Remove need for WebSecurityConfigurerAdapter

Closes gh-8804

Author: eleftherias

config/src/main/java/org/springframework/security/config/annotation/web/WebSecurityConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,14 +23,17 @@
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * Allows customization to the {@link WebSecurity}. In most instances users will use
- * {@link EnableWebSecurity} and create a {@link Configuration} that extends
- * {@link WebSecurityConfigurerAdapter} which will automatically be applied to the
- * {@link WebSecurity} by the {@link EnableWebSecurity} annotation.
+ * {@link EnableWebSecurity} and either create a {@link Configuration} that extends
+ * {@link WebSecurityConfigurerAdapter} or expose a {@link SecurityFilterChain} bean.
+ * Both will automatically be applied to the {@link WebSecurity} by the
+ * {@link EnableWebSecurity} annotation.
  *
  * @see WebSecurityConfigurerAdapter
+ * @see SecurityFilterChain
  *
  * @author Rob Winch
  * @since 3.2

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -283,7 +283,8 @@ protected Filter performBuild() throws Exception {
 		Assert.state(
 				!securityFilterChainBuilders.isEmpty(),
 				() -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. "
-						+ "Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. "
+						+ "Typically this is done by exposing a SecurityFilterChain bean "
+						+ "or by adding a @Configuration that extends WebSecurityConfigurerAdapter. "
 						+ "More advanced users can invoke "
 						+ WebSecurity.class.getSimpleName()
 						+ ".addSecurityFilterChainBuilder directly");

config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -74,7 +74,8 @@
 @Documented
 @Import({ WebSecurityConfiguration.class,
 		SpringWebMvcImportSelector.class,
-		OAuth2ImportSelector.class })
+		OAuth2ImportSelector.class,
+		HttpSecurityConfiguration.class})
 @EnableGlobalAuthentication
 @Configuration
 public @interface EnableWebSecurity {

config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java

@@ -0,0 +1,117 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configuration;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Scope;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.DefaultLoginPageConfigurer;
+import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.springframework.security.config.Customizer.withDefaults;
+
+/**
+ * {@link Configuration} that exposes the {@link HttpSecurity} bean.
+ *
+ * @author Eleftheria Stein
+ * @since 5.4
+ */
+@Configuration(proxyBeanMethods = false)
+class HttpSecurityConfiguration {
+	private static final String BEAN_NAME_PREFIX = "org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.";
+	private static final String HTTPSECURITY_BEAN_NAME = BEAN_NAME_PREFIX + "httpSecurity";
+
+	private ObjectPostProcessor<Object> objectPostProcessor;
+
+	private AuthenticationManager authenticationManager;
+
+	private AuthenticationConfiguration authenticationConfiguration;
+
+	private ApplicationContext context;
+
+	@Autowired
+	public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
+		this.objectPostProcessor = objectPostProcessor;
+	}
+
+	@Autowired(required = false)
+	void setAuthenticationManager(AuthenticationManager authenticationManager) {
+		this.authenticationManager = authenticationManager;
+	}
+
+	@Autowired
+	public void setAuthenticationConfiguration(
+			AuthenticationConfiguration authenticationConfiguration) {
+		this.authenticationConfiguration = authenticationConfiguration;
+	}
+
+	@Autowired
+	public void setApplicationContext(ApplicationContext context) {
+		this.context = context;
+	}
+
+	@Bean(HTTPSECURITY_BEAN_NAME)
+	@Scope("prototype")
+	public HttpSecurity httpSecurity() throws Exception {
+		WebSecurityConfigurerAdapter.LazyPasswordEncoder passwordEncoder =
+				new WebSecurityConfigurerAdapter.LazyPasswordEncoder(this.context);
+
+		AuthenticationManagerBuilder authenticationBuilder =
+				new WebSecurityConfigurerAdapter.DefaultPasswordEncoderAuthenticationManagerBuilder(this.objectPostProcessor, passwordEncoder);
+		authenticationBuilder.parentAuthenticationManager(authenticationManager());
+
+		HttpSecurity http = new HttpSecurity(objectPostProcessor, authenticationBuilder, createSharedObjects());
+		http
+				.csrf(withDefaults())
+				.addFilter(new WebAsyncManagerIntegrationFilter())
+				.exceptionHandling(withDefaults())
+				.headers(withDefaults())
+				.sessionManagement(withDefaults())
+				.securityContext(withDefaults())
+				.requestCache(withDefaults())
+				.anonymous(withDefaults())
+				.servletApi(withDefaults())
+				.logout(withDefaults())
+				.apply(new DefaultLoginPageConfigurer<>());
+
+		return http;
+	}
+
+	private AuthenticationManager authenticationManager() throws Exception {
+		if (this.authenticationManager != null) {
+			return this.authenticationManager;
+		} else {
+			return this.authenticationConfiguration.getAuthenticationManager();
+		}
+	}
+
+	private Map<Class<?>, Object> createSharedObjects() {
+		Map<Class<?>, Object> sharedObjects = new HashMap<>();
+		sharedObjects.put(ApplicationContext.class, context);
+		return sharedObjects;
+	}
+}

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,6 +15,7 @@
  */
 package org.springframework.security.config.annotation.web.configuration;
 
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import javax.servlet.Filter;
@@ -43,7 +44,9 @@
 import org.springframework.security.context.DelegatingApplicationListener;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
 
 
@@ -70,6 +73,8 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
 
 	private List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers;
 
+	private List<SecurityFilterChain> securityFilterChains = Collections.emptyList();
+
 	private ClassLoader beanClassLoader;
 
 	@Autowired(required = false)
@@ -95,12 +100,27 @@ public SecurityExpressionHandler<FilterInvocation> webSecurityExpressionHandler(
 	public Filter springSecurityFilterChain() throws Exception {
 		boolean hasConfigurers = webSecurityConfigurers != null
 				&& !webSecurityConfigurers.isEmpty();
-		if (!hasConfigurers) {
+		boolean hasFilterChain = !securityFilterChains.isEmpty();
+		if (hasConfigurers && hasFilterChain) {
+			throw new IllegalStateException(
+					"Found WebSecurityConfigurerAdapter as well as SecurityFilterChain." +
+							"Please select just one.");
+		}
+		if (!hasConfigurers && !hasFilterChain) {
 			WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
 					.postProcess(new WebSecurityConfigurerAdapter() {
 					});
 			webSecurity.apply(adapter);
 		}
+		for (SecurityFilterChain securityFilterChain : securityFilterChains) {
+			webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain);
+			for (Filter filter : securityFilterChain.getFilters()) {
+				if (filter instanceof FilterSecurityInterceptor) {
+					webSecurity.securityInterceptor((FilterSecurityInterceptor) filter);
+					break;
+				}
+			}
+		}
 		return webSecurity.build();
 	}
 
@@ -158,6 +178,12 @@ public void setFilterChainProxySecurityConfigurer(
 		this.webSecurityConfigurers = webSecurityConfigurers;
 	}
 
+	@Autowired(required = false)
+	void setFilterChains(List<SecurityFilterChain> securityFilterChains) {
+		securityFilterChains.sort(AnnotationAwareOrderComparator.INSTANCE);
+		this.securityFilterChains = securityFilterChains;
+	}
+
 	@Bean
 	public static BeanFactoryPostProcessor conversionServicePostProcessor() {
 		return new RsaKeyConversionServicePostProcessor();

config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -123,6 +124,32 @@ String principal(@AuthenticationPrincipal String principal) {
 		}
 	}
 
+	@Test
+	public void securityFilterChainWhenEnableWebMvcThenAuthenticationPrincipalResolvable() throws Exception {
+		this.spring.register(SecurityFilterChainAuthenticationPrincipalConfig.class).autowire();
+
+		this.mockMvc.perform(get("/").with(authentication(new TestingAuthenticationToken("user1", "password"))))
+			.andExpect(content().string("user1"));
+	}
+
+	@EnableWebSecurity
+	@EnableWebMvc
+	static class SecurityFilterChainAuthenticationPrincipalConfig {
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			return http.build();
+		}
+
+		@RestController
+		static class AuthController {
+
+			@GetMapping("/")
+			String principal(@AuthenticationPrincipal String principal) {
+				return principal;
+			}
+		}
+	}
+
 	@Test
 	public void enableWebSecurityWhenNoConfigurationAnnotationThenBeanProxyingEnabled() {
 		this.spring.register(BeanProxyEnabledByDefaultConfig.class).autowire();