
Use http security nested builder in docs

Issue: gh-5557
Eleftheria Stein пре 6 година
родитељ
комит
b004f9f677

+ 8 - 4
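--- a/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/mvc.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/mvc.adoc
@@ -104,8 +104,10 @@ If we wanted to restrict access to this controller method to admin users, a deve
 ----
 protected configure(HttpSecurity http) throws Exception {
 	http
-		.authorizeRequests()
-			.antMatchers("/admin").hasRole("ADMIN");
+		.authorizeRequests(authorizeRequests ->
+		    authorizeRequests
+			    .antMatchers("/admin").hasRole("ADMIN")
+		);
 }
 ----
 
@@ -133,8 +135,10 @@ The following configuration will protect the same URLs that Spring MVC will matc
 ----
 protected configure(HttpSecurity http) throws Exception {
 	http
-		.authorizeRequests()
-			.mvcMatchers("/admin").hasRole("ADMIN");
+		.authorizeRequests(authorizeRequests ->
+		    authorizeRequests
+			    .mvcMatchers("/admin").hasRole("ADMIN")
+		);
 }
 ----
 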
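Review bot: Both rewritten listings still declare the method as `protected configure(HttpSecurity http) throws Exception {`, with no return type, so neither sample compiles when copied; in the `-104,8` and `-133,8` hunks the declaration should read `protected void configure(HttpSecurity http) throws Exception {`. The added lambda lines also indent with tabs followed by four spaces, while the rest of each listing uses tabs only, so the nesting renders unevenly at other tab widths.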

+ 107 - 61
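--- a/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc
@@ -16,15 +16,25 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Login()
-				.authorizationEndpoint()
-					...
-				.redirectionEndpoint()
-					...
-				.tokenEndpoint()
-					...
-				.userInfoEndpoint()
-					...
+			.oauth2Login(oauth2Login ->
+			    oauth2Login
+			        .authorizationEndpoint(authorizationEndpoint ->
+			            authorizationEndpoint
+			                ...
+			        )
+			        .redirectionEndpoint(redirectionEndpoint ->
+			            redirectionEndpoint
+			                ...
+			        )
+			        .tokenEndpoint(tokenEndpoint ->
+			            tokenEndpoint
+			                ...
+			        )
+			        .userInfoEndpoint(userInfoEndpoint ->
+			            userInfoEndpoint
+			                ...
+			        )
+			);
 	}
 }
 ----
@@ -58,27 +68,34 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Login()
-				.clientRegistrationRepository(this.clientRegistrationRepository())
-				.authorizedClientRepository(this.authorizedClientRepository())
-				.authorizedClientService(this.authorizedClientService())
-				.loginPage("/login")
-				.authorizationEndpoint()
-					.baseUri(this.authorizationRequestBaseUri())
-					.authorizationRequestRepository(this.authorizationRequestRepository())
-					.authorizationRequestResolver(this.authorizationRequestResolver())
-					.and()
-				.redirectionEndpoint()
-					.baseUri(this.authorizationResponseBaseUri())
-					.and()
-				.tokenEndpoint()
-					.accessTokenResponseClient(this.accessTokenResponseClient())
-					.and()
-				.userInfoEndpoint()
-					.userAuthoritiesMapper(this.userAuthoritiesMapper())
-					.userService(this.oauth2UserService())
-					.oidcUserService(this.oidcUserService())
-					.customUserType(GitHubOAuth2User.class, "github");
+			.oauth2Login(oauth2Login ->
+			    oauth2Login
+			        .clientRegistrationRepository(this.clientRegistrationRepository())
+			        .authorizedClientRepository(this.authorizedClientRepository())
+			        .authorizedClientService(this.authorizedClientService())
+			        .loginPage("/login")
+			        .authorizationEndpoint(authorizationEndpoint ->
+			            authorizationEndpoint
+			                .baseUri(this.authorizationRequestBaseUri())
+			                .authorizationRequestRepository(this.authorizationRequestRepository())
+			                .authorizationRequestResolver(this.authorizationRequestResolver())
+			        )
+			        .redirectionEndpoint(redirectionEndpoint ->
+			             redirectionEndpoint
+			                .baseUri(this.authorizationResponseBaseUri())
+			        )
+			        .tokenEndpoint(tokenEndpoint ->
+			            tokenEndpoint
+			                .accessTokenResponseClient(this.accessTokenResponseClient())
+			        )
+			        .userInfoEndpoint(userInfoEndpoint ->
+			            userInfoEndpoint
+			                .userAuthoritiesMapper(this.userAuthoritiesMapper())
+			                .userService(this.oauth2UserService())
+			                .oidcUserService(this.oidcUserService())
+			                .customUserType(GitHubOAuth2User.class, "github")
+			        )
+			);
 	}
 }
 ----
@@ -123,12 +140,16 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Login()
-				.loginPage("/login/oauth2")
-				...
-				.authorizationEndpoint()
-					.baseUri("/login/oauth2/authorization")
-					....
+			.oauth2Login(oauth2Login ->
+			    oauth2Login
+			        .loginPage("/login/oauth2")
+			        ...
+			        .authorizationEndpoint(authorizationEndpoint ->
+			            authorizationEndpoint
+			                .baseUri("/login/oauth2/authorization")
+			                ...
+			        )
+			);
 	}
 }
 ----
@@ -171,10 +192,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Login()
-				.redirectionEndpoint()
-					.baseUri("/login/oauth2/callback/*")
-					....
+			.oauth2Login(oauth2Login ->
+			    oauth2Login
+			        .redirectionEndpoint(redirectionEndpoint ->
+			            redirectionEndpoint
+			                .baseUri("/login/oauth2/callback/*")
+			                ...
+			        )
+			);
 	}
 }
 ----
@@ -234,10 +259,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Login()
-				.userInfoEndpoint()
-					.userAuthoritiesMapper(this.userAuthoritiesMapper())
-					...
+			.oauth2Login(oauth2Login ->
+			    oauth2Login
+			        .userInfoEndpoint(userInfoEndpoint ->
+			            userInfoEndpoint
+			                .userAuthoritiesMapper(this.userAuthoritiesMapper())
+			                ...
+			        )
+			);
 	}
 
 	private GrantedAuthoritiesMapper userAuthoritiesMapper() {
@@ -280,7 +309,8 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
-		http.oauth2Login();
+		http
+		    .oauth2Login(withDefaults());
 	}
 
 	@Bean
@@ -308,10 +338,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Login()
-				.userInfoEndpoint()
-					.oidcUserService(this.oidcUserService())
-					...
+			.oauth2Login(oauth2Login ->
+			    oauth2Login
+			        .userInfoEndpoint(userInfoEndpoint ->
+			            userInfoEndpoint
+			                .oidcUserService(this.oidcUserService())
+			                ...
+			        )
+			);
 	}
 
 	private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
@@ -355,10 +389,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Login()
-				.userInfoEndpoint()
-					.customUserType(GitHubOAuth2User.class, "github")
-					...
+			.oauth2Login(oauth2Login ->
+			    oauth2Login
+			        .userInfoEndpoint(userInfoEndpoint ->
+			            userInfoEndpoint
+			                .customUserType(GitHubOAuth2User.class, "github")
+			                ...
+			        )
+			);
 	}
 }
 ----
@@ -469,10 +507,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Login()
-				.userInfoEndpoint()
-					.userService(this.oauth2UserService())
-					...
+			.oauth2Login(oauth2Login ->
+			    oauth2Login
+			        .userInfoEndpoint(userInfoEndpoint ->
+			            userInfoEndpoint
+			                .userService(this.oauth2UserService())
+			                ...
+			        )
+			);
 	}
 
 	private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
@@ -501,10 +543,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Login()
-				.userInfoEndpoint()
-					.oidcUserService(this.oidcUserService())
-					...
+			.oauth2Login(oauth2Login ->
+			    oauth2Login
+				    .userInfoEndpoint(userInfoEndpoint ->
+				        userInfoEndpoint
+				            .oidcUserService(this.oidcUserService())
+			                ...
+			        )
+			);
 	}
 
 	private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {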
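Review bot: The `-280,7` hunk introduces `withDefaults()` in `.oauth2Login(withDefaults());` without showing where the name comes from, so a reader who copies the sample gets an unresolved symbol; the first listing that uses it should show `import static org.springframework.security.config.Customizer.withDefaults;` or name the import in the surrounding text. The same gap applies to the `withDefaults()` calls this commit adds in java-configuration.adoc, oauth2-login.adoc, cors.adoc and headers.adoc. In the `-501,10` hunk the added `.userInfoEndpoint(` line is indented with four tabs while its `...` placeholder and closing `)` use three, unlike the otherwise identical `-308,10` hunk.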

+ 5 - 3
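--- a/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc
@@ -169,9 +169,11 @@ or in Java configuration
 [source,java]
 ----
 http
-		.authorizeRequests()
-				.antMatchers("/user/{userId}/**").access("@webSecurity.checkUserId(authentication,#userId)")
-				...
+	.authorizeRequests(authorizeRequests ->
+	    authorizeRequests
+			.antMatchers("/user/{userId}/**").access("@webSecurity.checkUserId(authentication,#userId)")
+			...
+	);
 ----
 
 In both configurations URLs that match would pass in the path variable (and convert it) into checkUserId method.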

+ 116 - 86
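--- a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc
@@ -137,12 +137,12 @@ How does Spring Security know that we want to require all users to be authentica
 ----
 protected void configure(HttpSecurity http) throws Exception {
 	http
-		.authorizeRequests()
-			.anyRequest().authenticated()
-			.and()
-		.formLogin()
-			.and()
-		.httpBasic();
+		.authorizeRequests(authorizeRequests ->
+		    authorizeRequests
+			    .anyRequest().authenticated()
+		)
+		.formLogin(withDefaults())
+		.httpBasic(withDefaults());
 }
 ----
 
@@ -163,10 +163,6 @@ You will notice that this configuration is quite similar the XML Namespace confi
 </http>
 ----
 
-The Java Configuration equivalent of closing an XML tag is expressed using the `and()` method which allows us to continue configuring the parent.
-If you read the code it also makes sense.
-I want to configure authorized requests __and__ configure form login __and__ configure HTTP Basic authentication.
-
 [[jc-form]]
 == Java Configuration and Form Login
 You might be wondering where the login form came from when you were prompted to log in, since we made no mention of any HTML files or JSPs.
@@ -180,12 +176,15 @@ To do so we can update our configuration as seen below:
 ----
 protected void configure(HttpSecurity http) throws Exception {
 	http
-		.authorizeRequests()
-			.anyRequest().authenticated()
-			.and()
-		.formLogin()
-			.loginPage("/login") // <1>
-			.permitAll();        // <2>
+		.authorizeRequests(authorizeRequests ->
+		    authorizeRequests
+			    .anyRequest().authenticated()
+		)
+		.formLogin(formLogin ->
+		    formLogin
+			    .loginPage("/login") // <1>
+			    .permitAll()         // <2>
+	    );
 }
 ----
 
@@ -245,14 +244,14 @@ For example:
 ----
 protected void configure(HttpSecurity http) throws Exception {
 	http
-		.authorizeRequests()                                                                <1>
-			.antMatchers("/resources/**", "/signup", "/about").permitAll()                  <2>
-			.antMatchers("/admin/**").hasRole("ADMIN")                                      <3>
-			.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")            <4>
-			.anyRequest().authenticated()                                                   <5>
-			.and()
-		// ...
-		.formLogin();
+		.authorizeRequests(authorizeRequests ->                                        // <1>
+		    authorizeRequests
+			    .antMatchers("/resources/**", "/signup", "/about").permitAll()         // <2>
+			    .antMatchers("/admin/**").hasRole("ADMIN")                             // <3>
+			    .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")   // <4>
+			    .anyRequest().authenticated()                                          // <5>
+		)
+		.formLogin(withDefaults());
 }
 ----
 
@@ -282,14 +281,15 @@ Similar to configuring login capabilities, however, you also have various option
 ----
 protected void configure(HttpSecurity http) throws Exception {
 	http
-		.logout()                                                                <1>
-			.logoutUrl("/my/logout")                                                 <2>
-			.logoutSuccessUrl("/my/index")                                           <3>
-			.logoutSuccessHandler(logoutSuccessHandler)                              <4>
-			.invalidateHttpSession(true)                                             <5>
-			.addLogoutHandler(logoutHandler)                                         <6>
-			.deleteCookies(cookieNamesToClear)                                       <7>
-			.and()
+		.logout(logout ->                                                       // <1>
+		    logout
+			    .logoutUrl("/my/logout")                                        // <2>
+			    .logoutSuccessUrl("/my/index")                                  // <3>
+			    .logoutSuccessHandler(logoutSuccessHandler)                     // <4>
+			    .invalidateHttpSession(true)                                    // <5>
+			    .addLogoutHandler(logoutHandler)                                // <6>
+			    .deleteCookies(cookieNamesToClear)                              // <7>
+		)
 		...
 }
 ----
@@ -510,11 +510,14 @@ The first is a `WebSecurityConfigurerAdapter` that configures the app as a resou
 ```java
 protected void configure(HttpSecurity http) {
     http
-        .authorizeRequests()
-            .anyRequest().authenticated()
-            .and()
-        .oauth2ResourceServer()
-            .jwt();
+        .authorizeRequests(authorizeRequests ->
+            authorizeRequests
+                .anyRequest().authenticated()
+        )
+        .oauth2ResourceServer(oauth2ResourceServer ->
+            oauth2ResourceServer
+                .jwt(withDefaults())
+        );
 }
 ```
 
@@ -527,13 +530,18 @@ Replacing this is as simple as exposing the bean within the application:
 public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
     protected void configure(HttpSecurity http) {
         http
-            .authorizeRequests()
-                .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
-                .anyRequest().authenticated()
-                .and()
-            .oauth2ResourceServer()
-                .jwt()
-                    .jwtAuthenticationConverter(myConverter());
+            .authorizeRequests(authorizeRequests ->
+                authorizeRequests
+                    .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
+                    .anyRequest().authenticated()
+            )
+            .oauth2ResourceServer(oauth2ResourceServer ->
+                oauth2ResourceServer
+                    .jwt(jwt ->
+                        jwt
+                            .jwtAuthenticationConverter(myConverter())
+                    )
+            );
     }
 }
 ```
@@ -565,12 +573,17 @@ An authorization server's JWK Set Uri can be configured <<oauth2resourceserver-j
 public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
     protected void configure(HttpSecurity http) {
         http
-            .authorizeRequests()
-                .anyRequest().authenticated()
-                .and()
-            .oauth2ResourceServer()
-                .jwt()
-                    .jwkSetUri("https://idp.example.com/.well-known/jwks.json");
+            .authorizeRequests(authorizeRequests ->
+                authorizeRequests
+                    .anyRequest().authenticated()
+            )
+            .oauth2ResourceServer(oauth2ResourceServer ->
+                oauth2ResourceServer
+                    .jwt(jwt ->
+                        jwt
+                            .jwkSetUri("https://idp.example.com/.well-known/jwks.json")
+                    )
+            );
     }
 }
 ```
@@ -587,12 +600,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
 public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
     protected void configure(HttpSecurity http) {
         http
-            .authorizeRequests()
-                .anyRequest().authenticated()
-                .and()
-            .oauth2ResourceServer()
-                .jwt()
-                    .decoder(myCustomDecoder());
+            .authorizeRequests(authorizeRequests ->
+                authorizeRequests
+                    .anyRequest().authenticated()
+            )
+            .oauth2ResourceServer(oauth2ResourceServer ->
+                oauth2ResourceServer
+                    .jwt(jwt ->
+                        jwt
+                            .decoder(myCustomDecoder())
+                    )
+            );
     }
 }
 ```
@@ -627,13 +645,16 @@ This means that to protect an endpoint or method with a scope derived from a JWT
 public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
     protected void configure(HttpSecurity http) {
         http
-            .authorizeRequests()
-                .mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
-                .mvcMatchers("/messages/**").hasAuthority("SCOPE_messages")
-                .anyRequest().authenticated()
-                .and()
-            .oauth2ResourceServer()
-                .jwt();
+            .authorizeRequests(authorizeRequests ->
+                authorizeRequests
+                    .mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
+                    .mvcMatchers("/messages/**").hasAuthority("SCOPE_messages")
+                    .anyRequest().authenticated()
+            )
+            .oauth2ResourceServer(oauth2ResourceServer ->
+                oauth2ResourceServer
+                    .jwt(withDefaults())
+            );
     }
 }
 ```
@@ -659,12 +680,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
 public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
     protected void configure(HttpSecurity http) {
         http
-            .authorizeRequests()
-                .anyRequest().authenticated()
-                .and()
-            .oauth2ResourceServer()
-                .jwt()
-                    .jwtAuthenticationConverter(grantedAuthoritiesExtractor());
+            .authorizeRequests(authorizeRequests ->
+                authorizeRequests
+                    .anyRequest().authenticated()
+            )
+            .oauth2ResourceServer(oauth2ResourceServer ->
+                oauth2ResourceServer
+                    .jwt(jwt ->
+                        jwt
+                            .jwtAuthenticationConverter(grantedAuthoritiesExtractor())
+                    )
+            );
     }
 }
 
@@ -1078,10 +1104,11 @@ public class MultiHttpSecurityConfig {
 		protected void configure(HttpSecurity http) throws Exception {
 			http
 				.antMatcher("/api/**")                               <3>
-				.authorizeRequests()
-					.anyRequest().hasRole("ADMIN")
-					.and()
-				.httpBasic();
+				.authorizeRequests(authorizeRequests ->
+				    authorizeRequests
+					    .anyRequest().hasRole("ADMIN")
+			    )
+				.httpBasic(withDefaults());
 		}
 	}
 
@@ -1091,10 +1118,11 @@ public class MultiHttpSecurityConfig {
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			http
-				.authorizeRequests()
-					.anyRequest().authenticated()
-					.and()
-				.formLogin();
+				.authorizeRequests(authorizeRequests ->
+				    authorizeRequests
+					    .anyRequest().authenticated()
+				)
+				.formLogin(withDefaults());
 		}
 	}
 }
@@ -1221,15 +1249,17 @@ For example, if you wanted to configure the `filterSecurityPublishAuthorizationS
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 	http
-		.authorizeRequests()
-			.anyRequest().authenticated()
-			.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
-				public <O extends FilterSecurityInterceptor> O postProcess(
-						O fsi) {
-					fsi.setPublishAuthorizationSuccess(true);
-					return fsi;
-				}
-			});
+		.authorizeRequests(authorizeRequests ->
+			authorizeRequests
+				.anyRequest().authenticated()
+				.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
+					public <O extends FilterSecurityInterceptor> O postProcess(
+							O fsi) {
+						fsi.setPublishAuthorizationSuccess(true);
+						return fsi;
+					}
+				})
+		);
 }
 ----
 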
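Review bot: The resource-server listings (hunks `-510,11`, `-527,13`, `-565,12`, `-587,12`, `-627,13` and `-659,12`) still declare `protected void configure(HttpSecurity http) {` without `throws Exception`, although the `HttpSecurity` builder methods they call declare that checked exception, so these samples do not compile as shown; the signature should be `protected void configure(HttpSecurity http) throws Exception {`, as in the other listings of this file. The `-163,10` hunk also deletes the paragraph explaining `and()` without adding a sentence on the lambda form or on `withDefaults()`, which the rewritten samples now depend on. The `<3>` callout in the `-1078,10` hunk was left without the `//` prefix that this commit adds to the callouts in the `-245,14` and `-282,14` hunks.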

+ 41 - 24
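--- a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc
@@ -20,14 +20,18 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Client()
-				.clientRegistrationRepository(this.clientRegistrationRepository())
-				.authorizedClientRepository(this.authorizedClientRepository())
-				.authorizedClientService(this.authorizedClientService())
-				.authorizationCodeGrant()
-					.authorizationRequestRepository(this.authorizationRequestRepository())
-					.authorizationRequestResolver(this.authorizationRequestResolver())
-					.accessTokenResponseClient(this.accessTokenResponseClient());
+			.oauth2Client(oauth2Client ->
+			    oauth2Client
+				    .clientRegistrationRepository(this.clientRegistrationRepository())
+				    .authorizedClientRepository(this.authorizedClientRepository())
+				    .authorizedClientService(this.authorizedClientService())
+				    .authorizationCodeGrant(authorizationCodeGrant ->
+					    authorizationCodeGrant
+						    .authorizationRequestRepository(this.authorizationRequestRepository())
+						    .authorizationRequestResolver(this.authorizationRequestResolver())
+						    .accessTokenResponseClient(this.accessTokenResponseClient())
+				    )
+			);
 	}
 }
 ----
@@ -245,10 +249,14 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Client()
-				.authorizationCodeGrant()
-					.authorizationRequestRepository(this.cookieAuthorizationRequestRepository())
-					...
+			.oauth2Client(oauth2Client ->
+			    oauth2Client
+				    .authorizationCodeGrant(authorizationCodeGrant ->
+				        authorizationCodeGrant
+					        .authorizationRequestRepository(this.cookieAuthorizationRequestRepository())
+					        ...
+					)
+			);
 	}
 
 	private AuthorizationRequestRepository<OAuth2AuthorizationRequest> cookieAuthorizationRequestRepository() {
@@ -285,14 +293,19 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.authorizeRequests()
-				.anyRequest().authenticated()
-				.and()
-			.oauth2Login()
-				.authorizationEndpoint()
-					.authorizationRequestResolver(
-							new CustomAuthorizationRequestResolver(
-									this.clientRegistrationRepository));    <1>
+			.authorizeRequests(authorizeRequests ->
+			    authorizeRequests
+				    .anyRequest().authenticated()
+			)
+			.oauth2Login(oauth2Login ->
+				oauth2Login
+					.authorizationEndpoint(authorizationEndpoint ->
+						authorizationEndpoint
+							.authorizationRequestResolver(
+							    new CustomAuthorizationRequestResolver(
+							            this.clientRegistrationRepository))    <1>
+					)
+			);
 	}
 }
 
@@ -422,10 +435,14 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.oauth2Client()
-				.authorizationCodeGrant()
-					.accessTokenResponseClient(this.customAccessTokenResponseClient())
-					...
+			.oauth2Client(oauth2Client ->
+			    oauth2Client
+				    .authorizationCodeGrant(authorizationCodeGrant ->
+				        authorizationCodeGrant
+					        .accessTokenResponseClient(this.customAccessTokenResponseClient())
+					        ...
+					 )
+			);
 	}
 
 	private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> customAccessTokenResponseClient() {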
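Review bot: In the `-285,14` hunk the added line `this.clientRegistrationRepository))    <1>` keeps a bare `<1>` callout inside the lambda, whereas the same commit writes callouts as `// <1>` in java-configuration.adoc; using `// <1>` here would keep the listing valid Java when it is copied. The closing parentheses of the `authorizationCodeGrant` lambdas in the `-245,10` and `-422,10` hunks are also indented differently from each other (five tabs versus five tabs plus a space), which is worth normalising while these blocks are being rewritten.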

+ 15 - 12
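--- a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc
@@ -285,10 +285,11 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.authorizeRequests()
-				.anyRequest().authenticated()
-				.and()
-			.oauth2Login();
+			.authorizeRequests(authorizeRequests ->
+			    authorizeRequests
+				    .anyRequest().authenticated()
+			)
+			.oauth2Login(withDefaults());
 	}
 }
 ----
@@ -310,10 +311,11 @@ public class OAuth2LoginConfig {
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			http
-				.authorizeRequests()
-					.anyRequest().authenticated()
-					.and()
-				.oauth2Login();
+				.authorizeRequests(authorizeRequests ->
+				    authorizeRequests
+					    .anyRequest().authenticated()
+				)
+				.oauth2Login(withDefaults());
 		}
 	}
 
@@ -358,10 +360,11 @@ public class OAuth2LoginConfig {
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			http
-				.authorizeRequests()
-					.anyRequest().authenticated()
-					.and()
-				.oauth2Login();
+				.authorizeRequests(authorizeRequests ->
+				    authorizeRequests
+					    .anyRequest().authenticated()
+				)
+				.oauth2Login(withDefaults());
 		}
 	}
 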

+ 2 - 2
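--- a/docs/manual/src/docs/asciidoc/_includes/servlet/web/cors.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/web/cors.adoc
@@ -18,7 +18,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 	protected void configure(HttpSecurity http) throws Exception {
 		http
 			// by default uses a Bean by the name of corsConfigurationSource
-			.cors().and()
+			.cors(withDefaults())
 			...
 	}
 
@@ -59,7 +59,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 		http
 			// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
 			// Spring Security will use CORS configuration provided to Spring MVC
-			.cors().and()
+			.cors(withDefaults())
 			...
 	}
 }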

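--- a/docs/manual/src/docs/asciidoc/_includes/servlet/web/csrf.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/web/csrf.adoc
@@ -187,7 +187,9 @@ WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.csrf().disable();
+			.csrf(csrf ->
+			    csrf.disable()
+			);
 	}
 }
 ----
@@ -314,8 +316,10 @@ public class WebSecurityConfig extends
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.csrf()
-				.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+			.csrf(csrf ->
+			    csrf
+				    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+			);
 	}
 }
 ----
@@ -391,8 +395,10 @@ WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http
-			.logout()
-				.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
+			.logout(logout ->
+			    logout
+				    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
+			);
 	}
 }
 ----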
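Review bot: The logout listing in the last hunk keeps `new AntPathRequestMatcher("/logout")`, which is built without an HTTP method and so matches GET as well as POST, and nothing in the listing says so. Because this is the CSRF chapter, a reader copying the block should see that it opts out of the POST-only logout. I would put `// matches any HTTP method, so a GET to /logout logs the user out without a CSRF token` above `.logoutRequestMatcher(...)`. The prose around the listing is outside the hunk and may already cover this.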

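--- a/docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc
@@ -60,9 +60,15 @@ public class WebSecurityConfig extends
 	protected void configure(HttpSecurity http) throws Exception {
 		http
 			// ...
-			.headers()
-				.frameOptions().sameOrigin()
-				.httpStrictTransportSecurity().disable();
+			.headers(headers ->
+			    headers
+				    .frameOptions(frameOptions ->
+				        frameOptions.sameOrigin()
+				    )
+				    .httpStrictTransportSecurity(hsts ->
+				        hsts.disable()
+				    )
+			);
 	}
 }
 ----
@@ -92,15 +98,17 @@ If you are using Spring Security's Java Configuration the following will only ad
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		// do not use any default headers unless explicitly listed
-		.defaultsDisabled()
-		.cacheControl();
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    // do not use any default headers unless explicitly listed
+                    .defaultsDisabled()
+                    .cacheControl(withDefaults())
+            );
+    }
 }
 ----
 
@@ -126,12 +134,14 @@ If necessary, you can disable all of the HTTP Security response headers with the
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers().disable();
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers.disable()
+            );
+    }
 }
 ----
 
@@ -182,14 +192,16 @@ Similarly, you can enable only cache control within Java Configuration with the
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.defaultsDisabled()
-		.cacheControl();
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .defaultsDisabled()
+                    .cacheControl(withDefaults())
+            );
+    }
 }
 ----
 
@@ -263,14 +275,16 @@ If you want more control over the headers, you can explicitly specify the conten
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.defaultsDisabled()
-		.contentTypeOptions();
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .defaultsDisabled()
+                    .contentTypeOptions(withDefaults())
+            );
+    }
 }
 ----
 
@@ -327,16 +341,20 @@ Similarly, you can enable only HSTS headers with Java Configuration:
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.httpStrictTransportSecurity()
-			.includeSubdomains(true)
-			.preload(true)
-			.maxAgeSeconds(31536000);
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .httpStrictTransportSecurity(hsts ->
+                        hsts
+                            .includeSubDomains(true)
+                            .preload(true)
+                            .maxAgeInSeconds(31536000)
+                    )
+            );
+    }
 }
 ----
 
@@ -399,16 +417,20 @@ Similarly, you can enable HPKP headers with Java Configuration:
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-				http
-				// ...
-				.headers()
-						.httpPublicKeyPinning()
-								.includeSubdomains(true)
-								.reportUri("https://example.net/pkp-report")
-								.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
-		}
+	@Override
+	protected void configure(HttpSecurity http) throws Exception {
+		http
+			// ...
+			.headers(headers ->
+			    headers
+					.httpPublicKeyPinning(hpkp ->
+					    hpkp
+							.includeSubDomains(true)
+							.reportUri("https://example.net/pkp-report")
+							.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=")
+				    )
+			);
+	}
 }
 ----
 
@@ -461,14 +483,18 @@ Similarly, you can customize frame options to use the same origin within Java Co
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.frameOptions()
-			.sameOrigin();
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .frameOptions(frameOptions ->
+                        frameOptions
+                            .sameOrigin()
+                    )
+            );
+    }
 }
 ----
 
@@ -511,14 +537,18 @@ Similarly, you can customize XSS protection within Java Configuration with the f
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.xssProtection()
-			.block(false);
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .xssProtection(xssProtection ->
+                        xssProtection
+                            .block(false)
+                    )
+            );
+    }
 }
 ----
 
@@ -625,13 +655,18 @@ Similarly, you can enable the CSP header using Java configuration as shown below
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .contentSecurityPolicy(csp ->
+                        csp
+                            .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
+                       )
+            );
+    }
 }
 ----
 
@@ -643,14 +678,19 @@ To enable the CSP _'report-only'_ header, provide the following Java configurati
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
-		.reportOnly();
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .contentSecurityPolicy(csp ->
+                        csp
+                            .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
+                            .reportOnly()
+                    )
+            );
+    }
 }
 ----
 
@@ -707,13 +747,18 @@ Similarly, you can enable the Referrer Policy header using Java configuration as
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.referrerPolicy(ReferrerPolicy.SAME_ORIGIN);
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .referrerPolicy(referrerPolicy ->
+                        referrerPolicy
+                            .policy(ReferrerPolicy.SAME_ORIGIN)
+                    )
+            );
+    }
 }
 ----
 
@@ -757,13 +802,15 @@ Similarly, you can enable the Feature Policy header using Java configuration as
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.featurePolicy("geolocation 'self'");
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .featurePolicy("geolocation 'self'")
+            );
+    }
 }
 ----
 
@@ -804,13 +851,15 @@ Similarly, the headers could be added to the response using Java Configuration a
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value"));
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value"))
+            );
+    }
 }
 ----
 
@@ -849,13 +898,15 @@ We could also restrict framing of content to the same origin with Java configura
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-	// ...
-	.headers()
-		.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
+            );
+    }
 }
 ----
 
@@ -903,17 +954,21 @@ We could also prevent framing of content to the log in page using java configura
 public class WebSecurityConfig extends
 WebSecurityConfigurerAdapter {
 
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	RequestMatcher matcher = new AntPathRequestMatcher("/login");
-	DelegatingRequestMatcherHeaderWriter headerWriter =
-		new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter());
-	http
-	// ...
-	.headers()
-		.frameOptions().disabled()
-		.addHeaderWriter(headerWriter);
-}
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        RequestMatcher matcher = new AntPathRequestMatcher("/login");
+        DelegatingRequestMatcherHeaderWriter headerWriter =
+            new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter());
+        http
+            // ...
+            .headers(headers ->
+                headers
+                    .frameOptions(frameOptions ->
+                        frameOptions.disable()
+                    )
+                    .addHeaderWriter(headerWriter)
+            );
+    }
 }
 ----
 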
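Review bot: In the last hunk, `frameOptions.disable()` turns off the default X-Frame-Options header for every response and `headerWriter` then adds it back only for requests matching `/login`, yet the listing carries no comment saying that other pages lose the header. As far as the visible lines show (the `// ...` elides other configuration), a reader who copies this to protect the login page also makes the rest of the application frameable. I would add `// removes the default X-Frame-Options from all responses; the writer below re-adds it for /login only` above `.frameOptions(frameOptions ->`.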

+ 23 - 14
docs/manual/src/docs/asciidoc/_includes/servlet/web/websocket.adoc

@@ -323,9 +323,13 @@ public class WebSecurityConfig extends
   protected void configure(HttpSecurity http) throws Exception {
   protected void configure(HttpSecurity http) throws Exception {
     http
     http
       // ...
       // ...
-      .headers()
-        .frameOptions()
-            .sameOrigin();
+      .headers(headers ->
+        headers
+          .frameOptions(frameOptions ->
+             frameOptions
+               .sameOrigin()
+          )
+      );
   }
   }
 }
 }
 ----
 ----
@@ -356,18 +360,23 @@ public class WebSecurityConfig
 
 
     @Override
     @Override
     protected void configure(HttpSecurity http) throws Exception {
     protected void configure(HttpSecurity http) throws Exception {
-
         http
         http
-            .csrf()
-                // ignore our stomp endpoints since they are protected using Stomp headers
-                .ignoringAntMatchers("/chat/**")
-                .and()
-            .headers()
-                // allow same origin to frame our site to support iframe SockJS
-                .frameOptions().sameOrigin()
-                .and()
-            .authorizeRequests()
-
+            .csrf(csrf ->
+                csrf
+                    // ignore our stomp endpoints since they are protected using Stomp headers
+                    .ignoringAntMatchers("/chat/**")
+            )
+            .headers(headers ->
+                headers
+                    // allow same origin to frame our site to support iframe SockJS
+                    .frameOptions(frameOptions ->
+                        frameOptions
+                            .sameOrigin()
+                    )
+            )
+            .authorizeRequests(authorizeRequests ->
+                ...
+            )
             ...
             ...
 ----
 ----