Remove usage of WebSecurityConfigurerAdapter

Switch to expose a SecurityFilterChain Bean

Closes gh-52

servlet/java-configuration/authentication/preauth/src/main/java/example/SecurityConfiguration.java

@@ -18,26 +18,27 @@ package example;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 @EnableWebSecurity
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
 
-	// @formatter:off
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
-				.antMatchers("/login", "/resources/**").permitAll()
-				.anyRequest().authenticated()
-			)
-			.jee((jee) -> jee.mappableRoles("USER", "ADMIN"));
+				.authorizeHttpRequests((authorize) -> authorize
+						.antMatchers("/login", "/resources/**").permitAll()
+						.anyRequest().authenticated()
+				)
+				.jee((jee) -> jee.mappableRoles("USER", "ADMIN"));
+		// @formatter:on
+		return http.build();
 	}
-	// @formatter:on
 
 	// @formatter:off
 	@Bean

servlet/java-configuration/authentication/remember-me/src/main/java/example/SecurityConfiguration.java

@@ -18,31 +18,30 @@ package example;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
-
-import static org.springframework.security.config.Customizer.withDefaults;
+import org.springframework.security.web.SecurityFilterChain;
 
 @EnableWebSecurity
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
 
-	@Override
-	// @formatter:off
-	protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http, UserDetailsService users) throws Exception {
+		// @formatter:off
 		http
-			.authorizeRequests((authorize) -> authorize
-				.anyRequest().authenticated()
-			)
-			.formLogin((form) -> form
-				.loginPage("/login")
-				.permitAll()
-			)
-			.rememberMe(withDefaults());
+				.authorizeRequests((authorize) -> authorize
+						.anyRequest().authenticated()
+				)
+				.formLogin((form) -> form
+						.loginPage("/login")
+						.permitAll()
+				)
+				.rememberMe((rememberMe) -> rememberMe.userDetailsService(users));
+		// @formatter:on
+		return http.build();
 	}
-	// @formatter:on
 
 	// @formatter:off
 	@Bean

servlet/java-configuration/authentication/username-password/form/src/main/java/example/SecurityConfiguration.java

@@ -18,28 +18,29 @@ package example;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 @EnableWebSecurity
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
 
-	@Override
-	// @formatter:off
-	protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
 		http
-			.authorizeRequests((authorize) -> authorize
-				.anyRequest().authenticated()
-			)
-			.formLogin((form) -> form
-				.loginPage("/login")
-				.permitAll()
-			);
+				.authorizeRequests((authorize) -> authorize
+						.anyRequest().authenticated()
+				)
+				.formLogin((form) -> form
+						.loginPage("/login")
+						.permitAll()
+				);
+		// @formatter:on
+		return http.build();
 	}
-	// @formatter:on
 
 	// @formatter:off
 	@Bean

servlet/java-configuration/authentication/username-password/in-memory/src/main/java/example/SecurityConfiguration.java

@@ -17,14 +17,13 @@ package example;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 @EnableWebSecurity
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
 
 	// @formatter:off
 	@Bean

servlet/java-configuration/authentication/username-password/jdbc/src/main/java/example/DataSourceConfiguration.java

@@ -34,7 +34,8 @@ public class DataSourceConfiguration {
 	@Bean
 	public DataSource dataSource() {
 		EmbeddedDatabaseBuilder builder = new EmbeddedDatabaseBuilder();
-		return builder.setType(EmbeddedDatabaseType.HSQL).build();
+		return builder.setType(EmbeddedDatabaseType.HSQL)
+				.addScript("classpath:org/springframework/security/core/userdetails/jdbc/users.ddl").build();
 	}
 
 }

servlet/java-configuration/authentication/username-password/jdbc/src/main/java/example/SecurityConfiguration.java

@@ -17,28 +17,27 @@ package example;
 
 import javax.sql.DataSource;
 
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.provisioning.JdbcUserDetailsManager;
+import org.springframework.security.provisioning.UserDetailsManager;
 
 @EnableWebSecurity
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
 
-	@Autowired
-	DataSource dataSource;
-
-	// @formatter:off
-	@Autowired
-	public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
-		auth
-				.jdbcAuthentication()
-				.dataSource(this.dataSource)
-				.withDefaultSchema()
-				.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"))
-				.withUser(User.withDefaultPasswordEncoder().username("admin").password("password").roles("ADMIN", "USER"));
+	@Bean
+	UserDetailsManager users(DataSource dataSource) {
+		UserDetails user = User.builder().username("user")
+				.password("{bcrypt}$2a$10$AiyMWI4UBLozgXq6itzyVuxrtofjcPzn/WS3fOrcqgzdax9jB7Io.").roles("USER").build();
+		UserDetails admin = User.builder().username("admin")
+				.password("{bcrypt}$2a$10$AiyMWI4UBLozgXq6itzyVuxrtofjcPzn/WS3fOrcqgzdax9jB7Io.").roles("USER", "ADMIN")
+				.build();
+		JdbcUserDetailsManager users = new JdbcUserDetailsManager(dataSource);
+		users.createUser(user);
+		users.createUser(admin);
+		return users;
 	}
-	// @formatter:on
 
 }

servlet/java-configuration/authentication/x509/src/main/java/example/SecurityConfiguration.java

@@ -18,27 +18,28 @@ package example;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
 @EnableWebSecurity
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
 
-	@Override
-	// @formatter:off
-	protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
-				.anyRequest().authenticated()
-			)
-			.x509(withDefaults());
+				.authorizeHttpRequests((authorize) -> authorize
+						.anyRequest().authenticated()
+				)
+				.x509(withDefaults());
+		// @formatter:on
+		return http.build();
 	}
-	// @formatter:on
 
 	// @formatter:off
 	@Bean

servlet/java-configuration/hello-mvc-security/src/main/java/example/SecurityConfiguration.java

@@ -18,28 +18,29 @@ package example;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
 @EnableWebSecurity
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
 
-	@Override
-	// @formatter:off
-	protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
-				.anyRequest().authenticated()
-			)
-			.httpBasic(withDefaults())
-			.formLogin(withDefaults());
+				.authorizeHttpRequests((authorize) -> authorize
+						.anyRequest().authenticated()
+				)
+				.httpBasic(withDefaults())
+				.formLogin(withDefaults());
+		// @formatter:on
+		return http.build();
 	}
-	// @formatter:on
 
 	// @formatter:off
 	@Bean

servlet/java-configuration/hello-security-explicit/src/main/java/example/SecurityConfiguration.java

@@ -18,28 +18,29 @@ package example;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
 @EnableWebSecurity
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
 
-	@Override
-	// @formatter:off
-	protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
-				.anyRequest().authenticated()
-			)
-			.httpBasic(withDefaults())
-			.formLogin(withDefaults());
+				.authorizeHttpRequests((authorize) -> authorize
+						.anyRequest().authenticated()
+				)
+				.httpBasic(withDefaults())
+				.formLogin(withDefaults());
+		// @formatter:on
+		return http.build();
 	}
-	// @formatter:on
 
 	// @formatter:off
 	@Bean

servlet/java-configuration/max-sessions/src/main/java/example/SecurityConfiguration.java

@@ -20,17 +20,35 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
+
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
+		http
+				.authorizeHttpRequests((authorize) -> authorize
+						.anyRequest().authenticated()
+				)
+				.formLogin(withDefaults())
+				.sessionManagement((sessions) -> sessions
+						.sessionConcurrency((concurrency) -> concurrency
+								.maximumSessions(1)
+								.expiredUrl("/login?expired")
+						)
+				);
+		// @formatter:on
+		return http.build();
+	}
 
 	// @formatter:off
 	@Bean
@@ -44,21 +62,4 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
 	}
 	// @formatter:on
 
-	// @formatter:off
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
-		http
-			.authorizeHttpRequests((authorize) -> authorize
-				.anyRequest().authenticated()
-			)
-			.formLogin(withDefaults())
-			.sessionManagement((sessions) -> sessions
-				.sessionConcurrency((concurrency) -> concurrency
-					.maximumSessions(1)
-					.expiredUrl("/login?expired")
-				)
-			);
-	}
-	// @formatter:on
-
 }

servlet/spring-boot/java/oauth2/resource-server/static/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java

@@ -19,35 +19,36 @@ import java.security.interfaces.RSAPublicKey;
 
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * OAuth2 Resource Server Configuration.
  *
  * @author Josh Cummings
  */
-@EnableWebSecurity
-public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
+@Configuration
+public class OAuth2ResourceServerSecurityConfiguration {
 
 	@Value("${spring.security.oauth2.resourceserver.jwt.key-value}")
 	RSAPublicKey key;
 
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize
-				.mvcMatchers("/message/**").hasAuthority("SCOPE_message:read")
-				.anyRequest().authenticated()
-			)
-			.oauth2ResourceServer((oauth2) -> oauth2
-				.jwt((jwt) -> jwt.decoder(jwtDecoder()))
-			);
+				.authorizeHttpRequests((authorize) -> authorize
+						.mvcMatchers("/message/**").hasAuthority("SCOPE_message:read")
+						.anyRequest().authenticated()
+				)
+				.oauth2ResourceServer((oauth2) -> oauth2
+						.jwt((jwt) -> jwt.decoder(jwtDecoder()))
+				);
 		// @formatter:on
+		return http.build();
 	}
 
 	@Bean