2 месяцев назад · 45a1447e9b
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -103,6 +103,8 @@ import org.springframework.web.cors.CorsConfiguration;
 
				 import org.springframework.web.filter.CorsFilter;
			
 
				 import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
			
 
				 
			
 
				+import static org.springframework.security.config.Customizer.withDefaults;
			
 
				+
			
 
				 /**
			
 
				  * A {@link HttpSecurity} is similar to Spring Security's XML &lt;http&gt; element in the
			
 
				  * namespace configuration. It allows configuring web based security for specific http
			
@@ -219,8 +221,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	/**
			
 
				 	 * Adds the Security headers to the response. This is activated by default when using
			
 
				 	 * {@link EnableWebSecurity}. Accepting the default provided by
			
 
				-	 * {@link EnableWebSecurity} or only invoking {@link #headers()} without invoking
			
 
				-	 * additional methods on it, is the equivalent of:
			
 
				+	 * {@link EnableWebSecurity} or only invoking {@link #headers(withDefaults())} without
			
 
				+	 * invoking additional methods on it, is the equivalent of:
			
 
				 	 *
			
 
				 	 * <pre>
			
 
				 	 * &#064;Configuration
			
@@ -266,8 +268,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 *
			
 
				 	 * You can enable only a few of the headers by first invoking
			
 
				 	 * {@link HeadersConfigurer#defaultsDisabled()} and then invoking the appropriate
			
 
				-	 * methods on the {@link #headers()} result. For example, the following will enable
			
 
				-	 * {@link HeadersConfigurer#cacheControl()} and
			
 
				+	 * methods on the {@link #headers(withDefaults())} result. For example, the following
			
 
				+	 * will enable {@link HeadersConfigurer#cacheControl()} and
			
 
				 	 * {@link HeadersConfigurer#frameOptions()} only.
			
 
				 	 *
			
 
				 	 * <pre>
			
@@ -331,7 +333,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 * <h2>Example Configurations</h2>
			
 
				 	 *
			
 
				 	 * Accepting the default provided by {@link EnableWebSecurity} or only invoking
			
 
				-	 * {@link #headers()} without invoking additional methods on it, is the equivalent of:
			
 
				+	 * {@link #headers(Customizer)} without invoking additional methods on it, is the
			
 
				+	 * equivalent of:
			
 
				 	 *
			
 
				 	 * <pre>
			
 
				 	 * &#064;Configuration
			
@@ -372,9 +375,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 *
			
 
				 	 * You can enable only a few of the headers by first invoking
			
 
				 	 * {@link HeadersConfigurer#defaultsDisabled()} and then invoking the appropriate
			
 
				-	 * methods on the {@link #headers()} result. For example, the following will enable
			
 
				-	 * {@link HeadersConfigurer#cacheControl()} and
			
 
				-	 * {@link HeadersConfigurer#frameOptions()} only.
			
 
				+	 * methods on the {@link #headers(Customizer)} result. For example, the following will
			
 
				+	 * enable {@link HeadersConfigurer#cacheControl(Customizer)} and
			
 
				+	 * {@link HeadersConfigurer#frameOptions(Customizer)} only.
			
 
				 	 *
			
 
				 	 * <pre>
			
 
				 	 * &#064;Configuration
			
@@ -397,7 +400,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 *
			
 
				 	 * You can also choose to keep the defaults but explicitly disable a subset of
			
 
				 	 * headers. For example, the following will enable all the default headers except
			
 
				-	 * {@link HeadersConfigurer#frameOptions()}.
			
 
				+	 * {@link HeadersConfigurer#frameOptions(Customizer)}.
			
 
				 	 *
			
 
				 	 * <pre>
			
 
				 	 * &#064;Configuration
			
@@ -615,9 +618,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 * {@link HttpSecurity#getSharedObject(Class)}. Other provided
			
 
				 	 * {@link SecurityConfigurer} objects use this configured {@link PortMapper} as a
			
 
				 	 * default {@link PortMapper} when redirecting from HTTP to HTTPS or from HTTPS to
			
 
				-	 * HTTP (for example when used in combination with {@link #requiresChannel()}. By
			
 
				-	 * default Spring Security uses a {@link PortMapperImpl} which maps the HTTP port 8080
			
 
				-	 * to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.
			
 
				+	 * HTTP (for example when used in combination with
			
 
				+	 * {@link #requiresChannel(Customizer)} )}. By default Spring Security uses a
			
 
				+	 * {@link PortMapperImpl} which maps the HTTP port 8080 to the HTTPS port 8443 and the
			
 
				+	 * HTTP port of 80 to the HTTPS port of 443.
			
 
				 	 *
			
 
				 	 * <h2>Example Configuration</h2>
			
 
				 	 *
			
@@ -657,7 +661,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 * <a href=
			
 
				 	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
			
 
				 	 * for more details.
			
 
				-	 * @see #requiresChannel()
			
 
				+	 * @see #requiresChannel(withDefaults())
			
 
				 	 */
			
 
				 	@Deprecated(since = "6.1", forRemoval = true)
			
 
				 	public PortMapperConfigurer<HttpSecurity> portMapper() throws Exception {
			
@@ -669,9 +673,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 * {@link HttpSecurity#getSharedObject(Class)}. Other provided
			
 
				 	 * {@link SecurityConfigurer} objects use this configured {@link PortMapper} as a
			
 
				 	 * default {@link PortMapper} when redirecting from HTTP to HTTPS or from HTTPS to
			
 
				-	 * HTTP (for example when used in combination with {@link #requiresChannel()}. By
			
 
				-	 * default Spring Security uses a {@link PortMapperImpl} which maps the HTTP port 8080
			
 
				-	 * to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.
			
 
				+	 * HTTP (for example when used in combination with
			
 
				+	 * {@link #requiresChannel(withDefaults())}. By default Spring Security uses a
			
 
				+	 * {@link PortMapperImpl} which maps the HTTP port 8080 to the HTTPS port 8443 and the
			
 
				+	 * HTTP port of 80 to the HTTPS port of 443.
			
 
				 	 *
			
 
				 	 * <h2>Example Configuration</h2>
			
 
				 	 *
			
@@ -714,7 +719,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 * {@link PortMapperConfigurer}
			
 
				 	 * @return the {@link HttpSecurity} for further customizations
			
 
				 	 * @throws Exception
			
 
				-	 * @see #requiresChannel()
			
 
				+	 * @see #requiresChannel(Customizer)
			
 
				 	 */
			
 
				 	public HttpSecurity portMapper(Customizer<PortMapperConfigurer<HttpSecurity>> portMapperCustomizer)
			
 
				 			throws Exception {
			
@@ -1776,7 +1781,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 * Provides logout support. This is automatically applied when using
			
 
				 	 * {@link EnableWebSecurity}. The default is that accessing the URL "/logout" will log
			
 
				 	 * the user out by invalidating the HTTP Session, cleaning up any
			
 
				-	 * {@link #rememberMe()} authentication that was configured, clearing the
			
 
				+	 * {@link #rememberMe(Customizer)} authentication that was configured, clearing the
			
 
				 	 * {@link SecurityContextHolder}, and then redirect to "/login?success".
			
 
				 	 *
			
 
				 	 * <h2>Example Custom Configuration</h2>
			
@@ -1827,8 +1832,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 * Provides logout support. This is automatically applied when using
			
 
				 	 * {@link EnableWebSecurity}. The default is that accessing the URL "/logout" will log
			
 
				 	 * the user out by invalidating the HTTP Session, cleaning up any
			
 
				-	 * {@link #rememberMe()} authentication that was configured, clearing the
			
 
				-	 * {@link SecurityContextHolder}, and then redirect to "/login?success".
			
 
				+	 * {@link #rememberMe(withDefaults())} authentication that was configured, clearing
			
 
				+	 * the {@link SecurityContextHolder}, and then redirect to "/login?success".
			
 
				 	 *
			
 
				 	 * <h2>Example Custom Configuration</h2>
			
 
				 	 *
			
@@ -2499,7 +2504,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
				 	 * {@link RelyingPartyRegistration}(s) are composed within a
			
 
				 	 * {@link RelyingPartyRegistrationRepository}, which is <b>required</b> and must be
			
 
				 	 * registered with the {@link ApplicationContext} or configured via
			
 
				-	 * {@link #saml2Login()}.<br>
			
 
				+	 * {@link #saml2Login(withDefaults())}.<br>
			
 
				 	 * <br>
			
 
				 	 *
			
 
				 	 * The default configuration provides an auto-generated logout endpoint at
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
@@ -46,8 +46,9 @@ import org.springframework.security.web.SecurityFilterChain;
 
				  *
			
 
				  * 	&#064;Bean
			
 
				  * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
			
 
				- * 		http.authorizeHttpRequests().requestMatchers(&quot;/public/**&quot;).permitAll().anyRequest()
			
 
				- * 				.hasRole(&quot;USER&quot;).and()
			
 
				+ * 		http.authorizeHttpRequests((authorize) -&gt; authorize
			
 
				+ * 			.requestMatchers(&quot;/public/**&quot;).permitAll()
			
 
				+ * 			.anyRequest().hasRole(&quot;USER&quot;))
			
 
				  * 				// Possibly more configuration ...
			
 
				  * 				.formLogin() // enable form based log in
			
 
				  * 				// set permitAll for all URLs associated with Form Login
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java
@@ -21,6 +21,7 @@ import java.util.UUID;
 
				 
			
 
				 import org.springframework.security.authentication.AnonymousAuthenticationProvider;
			
 
				 import org.springframework.security.authentication.AuthenticationProvider;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.SecurityConfigurer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
@@ -57,7 +58,7 @@ public final class AnonymousConfigurer<H extends HttpSecurityBuilder<H>>
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#anonymous()
			
 
				+	 * @see HttpSecurity#anonymous(Customizer)
			
 
				 	 */
			
 
				 	public AnonymousConfigurer() {
			
 
				 	}
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurer.java
@@ -43,6 +43,8 @@ import org.springframework.security.web.access.channel.SecureChannelProcessor;
 
				 import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
			
 
				 import org.springframework.security.web.util.matcher.RequestMatcher;
			
 
				 
			
 
				+import static org.springframework.security.config.Customizer.withDefaults;
			
 
				+
			
 
				 /**
			
 
				  * Adds channel security (i.e. requires HTTPS or HTTP) to an application. In order for
			
 
				  * {@link ChannelSecurityConfigurer} to be useful, at least one {@link RequestMatcher}
			
@@ -96,7 +98,7 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#requiresChannel()
			
 
				+	 * @see HttpSecurity#requiresChannel(Customizer)
			
 
				 	 */
			
 
				 	public ChannelSecurityConfigurer(ApplicationContext context) {
			
 
				 		this.REGISTRY = new ChannelRequestMatcherRegistry(context);
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurer.java
@@ -18,6 +18,7 @@ package org.springframework.security.config.annotation.web.configurers;
 
				 
			
 
				 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
			
 
				 import org.springframework.context.ApplicationContext;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				 import org.springframework.util.Assert;
			
@@ -57,7 +58,7 @@ public class CorsConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHt
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				 	 *
			
 
				-	 * @see HttpSecurity#cors()
			
 
				+	 * @see HttpSecurity#cors(Customizer)
			
 
				 	 */
			
 
				 	public CorsConfigurer() {
			
 
				 	}
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java
@@ -27,6 +27,7 @@ import jakarta.servlet.http.HttpServletResponse;
 
				 
			
 
				 import org.springframework.context.ApplicationContext;
			
 
				 import org.springframework.security.access.AccessDeniedException;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
@@ -56,6 +57,8 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
 
				 import org.springframework.util.Assert;
			
 
				 import org.springframework.util.StringUtils;
			
 
				 
			
 
				+import static org.springframework.security.config.Customizer.withDefaults;
			
 
				+
			
 
				 /**
			
 
				  * Adds
			
 
				  * <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)" >CSRF</a>
			
@@ -103,7 +106,7 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#csrf()
			
 
				+	 * @see HttpSecurity#csrf(Customizer)
			
 
				 	 */
			
 
				 	public CsrfConfigurer(ApplicationContext context) {
			
 
				 		this.context = context;
			
@@ -163,9 +166,8 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
				 	 *
			
 
				 	 * <pre>
			
 
				 	 * http
			
 
				-	 *     .csrf()
			
 
				-	 *         .ignoringRequestMatchers((request) -&gt; "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
			
 
				-	 *         .and()
			
 
				+	 *     .csrf((csrf) -&gt; csrf
			
 
				+	 *         .ignoringRequestMatchers((request) -&gt; "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))))
			
 
				 	 *     ...
			
 
				 	 * </pre>
			
 
				 	 *
			
@@ -191,9 +193,8 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
				 	 *
			
 
				 	 * <pre>
			
 
				 	 * http
			
 
				-	 *     .csrf()
			
 
				-	 *         .ignoringRequestMatchers("/sockjs/**")
			
 
				-	 *         .and()
			
 
				+	 *     .csrf((csrf) -&gt; csrf
			
 
				+	 *         .ignoringRequestMatchers("/sockjs/**"))
			
 
				 	 *     ...
			
 
				 	 * </pre>
			
 
				 	 *
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurer.java
@@ -18,6 +18,7 @@ package org.springframework.security.config.annotation.web.configurers;
 
				 
			
 
				 import java.util.LinkedHashMap;
			
 
				 
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				 import org.springframework.security.web.AuthenticationEntryPoint;
			
@@ -76,7 +77,7 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>>
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#exceptionHandling()
			
 
				+	 * @see HttpSecurity#exceptionHandling(Customizer)
			
 
				 	 */
			
 
				 	public ExceptionHandlingConfigurer() {
			
 
				 	}
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
@@ -29,6 +29,7 @@ import org.springframework.security.access.SecurityConfig;
 
				 import org.springframework.security.access.expression.SecurityExpressionHandler;
			
 
				 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
			
 
				 import org.springframework.security.authentication.AuthenticationTrustResolver;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.ObjectPostProcessor;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
@@ -41,6 +42,8 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
 
				 import org.springframework.util.Assert;
			
 
				 import org.springframework.util.StringUtils;
			
 
				 
			
 
				+import static org.springframework.security.config.Customizer.withDefaults;
			
 
				+
			
 
				 /**
			
 
				  * Adds URL based authorization based upon SpEL expressions to an application. At least
			
 
				  * one {@link org.springframework.web.bind.annotation.RequestMapping} needs to be mapped
			
@@ -77,7 +80,7 @@ import org.springframework.util.StringUtils;
 
				  * @author Yanming Zhou
			
 
				  * @author Ngoc Nhan
			
 
				  * @since 3.2
			
 
				- * @see org.springframework.security.config.annotation.web.builders.HttpSecurity#authorizeRequests()
			
 
				+ * @see org.springframework.security.config.annotation.web.builders.HttpSecurity#authorizeRequests(Customizer)
			
 
				  * @deprecated Use {@link AuthorizeHttpRequestsConfigurer} instead
			
 
				  */
			
 
				 @Deprecated
			
@@ -104,7 +107,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#authorizeRequests()
			
 
				+	 * @see HttpSecurity#authorizeRequests(Customizer)
			
 
				 	 */
			
 
				 	public ExpressionUrlAuthorizationConfigurer(ApplicationContext context) {
			
 
				 		GrantedAuthorityDefaults grantedAuthorityDefaults = context.getBeanProvider(GrantedAuthorityDefaults.class)
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java
@@ -17,6 +17,7 @@
 
				 package org.springframework.security.config.annotation.web.configurers;
			
 
				 
			
 
				 import org.springframework.http.HttpMethod;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.RequestMatcherFactory;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
@@ -74,7 +75,7 @@ public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#formLogin()
			
 
				+	 * @see HttpSecurity#formLogin(Customizer)
			
 
				 	 */
			
 
				 	public FormLoginConfigurer() {
			
 
				 		super(new UsernamePasswordAuthenticationFilter(), null);
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
@@ -48,6 +48,8 @@ import org.springframework.security.web.header.writers.frameoptions.XFrameOption
 
				 import org.springframework.security.web.util.matcher.RequestMatcher;
			
 
				 import org.springframework.util.Assert;
			
 
				 
			
 
				+import static org.springframework.security.config.Customizer.withDefaults;
			
 
				+
			
 
				 /**
			
 
				  * <p>
			
 
				  * Adds the Security HTTP headers to the response. Security HTTP headers is activated by
			
@@ -111,7 +113,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				 	 *
			
 
				-	 * @see HttpSecurity#headers()
			
 
				+	 * @see HttpSecurity#headers(Customizer)
			
 
				 	 */
			
 
				 	public HeadersConfigurer() {
			
 
				 	}
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
@@ -26,6 +26,7 @@ import org.springframework.http.HttpStatus;
 
				 import org.springframework.http.MediaType;
			
 
				 import org.springframework.security.authentication.AuthenticationDetailsSource;
			
 
				 import org.springframework.security.authentication.AuthenticationManager;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				 import org.springframework.security.web.AuthenticationEntryPoint;
			
@@ -98,7 +99,7 @@ public final class HttpBasicConfigurer<B extends HttpSecurityBuilder<B>>
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#httpBasic()
			
 
				+	 * @see HttpSecurity#httpBasic(Customizer)
			
 
				 	 */
			
 
				 	public HttpBasicConfigurer() {
			
 
				 		realmName(DEFAULT_REALM);
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurer.java
@@ -22,6 +22,7 @@ import java.util.Set;
 
				 import jakarta.servlet.http.HttpServletRequest;
			
 
				 
			
 
				 import org.springframework.security.authentication.AuthenticationManager;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				 import org.springframework.security.core.authority.mapping.SimpleMappableAttributesRetriever;
			
@@ -77,7 +78,7 @@ public final class JeeConfigurer<H extends HttpSecurityBuilder<H>> extends Abstr
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#jee()
			
 
				+	 * @see HttpSecurity#jee(Customizer)
			
 
				 	 */
			
 
				 	public JeeConfigurer() {
			
 
				 	}
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
@@ -23,6 +23,7 @@ import java.util.List;
 
				 import jakarta.servlet.http.HttpSession;
			
 
				 
			
 
				 import org.springframework.http.HttpMethod;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.SecurityConfigurer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.RequestMatcherFactory;
			
@@ -92,7 +93,7 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#logout()
			
 
				+	 * @see HttpSecurity#logout(Customizer)
			
 
				 	 */
			
 
				 	public LogoutConfigurer() {
			
 
				 	}
			
@@ -150,7 +151,7 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 
				 	 * @param logoutUrl the URL that will invoke logout.
			
 
				 	 * @return the {@link LogoutConfigurer} for further customization
			
 
				 	 * @see #logoutRequestMatcher(RequestMatcher)
			
 
				-	 * @see HttpSecurity#csrf()
			
 
				+	 * @see HttpSecurity#csrf(Customizer)
			
 
				 	 */
			
 
				 	public LogoutConfigurer<H> logoutUrl(String logoutUrl) {
			
 
				 		this.logoutRequestMatcher = null;
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
@@ -16,6 +16,7 @@
 
				 
			
 
				 package org.springframework.security.config.annotation.web.configurers;
			
 
				 
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				 import org.springframework.security.config.http.SessionCreationPolicy;
			
@@ -70,7 +71,7 @@ public final class SecurityContextConfigurer<H extends HttpSecurityBuilder<H>>
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#securityContext()
			
 
				+	 * @see HttpSecurity#securityContext(Customizer)
			
 
				 	 */
			
 
				 	public SecurityContextConfigurer() {
			
 
				 	}
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java
@@ -23,6 +23,7 @@ import jakarta.servlet.http.HttpServletRequest;
 
				 import org.springframework.context.ApplicationContext;
			
 
				 import org.springframework.security.authentication.AuthenticationManager;
			
 
				 import org.springframework.security.authentication.AuthenticationTrustResolver;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				 import org.springframework.security.config.core.GrantedAuthorityDefaults;
			
@@ -66,7 +67,7 @@ public final class ServletApiConfigurer<H extends HttpSecurityBuilder<H>>
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#servletApi()
			
 
				+	 * @see HttpSecurity#servletApi(Customizer)
			
 
				 	 */
			
 
				 	public ServletApiConfigurer() {
			
 
				 	}
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
@@ -66,6 +66,8 @@ import org.springframework.security.web.session.SimpleRedirectSessionInformation
 
				 import org.springframework.util.Assert;
			
 
				 import org.springframework.util.CollectionUtils;
			
 
				 
			
 
				+import static org.springframework.security.config.Customizer.withDefaults;
			
 
				+
			
 
				 /**
			
 
				  * Allows configuring session management.
			
 
				  *
			
@@ -152,7 +154,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#sessionManagement()
			
 
				+	 * @see HttpSecurity#sessionManagement(Customizer)
			
 
				 	 */
			
 
				 	public SessionManagementConfigurer() {
			
 
				 	}
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
@@ -21,6 +21,7 @@ import jakarta.servlet.http.HttpServletRequest;
 
				 import org.springframework.context.ApplicationContext;
			
 
				 import org.springframework.security.authentication.AuthenticationDetailsSource;
			
 
				 import org.springframework.security.authentication.AuthenticationManager;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				 import org.springframework.security.core.Authentication;
			
@@ -90,7 +91,7 @@ public final class X509Configurer<H extends HttpSecurityBuilder<H>>
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				 	 *
			
 
				-	 * @see HttpSecurity#x509()
			
 
				+	 * @see HttpSecurity#x509(Customizer)
			
 
				 	 */
			
 
				 	public X509Configurer() {
			
 
				 	}
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
@@ -104,6 +104,8 @@ import org.springframework.util.Assert;
 
				 import org.springframework.util.ClassUtils;
			
 
				 import org.springframework.util.ReflectionUtils;
			
 
				 
			
 
				+import static org.springframework.security.config.Customizer.withDefaults;
			
 
				+
			
 
				 /**
			
 
				  * An {@link AbstractHttpConfigurer} for OAuth 2.0 Login, which leverages the OAuth 2.0
			
 
				  * Authorization Code Grant Flow.
			
@@ -155,7 +157,7 @@ import org.springframework.util.ReflectionUtils;
 
				  * @author Kazuki Shimizu
			
 
				  * @author Ngoc Nhan
			
 
				  * @since 5.0
			
 
				- * @see HttpSecurity#oauth2Login()
			
 
				+ * @see HttpSecurity#oauth2Login(Customizer)
			
 
				  * @see OAuth2AuthorizationRequestRedirectFilter
			
 
				  * @see OAuth2LoginAuthenticationFilter
			
 
				  * @see ClientRegistrationRepository
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
@@ -27,6 +27,7 @@ import org.opensaml.core.Version;
 
				 import org.springframework.context.ApplicationContext;
			
 
				 import org.springframework.security.authentication.AuthenticationManager;
			
 
				 import org.springframework.security.authentication.AuthenticationProvider;
			
 
				+import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
			
 
				 import org.springframework.security.config.annotation.web.RequestMatcherFactory;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
@@ -111,7 +112,7 @@ import org.springframework.util.StringUtils;
 
				  * </ul>
			
 
				  *
			
 
				  * @since 5.2
			
 
				- * @see HttpSecurity#saml2Login()
			
 
				+ * @see HttpSecurity#saml2Login(Customizer)
			
 
				  * @see Saml2WebSsoAuthenticationFilter
			
 
				  * @see Saml2WebSsoAuthenticationRequestFilter
			
 
				  * @see RelyingPartyRegistrationRepository
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java
@@ -71,6 +71,8 @@ import org.springframework.security.web.util.matcher.AndRequestMatcher;
 
				 import org.springframework.security.web.util.matcher.ParameterRequestMatcher;
			
 
				 import org.springframework.security.web.util.matcher.RequestMatcher;
			
 
				 
			
 
				+import static org.springframework.security.config.Customizer.withDefaults;
			
 
				+
			
 
				 /**
			
 
				  * Adds SAML 2.0 logout support.
			
 
				  *
			
@@ -135,7 +137,7 @@ public final class Saml2LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance
			
 
				-	 * @see HttpSecurity#logout()
			
 
				+	 * @see HttpSecurity#logout(Customizer)
			
 
				 	 */
			
 
				 	public Saml2LogoutConfigurer(ApplicationContext context) {
			
 
				 		this.context = context;
			
@@ -158,7 +160,7 @@ public final class Saml2LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 
				 	 * @param logoutUrl the URL that will invoke logout
			
 
				 	 * @return the {@link LogoutConfigurer} for further customizations
			
 
				 	 * @see LogoutConfigurer#logoutUrl(String)
			
 
				-	 * @see HttpSecurity#csrf()
			
 
				+	 * @see HttpSecurity#csrf(Customizer)
			
 
				 	 */
			
 
				 	public Saml2LogoutConfigurer<H> logoutUrl(String logoutUrl) {
			
 
				 		this.logoutUrl = logoutUrl;