0

I am updating from Springboot 2.7.x to 3.1.x version and noticed that there is a change to the Security configuration. I followed the steps provided in the Spring Security and facing issue converting below configuration to the latest that is supported in Springboot 3.1.x.

Could someone please help with the new configuration.

Facing issue rewriting below:

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(STATELESS).and().exceptionHandling()
            .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS).and()
            .csrf().disable().authorizeRequests()
            .anyRequest().authenticated()
            .and().httpBasic()
            .authenticationEntryPoint(AuthenticationEntryPoint);
  }

Full code:

package test.config;

import lombok.RequiredArgsConstructor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

import static org.springframework.http.HttpStatus.FORBIDDEN;
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@RequiredArgsConstructor
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(new AntPathRequestMatcher("/public/**/**"));
    private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS);
    private final AuthenticationEntryPoint AuthenticationEntryPoint;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Bean
    private static AuthenticationEntryPoint forbiddenEntryPoint() {
        return new HttpStatusEntryPoint(FORBIDDEN);
    }

    @Override
    public void configure(WebSecurity web) {
        web.ignoring().requestMatchers(PUBLIC_URLS);
        web.ignoring().antMatchers("/", "/csrf", "/configuration/ui", "/webjars/**", "/actuator", "/actuator/*");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(STATELESS).and().exceptionHandling()
                .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS).and()
                .csrf().disable().authorizeRequests()
                .anyRequest().authenticated()
                .and().httpBasic()
                .authenticationEntryPoint(AuthenticationEntryPoint);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("userName").password(passwordEncoder.encode("passWord")).roles("Application");
    }
    
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}

Also tried solutions provided in the link: https://www.bezkoder.com/websecurityconfigureradapter-deprecated-spring-boot/

Nani
  • 29
  • 4

1 Answers1

1

From Spring Security 6 WebSecurityConfigurerAdapter was deprecated, and you need to have same little changes, for more details how to change check it and Migration Guide

And about your problem what you have with:

protected void configure(HttpSecurity http) throws Exception

You should change it to:

  @Bean
  public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.sessionManagement(sessionAuthenticationStrategy ->
        sessionAuthenticationStrategy.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    http.exceptionHandling(eH -> eH.defaultAuthenticationEntryPointFor(
        forbiddenEntryPoint(), PROTECTED_URLS
    ));
    http
        .csrf(AbstractHttpConfigurer::disable);
    http.authorizeHttpRequests(request ->{
      request.anyRequest().authenticated();
    });
    http.httpBasic(Customizer.withDefaults());
    
    return http.build();
  };
Andrei Lisa
  • 1,361
  • 3
  • 11