return new InMemoryUserDetailsManager(user); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth.inMemoryAuthentication().withUser("user").password(encoder().encode("user")).roles("USER"); - } - - protected void configure(HttpSecurity http) throws Exception { - http.antMatcher("/user*").authorizeRequests().anyRequest().hasRole("USER") - // log in - .and().formLogin().loginPage("/loginUser").loginProcessingUrl("/user_login").failureUrl("/loginUser?error=loginError").defaultSuccessUrl("/userPage") - // logout - .and().logout().logoutUrl("/user_logout").logoutSuccessUrl("/protectedLinks").deleteCookies("JSESSIONID").and().exceptionHandling().accessDeniedPage("/403").and().csrf().disable(); + @Bean + public SecurityFilterChain filterChainApp2(HttpSecurity http) throws Exception { + http.antMatcher("/user*") + .authorizeRequests() + .anyRequest() + .hasRole("USER") + // log in + .and() + .formLogin() + .loginPage("/loginUser") + .loginProcessingUrl("/user_login") + .failureUrl("/loginUser?error=loginError") + .defaultSuccessUrl("/userPage") + // logout + .and() + .logout() + .logoutUrl("/user_logout") + .logoutSuccessUrl("/protectedLinks") + .deleteCookies("JSESSIONID") + .and() + .exceptionHandling() + .accessDeniedPage("/403") + .and() + .csrf() + .disable(); + return http.build(); } } diff --git a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/ssl/SecurityConfig.java b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/ssl/SecurityConfig.java index 4bddf0592a..b92e83039b 100644 --- a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/ssl/SecurityConfig.java 
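Review bot: `userDetailsServiceApp1` and `userDetailsServiceApp2` are registered as beans, but neither `filterChainApp1` nor `filterChainApp2` references them, whereas the removed `configure(AuthenticationManagerBuilder)` overrides bound the `admin` account to the `/admin*` chain and the `user` account to the `/user*` chain. With more than one `UserDetailsService` bean in the context the automatic wiring most likely backs off or does not pick the intended store, so make the binding explicit: `http.userDetailsService(userDetailsServiceApp1())` at the start of `filterChainApp1`, and the App2 equivalent in `filterChainApp2`. The enclosing class is only partly visible in this hunk, so check whether it already declares a further `UserDetailsService` bean.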
+++ b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/ssl/SecurityConfig.java @@ -1,16 +1,18 @@ package com.baeldung.ssl; +import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.SecurityFilterChain; @EnableWebSecurity -public class SecurityConfig extends WebSecurityConfigurerAdapter { +public class SecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeRequests() - .antMatchers("/**") - .permitAll(); + .antMatchers("/**") + .permitAll(); + return http.build(); } }