Configure WebSecurity using WebSecurityCustomizer

Replace `WebSecurityConfigurer` and `WebSecurityConfigurerAdapter`
configurations with `WebSecurityCustomizer` or `SecurityFilterChain`
beans.

Closes gh-23421

Author: mbhave

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -64,6 +64,7 @@
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.servlet.DispatcherServlet;
@@ -158,18 +159,23 @@ private CorsConfiguration getCorsConfiguration() {
 	 * specific paths. The Cloud foundry endpoints are protected by their own security
 	 * interceptor.
 	 */
-	@ConditionalOnClass(WebSecurity.class)
-	@Order(SecurityProperties.IGNORED_ORDER)
+	@ConditionalOnClass({ WebSecurityCustomizer.class, WebSecurity.class })
 	@Configuration(proxyBeanMethods = false)
-	public static class IgnoredPathsWebSecurityConfigurer implements WebSecurityConfigurer<WebSecurity> {
+	public static class IgnoredCloudFoundryPathsWebSecurityConfiguration {
 
-		@Override
-		public void init(WebSecurity builder) throws Exception {
-			builder.ignoring().requestMatchers(new AntPathRequestMatcher("/cloudfoundryapplication/**"));
+		@Bean
+		IgnoredCloudFoundryPathsWebSecurityCustomizer ignoreCloudFoundryPathsWebSecurityCustomizer() {
+			return new IgnoredCloudFoundryPathsWebSecurityCustomizer();
 		}
 
+	}
+
+	@Order(SecurityProperties.IGNORED_ORDER)
+	static class IgnoredCloudFoundryPathsWebSecurityCustomizer implements WebSecurityCustomizer {
+
 		@Override
-		public void configure(WebSecurity builder) throws Exception {
+		public void customize(WebSecurity web) {
+			web.ignoring().requestMatchers(new AntPathRequestMatcher("/cloudfoundryapplication/**"));
 		}
 
 	}

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java

@@ -31,6 +31,7 @@
 import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -49,7 +50,7 @@
  * @since 2.1.0
  */
 @Configuration(proxyBeanMethods = false)
-@ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class })
+@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class })
 @ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class })
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
 @AutoConfigureBefore(SecurityAutoConfiguration.class)
@@ -58,19 +59,15 @@
 		OAuth2ResourceServerAutoConfiguration.class, Saml2RelyingPartyAutoConfiguration.class })
 public class ManagementWebSecurityAutoConfiguration {
 
-	@Configuration(proxyBeanMethods = false)
-	static class ManagementWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-			http.authorizeRequests((requests) -> {
-				requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
-				requests.anyRequest().authenticated();
-			});
-			http.formLogin(Customizer.withDefaults());
-			http.httpBasic(Customizer.withDefaults());
-		}
-
+	@Bean
+	SecurityFilterChain managementSecurityFilterChain(HttpSecurity http) throws Exception {
+		http.authorizeRequests((requests) -> {
+			requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
+			requests.anyRequest().authenticated();
+		});
+		http.formLogin(Customizer.withDefaults());
+		http.httpBasic(Customizer.withDefaults());
+		return http.build();
 	}
 
 }

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java

@@ -56,6 +56,8 @@
  */
 class ManagementWebSecurityAutoConfigurationTests {
 
+	private static final String MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN = "managementSecurityFilterChain";
+
 	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner().withConfiguration(
 			AutoConfigurations.of(HealthContributorAutoConfiguration.class, HealthEndpointAutoConfiguration.class,
 					InfoEndpointAutoConfiguration.class, EnvironmentEndpointAutoConfiguration.class,
@@ -65,6 +67,7 @@ class ManagementWebSecurityAutoConfigurationTests {
 	@Test
 	void permitAllForHealth() {
 		this.contextRunner.run((context) -> {
+			assertThat(context).hasBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN);
 			HttpStatus status = getResponseStatus(context, "/actuator/health");
 			assertThat(status).isEqualTo(HttpStatus.OK);
 		});
@@ -127,8 +130,8 @@ void backsOffIfSecurityFilterChainBeanIsPresent() {
 	void backOffIfOAuth2ResourceServerAutoConfigurationPresent() {
 		this.contextRunner.withConfiguration(AutoConfigurations.of(OAuth2ResourceServerAutoConfiguration.class))
 				.withPropertyValues("spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://authserver")
-				.run((context) -> assertThat(context).doesNotHaveBean(
-						ManagementWebSecurityAutoConfiguration.ManagementWebSecurityConfigurerAdapter.class));
+				.run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class)
+						.doesNotHaveBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN));
 	}
 
 	@Test
@@ -139,8 +142,8 @@ void backOffIfSaml2RelyingPartyAutoConfigurationPresent() {
 						"spring.security.saml2.relyingparty.registration.simplesamlphp.identity-provider.single-sign-on.sign-request=false",
 						"spring.security.saml2.relyingparty.registration.simplesamlphp.identityprovider.entity-id=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php",
 						"spring.security.saml2.relyingparty.registration.simplesamlphp.identityprovider.verification.credentials[0].certificate-location=classpath:saml/certificate-location")
-				.run((context) -> assertThat(context).doesNotHaveBean(
-						ManagementWebSecurityAutoConfiguration.ManagementWebSecurityConfigurerAdapter.class));
+				.run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class)
+						.doesNotHaveBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN));
 	}
 
 	private HttpStatus getResponseStatus(AssertableWebApplicationContext context, String path)

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java

@@ -54,15 +54,16 @@ OAuth2AuthorizedClientRepository authorizedClientRepository(OAuth2AuthorizedClie
 	}
 
 	@Configuration(proxyBeanMethods = false)
-	@ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class })
+	@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class })
 	@ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class })
-	static class OAuth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
+	static class OAuth2SecurityFilterChainConfiguration {
 
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
+		@Bean
+		SecurityFilterChain oauth2SecurityFilterChain(HttpSecurity http) throws Exception {
 			http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
 			http.oauth2Login(Customizer.withDefaults());
 			http.oauth2Client();
+			return http.build();
 		}
 
 	}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java

@@ -50,7 +50,6 @@
  * @author HaiTao Zhang
  */
 @Configuration(proxyBeanMethods = false)
-
 class OAuth2ResourceServerJwtConfiguration {
 
 	@Configuration(proxyBeanMethods = false)
@@ -98,22 +97,16 @@ JwtDecoder jwtDecoderByIssuerUri() {
 	}
 
 	@Configuration(proxyBeanMethods = false)
-	@ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class })
+	@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class })
 	@ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class })
-	static class OAuth2WebSecurityConfigurerAdapter {
+	static class OAuth2SecurityFilterChainConfiguration {
 
 		@Bean
 		@ConditionalOnBean(JwtDecoder.class)
-		WebSecurityConfigurerAdapter jwtDecoderWebSecurityConfigurerAdapter() {
-			return new WebSecurityConfigurerAdapter() {
-
-				@Override
-				protected void configure(HttpSecurity http) throws Exception {
-					http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
-					http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
-				}
-
-			};
+		SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http) throws Exception {
+			http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
+			http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
+			return http.build();
 		}
 
 	}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java

@@ -56,20 +56,14 @@ NimbusOpaqueTokenIntrospector opaqueTokenIntrospector(OAuth2ResourceServerProper
 	@Configuration(proxyBeanMethods = false)
 	@ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class })
 	@ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class })
-	static class OAuth2WebSecurityConfigurerAdapter {
+	static class OAuth2SecurityFilterChainConfiguration {
 
 		@Bean
 		@ConditionalOnBean(OpaqueTokenIntrospector.class)
-		WebSecurityConfigurerAdapter opaqueTokenWebSecurityConfigurerAdapter() {
-			return new WebSecurityConfigurerAdapter() {
-
-				@Override
-				protected void configure(HttpSecurity http) throws Exception {
-					http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
-					http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
-				}
-
-			};
+		SecurityFilterChain opaqueTokenSecurityFilterChain(HttpSecurity http) throws Exception {
+			http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
+			http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
+			return http.build();
 		}
 
 	}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/Oauth2ResourceServerConfiguration.java

@@ -32,14 +32,14 @@ class Oauth2ResourceServerConfiguration {
 	@Configuration(proxyBeanMethods = false)
 	@ConditionalOnClass(JwtDecoder.class)
 	@Import({ OAuth2ResourceServerJwtConfiguration.JwtDecoderConfiguration.class,
-			OAuth2ResourceServerJwtConfiguration.OAuth2WebSecurityConfigurerAdapter.class })
+			OAuth2ResourceServerJwtConfiguration.OAuth2SecurityFilterChainConfiguration.class })
 	static class JwtConfiguration {
 
 	}
 
 	@Configuration(proxyBeanMethods = false)
 	@Import({ OAuth2ResourceServerOpaqueTokenConfiguration.OpaqueTokenIntrospectionClientConfiguration.class,
-			OAuth2ResourceServerOpaqueTokenConfiguration.OAuth2WebSecurityConfigurerAdapter.class })
+			OAuth2ResourceServerOpaqueTokenConfiguration.OAuth2SecurityFilterChainConfiguration.class })
 	static class OpaqueTokenConfiguration {
 
 	}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2LoginConfiguration.java

@@ -19,6 +19,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -32,19 +33,15 @@
  * @author Madhura Bhave
  */
 @Configuration(proxyBeanMethods = false)
-@ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class })
+@ConditionalOnMissingBean({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class })
 @ConditionalOnBean(RelyingPartyRegistrationRepository.class)
-@ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class })
+@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class })
 class Saml2LoginConfiguration {
 
-	@Configuration(proxyBeanMethods = false)
-	static class Saml2LoginConfigurerAdapter extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-			http.authorizeRequests((requests) -> requests.anyRequest().authenticated()).saml2Login();
-		}
-
+	@Bean
+	SecurityFilterChain samlSecurityFilterChain(HttpSecurity http) throws Exception {
+		http.authorizeRequests((requests) -> requests.anyRequest().authenticated()).saml2Login();
+		return http.build();
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java

@@ -21,8 +21,10 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.SecurityFilterChain;
 
@@ -37,15 +39,16 @@
  * @author Madhura Bhave
  */
 @Configuration(proxyBeanMethods = false)
-@ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class })
-@ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class })
+@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class })
+@ConditionalOnMissingBean({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class })
 @ConditionalOnWebApplication(type = Type.SERVLET)
 class SpringBootWebSecurityConfiguration {
 
-	@Configuration(proxyBeanMethods = false)
+	@Bean
 	@Order(SecurityProperties.BASIC_AUTH_ORDER)
-	static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {
-
+	SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
+		http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
+		return http.build();
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfigurationTests.java

@@ -117,7 +117,7 @@ void configurationRegistersAuthorizedClientRepositoryBean() {
 	}
 
 	@Test
-	void securityConfigurerBacksOffBacksOffWhenOtherWebSecurityAdapterPresent() {
+	void securityFilterChainConfigBacksOffWhenOtherWebSecurityAdapterPresent() {
 		this.contextRunner
 				.withUserConfiguration(TestWebSecurityConfigurerConfig.class, OAuth2WebSecurityConfiguration.class)
 				.run((context) -> {
@@ -128,7 +128,7 @@ void securityConfigurerBacksOffBacksOffWhenOtherWebSecurityAdapterPresent() {
 	}
 
 	@Test
-	void securityConfigurerBacksOffBacksOffWhenOtherSecurityFilterChainBeanPresent() {
+	void securityFilterChainConfigBacksOffWhenOtherSecurityFilterChainBeanPresent() {
 		this.contextRunner
 				.withUserConfiguration(TestSecurityFilterChainConfig.class, OAuth2WebSecurityConfiguration.class)
 				.run((context) -> {
@@ -139,7 +139,7 @@ void securityConfigurerBacksOffBacksOffWhenOtherSecurityFilterChainBeanPresent()
 	}
 
 	@Test
-	void securityConfigurerBacksOffConditionalOnSecurityFilterChainClass() {
+	void securityFilterChainConfigConditionalOnSecurityFilterChainClass() {
 		this.contextRunner
 				.withUserConfiguration(ClientRegistrationRepositoryConfiguration.class,
 						OAuth2WebSecurityConfiguration.class)

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java

@@ -38,6 +38,7 @@
 import org.springframework.core.io.Resource;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
@@ -220,6 +221,11 @@ RelyingPartyRegistrationRepository testRegistrationRepository() {
 
 	}
 
+	@EnableWebSecurity
+	static class WebSecurityEnablerConfiguration {
+
+	}
+
 	@Configuration(proxyBeanMethods = false)
 	static class WebSecurityConfigurerAdapterConfiguration {
 

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfigurationTests.java

@@ -76,6 +76,12 @@ void enableWebSecurityIsConditionalOnClass() {
 				.run((context) -> assertThat(context).doesNotHaveBean("springSecurityFilterChain"));
 	}
 
+	@Test
+	void filterChainBeanIsConditionalOnClassSecurityFilterChain() {
+		this.contextRunner.withClassLoader(new FilteredClassLoader(SecurityFilterChain.class))
+				.run((context) -> assertThat(context).doesNotHaveBean(SecurityFilterChain.class));
+	}
+
 	@Test
 	void securityConfigurerBacksOffWhenOtherSecurityFilterChainBeanPresent() {
 		this.contextRunner.withUserConfiguration(TestSecurityFilterChainConfig.class).run((context) -> {