Deprecate WebSecurityConfigurerAdapter #10822
Comments
Thanks for your efforts. I noticed that the documentation at https://docs.spring.io/spring-security/reference/5.7.0-M1/servlet/configuration/java.html has not been updated, so I am a little confused about something like this. How should this scenario migrate?
Thanks for bringing this up @linghengqian. The reference documentation was updated as part of gh-10003 and will be available in 5.7.0-M2. We will also share a blog post on how to migrate common use-cases when we release 5.7.0-M2. The configuration you share above can be rewritten as follows:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
// plus: import static <your package>.MyCustomDsl.customDsl;

@Configuration
public class SecurityConfiguration {
    @Bean
    @Order(1)
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // you probably want a request matcher since you are using @Order
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().authenticated()
            )
            .apply(customDsl());
        return http.build();
    }
}
```

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;

// Custom DSL: registers TokenAuthFilter with the AuthenticationManager that
// HttpSecurity has already built, so the filter never receives a null manager.
public class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
        http.addFilter(new TokenAuthFilter(authenticationManager));
    }

    public static MyCustomDsl customDsl() {
        return new MyCustomDsl();
    }
}
```
Closed via e97c643

The related blog post containing common use-cases: https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

huge change

It is not a good practice to both modify the input parameter and return a value. I would not write a method like this if I had a choice.

If you need to configure multiple HttpSecurity instances, you'll find WebSecurityConfigurerAdapter not intuitive in the code and it adds a layer of burden. To be honest, WebFlux's thinking in this area is pretty good and worth changing to.

The configure() method returns void, so I understand that it will create side effects. The method securityFilterChain() returns a value, so it should not create side effects (changing input). Is there any chance to improve this method?

@tha2015 The

When a method modifies its parameters, it is causing side effects. I had a look at how WebFlux and security is configured. One example is return http.authorizeExchange(), which looks better because it is like a builder pattern and from this snippet I don't see that the parameter is modified (although it might actually do the same, i.e. modify the parameter, as you said). Your example clearly shows that the input is modified and a value is returned. I am not saying it doesn't work. But this design could be improved by either returning a value without modifying the input, or using the parameter as an in/out parameter and returning void.

Actually the builder pattern does modify the builder objects, so my thought about the reactive example is not totally correct. Still I believe this design is confusing and we should try to improve it. From my perspective, a method should either:

I would not write a method which both modifies parameters and returns results.
Hi, I have a function to configure the

```java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}

public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
```

What is the recommended approach now? As I understand it I need to just have an AuthenticationManager

Edit: Didn't notice the
@arlyon There is no need to explicitly set the

```java
@Bean
public PasswordEncoder encoder() {
    return new BCryptPasswordEncoder();
}

@Bean
public InMemoryUserDetailsManager userDetailsService(PasswordEncoder encoder) {
    // Hash the demo password with the same PasswordEncoder bean that the
    // auto-configured DaoAuthenticationProvider will use to verify it.
    // (User.withDefaultPasswordEncoder() produces a "{bcrypt}..."-prefixed hash
    // that a plain BCryptPasswordEncoder bean rejects, so every login would fail.)
    UserDetails user = User.builder()
        .username("user")
        .password(encoder.encode("password"))
        .roles("USER")
        .build();
    return new InMemoryUserDetailsManager(user);
}
```

No need to configure anything on the

Let us know if you run into issues with the above configuration.
According to https://docs.spring.io/spring-security/reference/5.7.0-M3/servlet/appendix/namespace/authentication-manager.html, I don't see much response to

```java
@Order(1)
@Configuration
public static class ApiWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
            .httpBasic(withDefaults());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.eraseCredentials(false);
    }
}
```

@eleftherias thanks for the quick reply. I am using an

Could you point me to somewhere in the codebase where this is supposed to happen so I may debug?
I have the same problem as @arlyon and I've been seeing the above @Bean UserDetailsService, but I got an error "No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken" whenever I tried to submit the login page.

```java
@Bean
public CustomUserDetailsService userDetailsService() {
    return new CustomUserDetailsService();
}
```

The new configuration is really quite confusing. There's no real transition from using WebSecurityConfigurerAdapter. I'm sure I'm not the only one who is scratching their head over these changes.
Thanks everyone for trying out the new configuration style! We have a team member monitoring the

@arlyon and @elfwine if you're still having trouble feel free to post the questions on Stack Overflow and I, or someone else from the team, will answer them there.

@eleftherias, hi. How can I configure multiple instances of SecurityFilterChain? I have 2 places in my project where I have HttpSecurity configuration. And I want to use the same HttpSecurity to extend my configuration but not override it.

Have followed the document from here to replace

If anybody else has problems with try to use

This is the right answer and replacement of Deprecate WebSecurityConfigurerAdapter

@Sparklll @netssfy May I know how you guys are using that? I am trying to migrate to this new way and using

Ends up in a StackOverflowException

in the

Thanks for the reply. I found out the problem was due to my using AuthenticationManager in my @RestController as you mentioned. I managed to solve it by returning a ProviderManager from the AuthenticationManager @Bean in my @Configuration as follows:

But I'm not quite sure if it is best practice though. I'm still quite new to the Spring environment.

@jackgon7 Your configuration confuses me a bit, and while I'd suggest hanging up to Stackoverflow to continue the discussion, there's actually no need to bother if you just need to instantiate an

Hello, do you have any documentation for SAML2 config?

Hi everyone,

Thanks for this explanation, I had been stuck with this problem for 3 days and all I had to do was remove the @Bean annotation from my InMemoryUserDetails I have in the WebSecurityConfig
Dear all,

The above method is called, however it has no effect as

Is it expected that the bean

The solution was to add

and the application started to work as expected. The documentation I read before posting:

UPD: Posted to stackoverflow.

I'm running into issues as I have a locally defined AuthenticationFilter implementation. The now deprecated/old way was:

But I'm unable to wire in my AuthenticationManager instance as it is null. The definition of the filter happens in my

which is why I'm unable to wire in the authentication manager as suggested above. @eleftherias unfortunately I am unable to find a comparable issue on StackOverflow. Hoping you can help somehow or point me to an example that works with SpringBoot3 and Spring6. Thanks.

Thank you so much for posting this! It saved me big time.

Hi, if you are running into a problem using AuthenticationManagerBuilder without extending WebSecurityConfigurerAdapter and getting a problem like, you can add the

OR, you can use this method

Hello, I have a problem

When I followed the workarounds proposed in this issue I ran into #13620 - does anyone else have similar issues?
With the following issues closed we've added the ability to configure the security of an application without needing the `WebSecurityConfigurerAdapter`.

Related issues:

Background

Below is additional information on why `WebSecurityConfigurerAdapter` is being deprecated.

`WebSecurityConfigurerAdapter` and `HttpSecurity` DSL were created to work around spring-projects/spring-framework#18353. Unfortunately, `WebSecurityConfigurerAdapter` design is flawed causing quite a few problems that cannot be properly fixed.

Does Not Expose Beans

The first is that rather than exposing Beans, it silently creates objects that cannot be used by the underlying application or by Spring Boot for auto configuration. This makes it difficult for Boot to know if an `AuthenticationManager` needs to be created or not. It also makes it difficult for users to leverage an `AuthenticationManager` in their own code as a Bean.

Instead, it is preferred that users expose an `AuthenticationManager` (or `AuthenticationProvider` or `UserDetailsService`) as a `Bean` so it can be used by the rest of the application.

Beans Cannot be Injected via Method Arguments

Another issue with `WebSecurityConfigurerAdapter` is that the static nature of the method signatures means that Security configuration does not follow best practices of passing in the Beans by method arguments. Instead, dependencies must be injected into member variables or resolved through method references.

While there is nothing inherently wrong with this, it doesn't follow best practices causing several limitations.

When using method arguments for Bean dependencies Spring knows exactly which Beans are dependencies before Object creation takes place. This means the minimal Object graph can be created. When using member variables, `@Autowired` methods on the configuration class, etc. Spring needs to initialize the entire `@Configuration` to resolve the Bean. Similar problems happen when using method references to resolve Beans.

Not being able to determine the minimal dependencies of a Bean leads to `BeanCurrentlyInCreationException` (e.g. gh-4489) and `AlreadyBuiltException` being thrown (e.g. gh-3916). Again, this happens in large part due to not having as much information about the Object graph since parameters are not used to inject the Bean dependencies.
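As an added example (not code from this thread or from the Spring Security project), here is the ordered `WebSecurityConfigurerAdapter` posted earlier rewritten as two ordered `SecurityFilterChain` beans with the `AuthenticationManager` exposed as a Bean and injected by method argument, which is the pattern the issue description argues for and also covers the multiple-chain question and the `ProviderManager` comment above. It assumes the Spring Security 6 API (`securityMatcher`, `HttpSecurity#authenticationManager`) and that a `UserDetailsService` and a `PasswordEncoder` bean already exist, as in the in-memory example in the thread.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

// Added example, not from the issue or the Spring Security project. Assumes Spring Security 6
// (securityMatcher) and that UserDetailsService and PasswordEncoder beans already exist.
@Configuration
public class MultiChainSecurityConfiguration {
    // Replaces configure(AuthenticationManagerBuilder auth) { auth.eraseCredentials(false); }.
    // As a Bean it can be injected by method argument wherever it is needed (e.g. a login
    // @RestController) instead of being created silently inside an adapter.
    @Bean
    public AuthenticationManager authenticationManager(UserDetailsService userDetailsService,
                                                       PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        ProviderManager manager = new ProviderManager(provider);
        manager.setEraseCredentialsAfterAuthentication(false); // was auth.eraseCredentials(false)
        return manager;
    }

    // First chain: only /api/**. Without securityMatcher, @Order(1) alone would make this
    // chain match every request and the second chain would never be consulted.
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http, AuthenticationManager manager)
            throws Exception {
        http.securityMatcher("/api/**")
            .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .authenticationManager(manager);
        return http.build();
    }

    // Second chain: catch-all for everything else, so it is ordered after the API chain.
    @Bean
    @Order(2)
    public SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```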