Skip to content

Remove need for WebSecurityConfigurerAdapter #8805

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 5, 2020
Merged

Remove need for WebSecurityConfigurerAdapter #8805

merged 1 commit into from
Aug 5, 2020

Conversation

eleftherias
Copy link
Contributor

Closes gh-8804

@eleftherias eleftherias added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Jul 7, 2020
@rwinch
Copy link
Member

rwinch commented Jul 8, 2020

I also wonder if we should consider deprecating WebSecurityConfigurerAdapter and update the samples? Perhaps that is something for another issue?

@eleftherias eleftherias force-pushed the no-websecurityconfigureradapter branch from 6272b3c to 49d677c Compare July 9, 2020 08:17
@eleftherias eleftherias mentioned this pull request Jul 9, 2020
Closed
@eleftherias
Copy link
Contributor Author

@rwinch I created gh-8821 to update the samples.

I had not thought about deprecating WebSecurityConfigurerAdapter.
It may come as a surprise to users, since it is such a core part of Spring Security.
Maybe we can consider deprecating it in 5.5, once everyone is familiar with the SecurityFilterChain bean approach.

@rwinch
Copy link
Member

rwinch commented Jul 10, 2020

If we are going to deprecate it, I'd rather give users more time to update. The deprecation can give instructions on how to migrate (which shouldn't be too painful). We'd likely remove the support next year in 6.0, but certainly no sooner.

@eleftherias eleftherias force-pushed the no-websecurityconfigureradapter branch from 49d677c to 43e3763 Compare July 13, 2020 15:33
rwinch
rwinch approved these changes Jul 27, 2020
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the responses. It looks good to me

jzheaux
jzheaux reviewed Jul 31, 2020
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, though I did leave a question inline.

.../springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java
}

private Map<Class<?>, Object> createSharedObjects() {
Map<Class<?>, Object> sharedObjects = new HashMap<>();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are the consequences of not adding the other shared objects that WebSecurityConfigurerAdapter adds?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is that the WebSecurityConfigurerAdapter adds the additional shared objects because they may be overridden within that class, for example using configure(AuthenticationManagerBuilder auth).
When using the SecurityFilterChain bean, you would need to expose a UserDetailsService bean and I confirmed that the UserDetailsService is used even if it's not explicitly added to the shared objects here.
It was similar for the ContentNegotiationStrategy and AuthenticationTrustResolver.

@eleftherias eleftherias merged commit aeafe04 into spring-projects:master Aug 5, 2020
@eleftherias eleftherias added this to the 5.4.0-RC1 milestone Aug 5, 2020
@eleftherias eleftherias added the status: duplicate A duplicate of another issue label Aug 5, 2020
@jzheaux jzheaux mentioned this pull request Sep 23, 2020
Closed
@jzheaux jzheaux mentioned this pull request Dec 18, 2020
Closed
@imod
Copy link

imod commented Dec 22, 2020

I see the value to use the SecurityFilterChain, but how do I register multiple AuthenticationProvider with this approach?

With the adapter I could simply do:

	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.authenticationProvider(new Provider1());
		auth.authenticationProvider(new Provider2());
		auth.authenticationProvider(new Provider3());
	}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux left review comments

@rwinch rwinch rwinch approved these changes

Assignees
No one assigned
Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
5.4.0-RC1
Development

Successfully merging this pull request may close these issues.

Configure HTTP Security without extending WebSecurityConfigurerAdapter
4 participants
@eleftherias @rwinch @imod @jzheaux