JAVA-14873 Update spring-security-web-boot-2 module under spring-security-modules to remove usage of deprecated WebSecurityConfigurerAdapter (#12772)

spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/customlogouthandler/MvcConfiguration.java

@@ -3,20 +3,21 @@ package com.baeldung.customlogouthandler;
 import javax.sql.DataSource;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.provisioning.JdbcUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
 
 import com.baeldung.customlogouthandler.web.CustomLogoutHandler;
 
 @Configuration
 @EnableWebSecurity
-public class MvcConfiguration extends WebSecurityConfigurerAdapter {
+public class MvcConfiguration {
 
     @Autowired
     private DataSource dataSource;
@@ -24,8 +25,8 @@ public class MvcConfiguration extends WebSecurityConfigurerAdapter {
     @Autowired
     private CustomLogoutHandler logoutHandler;
 
-    @Override
+    @Bean
-    protected void configure(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.httpBasic()
             .and()
             .authorizeRequests()
@@ -42,14 +43,14 @@ public class MvcConfiguration extends WebSecurityConfigurerAdapter {
             .disable()
             .formLogin()
             .disable();
+        return http.build();
     }
 
-    @Override
+    @Bean
-    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+    public JdbcUserDetailsManager jdbcUserDetailsManager() throws Exception {
-        auth.jdbcAuthentication()
+        JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager(dataSource);
-            .dataSource(dataSource)
+        jdbcUserDetailsManager.setUsersByUsernameQuery("select login, password, true from users where login=?");
-            .usersByUsernameQuery("select login, password, true from users where login=?")
+        jdbcUserDetailsManager.setAuthoritiesByUsernameQuery("select login, role from users where login=?");
-            .authoritiesByUsernameQuery("select login, role from users where login=?");
+        return jdbcUserDetailsManager;
     }
-
 }

spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/jdbcauthentication/h2/config/SecurityConfiguration.java

@@ -1,20 +1,21 @@
 package com.baeldung.jdbcauthentication.h2.config;
 
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.crypto.password.PasswordEncoder;
-
 import javax.sql.DataSource;
 
-@Configuration
+import org.springframework.beans.factory.annotation.Autowired;
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
 
-    @Override
+@Configuration
-    protected void configure(HttpSecurity httpSecurity) throws Exception {
+public class SecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
         httpSecurity.authorizeRequests()
             .antMatchers("/h2-console/**")
             .permitAll()
@@ -28,12 +29,11 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
         httpSecurity.headers()
             .frameOptions()
             .sameOrigin();
+        return httpSecurity.build();
     }
 
     @Autowired
-    public void configureGlobal(AuthenticationManagerBuilder auth,
+    public void configureGlobal(AuthenticationManagerBuilder auth, DataSource dataSource, PasswordEncoder passwordEncoder) throws Exception {
-                                DataSource dataSource,
-                                PasswordEncoder passwordEncoder) throws Exception {
         auth.jdbcAuthentication()
             .dataSource(dataSource)
             .withDefaultSchema()

spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/loginredirect/LoginRedirectSecurityConfig.java

@@ -2,38 +2,53 @@ package com.baeldung.loginredirect;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
 @EnableWebSecurity
-class LoginRedirectSecurityConfig extends WebSecurityConfigurerAdapter {
+class LoginRedirectSecurityConfig {
 
-    @Override
+    @Bean
-    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+    public InMemoryUserDetailsManager userDetailsService() {
-        auth.inMemoryAuthentication().withUser("user").password(encoder().encode("user")).roles("USER");
+        UserDetails user = User.withUsername("user")
+            .password(encoder().encode("user"))
+            .roles("USER")
+            .build();
+        return new InMemoryUserDetailsManager(user);
     }
 
-    @Override
+    @Bean
-    protected void configure(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-
+        http.addFilterAfter(new LoginPageFilter(), UsernamePasswordAuthenticationFilter.class)
-        http
-          .addFilterAfter(new LoginPageFilter(), UsernamePasswordAuthenticationFilter.class)
-
             .authorizeRequests()
-          .antMatchers("/loginUser").permitAll()
+            .antMatchers("/loginUser")
-          .antMatchers("/user*").hasRole("USER")
+            .permitAll()
-
+            .antMatchers("/user*")
-          .and().formLogin().loginPage("/loginUser").loginProcessingUrl("/user_login")
+            .hasRole("USER")
-          .failureUrl("/loginUser?error=loginError").defaultSuccessUrl("/userMainPage").permitAll()
+            .and()
-
+            .formLogin()
-          .and().logout().logoutUrl("/user_logout").logoutSuccessUrl("/loginUser").deleteCookies("JSESSIONID")
+            .loginPage("/loginUser")
-          .and().csrf().disable();
+            .loginProcessingUrl("/user_login")
+            .failureUrl("/loginUser?error=loginError")
+            .defaultSuccessUrl("/userMainPage")
+            .permitAll()
+            .and()
+            .logout()
+            .logoutUrl("/user_logout")
+            .logoutSuccessUrl("/loginUser")
+            .deleteCookies("JSESSIONID")
+            .and()
+            .csrf()
+            .disable();
+        return http.build();
     }
 
     @Bean

spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multipleauthproviders/MultipleAuthProvidersSecurityConfig.java

@@ -2,37 +2,41 @@ package com.baeldung.multipleauthproviders;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
 
 @EnableWebSecurity
-public class MultipleAuthProvidersSecurityConfig extends WebSecurityConfigurerAdapter {
+public class MultipleAuthProvidersSecurityConfig {
 
     @Autowired
     CustomAuthenticationProvider customAuthProvider;
 
-    @Override
+    @Bean
-    public void configure(AuthenticationManagerBuilder auth) throws Exception {
+    public AuthenticationManager authManager(HttpSecurity http) throws Exception {
-
+        AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
-        auth.authenticationProvider(customAuthProvider);
+        authenticationManagerBuilder.authenticationProvider(customAuthProvider);
-
+        authenticationManagerBuilder.inMemoryAuthentication()
-        auth.inMemoryAuthentication()
             .withUser("memuser")
             .password(passwordEncoder().encode("pass"))
             .roles("USER");
+        return authenticationManagerBuilder.build();
     }
 
-    @Override
+    @Bean
-    protected void configure(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authManager) throws Exception {
         http.httpBasic()
             .and()
             .authorizeRequests()
             .antMatchers("/api/**")
-            .authenticated();
+            .authenticated()
+            .and()
+            .authenticationManager(authManager);
+        return http.build();
     }
 
     @Bean

spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multipleentrypoints/MultipleEntryPointsSecurityConfig.java

@@ -5,13 +5,13 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -35,16 +35,15 @@ public class MultipleEntryPointsSecurityConfig {
 
     @Configuration
     @Order(1)
-    public static class App1ConfigurationAdapter extends WebSecurityConfigurerAdapter {
+    public static class App1ConfigurationAdapter {
 
-        @Override
+        @Bean
-        protected void configure(HttpSecurity http) throws Exception {
+        public SecurityFilterChain filterChainApp1(HttpSecurity http) throws Exception {
-            //@formatter:off
             http.antMatcher("/admin/**")
                 .authorizeRequests().anyRequest().hasRole("ADMIN")
                 .and().httpBasic().authenticationEntryPoint(authenticationEntryPoint())    
                 .and().exceptionHandling().accessDeniedPage("/403");
-            //@formatter:on
+            return http.build();
         }
 
         @Bean
@@ -57,11 +56,10 @@ public class MultipleEntryPointsSecurityConfig {
 
     @Configuration
     @Order(2)
-    public static class App2ConfigurationAdapter extends WebSecurityConfigurerAdapter {
+    public static class App2ConfigurationAdapter {
 
-        protected void configure(HttpSecurity http) throws Exception {
+        @Bean
-            
+        public SecurityFilterChain filterChainApp2(HttpSecurity http) throws Exception {
-            //@formatter:off
             http.antMatcher("/user/**")
                 .authorizeRequests().anyRequest().hasRole("USER")              
                 .and().formLogin().loginProcessingUrl("/user/login")
@@ -73,7 +71,7 @@ public class MultipleEntryPointsSecurityConfig {
                 .defaultAuthenticationEntryPointFor(loginUrlauthenticationEntryPoint(), new AntPathRequestMatcher("/user/general/**"))
                 .accessDeniedPage("/403")
                 .and().csrf().disable();
-            //@formatter:on
+            return http.build();
         }
         
         @Bean
@@ -89,10 +87,15 @@ public class MultipleEntryPointsSecurityConfig {
 
     @Configuration
     @Order(3)
-    public static class App3ConfigurationAdapter extends WebSecurityConfigurerAdapter {
+    public static class App3ConfigurationAdapter {
 
-        protected void configure(HttpSecurity http) throws Exception {
+        @Bean
-            http.antMatcher("/guest/**").authorizeRequests().anyRequest().permitAll();
+        public SecurityFilterChain filterChainApp3(HttpSecurity http) throws Exception {
+            http.antMatcher("/guest/**")
+                .authorizeRequests()
+                .anyRequest()
+                .permitAll();
+            return http.build();
         }
     }
 

spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/multiplelogin/MultipleLoginSecurityConfig.java

@@ -3,15 +3,15 @@ package com.baeldung.multiplelogin;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 @Configuration
 @EnableWebSecurity
@@ -32,46 +32,86 @@ public class MultipleLoginSecurityConfig {
 
     @Configuration
     @Order(1)
-    public static class App1ConfigurationAdapter extends WebSecurityConfigurerAdapter {
+    public static class App1ConfigurationAdapter {
 
-        public App1ConfigurationAdapter() {
+        @Bean
-            super();
+        public UserDetailsService userDetailsServiceApp1() {
+            UserDetails user = User.withUsername("admin")
+                .password(encoder().encode("admin"))
+                .roles("ADMIN")
+                .build();
+            return new InMemoryUserDetailsManager(user);
         }
 
-        @Override
+        @Bean
-        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        public SecurityFilterChain filterChainApp1(HttpSecurity http) throws Exception {
-            auth.inMemoryAuthentication().withUser("admin").password(encoder().encode("admin")).roles("ADMIN");
+            http.antMatcher("/admin*")
-        }
+                .authorizeRequests()
-
+                .anyRequest()
-        @Override
+                .hasRole("ADMIN")
-        protected void configure(HttpSecurity http) throws Exception {
-            http.antMatcher("/admin*").authorizeRequests().anyRequest().hasRole("ADMIN")
                 // log in
-                    .and().formLogin().loginPage("/loginAdmin").loginProcessingUrl("/admin_login").failureUrl("/loginAdmin?error=loginError").defaultSuccessUrl("/adminPage")
+                .and()
+                .formLogin()
+                .loginPage("/loginAdmin")
+                .loginProcessingUrl("/admin_login")
+                .failureUrl("/loginAdmin?error=loginError")
+                .defaultSuccessUrl("/adminPage")
                 // logout
-                    .and().logout().logoutUrl("/admin_logout").logoutSuccessUrl("/protectedLinks").deleteCookies("JSESSIONID").and().exceptionHandling().accessDeniedPage("/403").and().csrf().disable();
+                .and()
+                .logout()
+                .logoutUrl("/admin_logout")
+                .logoutSuccessUrl("/protectedLinks")
+                .deleteCookies("JSESSIONID")
+                .and()
+                .exceptionHandling()
+                .accessDeniedPage("/403")
+                .and()
+                .csrf()
+                .disable();
+
+            return http.build();
         }
     }
 
     @Configuration
     @Order(2)
-    public static class App2ConfigurationAdapter extends WebSecurityConfigurerAdapter {
+    public static class App2ConfigurationAdapter {
 
-        public App2ConfigurationAdapter() {
+        @Bean
-            super();
+        public UserDetailsService userDetailsServiceApp2() {
+            UserDetails user = User.withUsername("user")
+                .password(encoder().encode("user"))
+                .roles("USER")
+                .build();
+            return new InMemoryUserDetailsManager(user);
         }
 
-        @Override
+        @Bean
-        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        public SecurityFilterChain filterChainApp2(HttpSecurity http) throws Exception {
-            auth.inMemoryAuthentication().withUser("user").password(encoder().encode("user")).roles("USER");
+            http.antMatcher("/user*")
-        }
+                .authorizeRequests()
-
+                .anyRequest()
-        protected void configure(HttpSecurity http) throws Exception {
+                .hasRole("USER")
-            http.antMatcher("/user*").authorizeRequests().anyRequest().hasRole("USER")
                 // log in
-                    .and().formLogin().loginPage("/loginUser").loginProcessingUrl("/user_login").failureUrl("/loginUser?error=loginError").defaultSuccessUrl("/userPage")
+                .and()
+                .formLogin()
+                .loginPage("/loginUser")
+                .loginProcessingUrl("/user_login")
+                .failureUrl("/loginUser?error=loginError")
+                .defaultSuccessUrl("/userPage")
                 // logout
-                    .and().logout().logoutUrl("/user_logout").logoutSuccessUrl("/protectedLinks").deleteCookies("JSESSIONID").and().exceptionHandling().accessDeniedPage("/403").and().csrf().disable();
+                .and()
+                .logout()
+                .logoutUrl("/user_logout")
+                .logoutSuccessUrl("/protectedLinks")
+                .deleteCookies("JSESSIONID")
+                .and()
+                .exceptionHandling()
+                .accessDeniedPage("/403")
+                .and()
+                .csrf()
+                .disable();
+            return http.build();
         }
     }
 

spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/ssl/SecurityConfig.java

@@ -1,16 +1,18 @@
 package com.baeldung.ssl;
 
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;
 
 @EnableWebSecurity
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecurityConfig {
 
-    @Override
+    @Bean
-    protected void configure(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.authorizeRequests()
             .antMatchers("/**")
             .permitAll();
+        return http.build();
     }
 }