Update documentation containing examples of WebSecurityConfigurerAdapter

Closes gh-24551
spring-projects · Dec 22, 2020 · a714ba4 · a714ba4
1 parent 33dda3a
commit a714ba4
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 45 deletions.
diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc
@@ -2434,19 +2434,15 @@ You can switch on the valve by adding some entries to `application.properties`,
 (The presence of either of those properties switches on the valve.
 Alternatively, you can add the `RemoteIpValve` by adding a `TomcatServletWebServerFactory` bean.)
 
-To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `WebSecurityConfigurerAdapter` that adds the following `HttpSecurity` configuration:
+To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `SecurityFilterChain` bean that adds the following `HttpSecurity` configuration:
 
 [source,java,indent=0,subs="verbatim,quotes,attributes"]
 ----
-	@Configuration(proxyBeanMethods = false)
-	public class SslWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-			// Customize the application security
-			http.requiresChannel().anyRequest().requiresSecure();
-		}
-
+	@Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // Customize the application security
+		http.requiresChannel().anyRequest().requiresSecure();
+        return http.build();
 	}
 ----
 

diff --git a/...-boot-project/spring-boot-docs/src/docs/asciidoc/production-ready-features.adoc b/...-boot-project/spring-boot-docs/src/docs/asciidoc/production-ready-features.adoc
@@ -359,16 +359,12 @@ A typical Spring Security configuration might look something like the following
 
 [source,java,indent=0]
 ----
-	@Configuration(proxyBeanMethods = false)
-	public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-			http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-					requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
-			http.httpBasic();
-		}
-
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+                requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+        http.httpBasic();
+        return http.build();
 	}
 ----
 
@@ -392,18 +388,17 @@ Additionally, if Spring Security is present, you would need to add custom securi
 
 [source,java,indent=0]
 ----
-	@Configuration(proxyBeanMethods = false)
-	public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-			http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
 				requests.anyRequest().permitAll());
-		}
-
-	}
+        return http.build();
+    }
 ----
 
+NOTE: In both the examples above, the configuration applies only to the actuator endpoints.
+Since Spring Boot's security configuration backs off completely in the presence of any `SecurityFilterChain` bean, you will need to configure an additional `SecurityFilterChain` bean with rules that apply to the rest of the application.
+
 
 
 [[production-ready-endpoints-caching]]

diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/spring-boot-features.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/spring-boot-features.adoc
@@ -3695,11 +3695,11 @@ You can provide a different `AuthenticationEventPublisher` by adding a bean for
 === MVC Security
 The default security configuration is implemented in `SecurityAutoConfiguration` and `UserDetailsServiceAutoConfiguration`.
 `SecurityAutoConfiguration` imports `SpringBootWebSecurityConfiguration` for web security and `UserDetailsServiceAutoConfiguration` configures authentication, which is also relevant in non-web applications.
-To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth 2 Client and Resource Server, add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
+To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, add a bean of type `SecurityFilterChain` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
 
 To also switch off the `UserDetailsService` configuration, you can add a bean of type `UserDetailsService`, `AuthenticationProvider`, or `AuthenticationManager`.
 
-Access rules can be overridden by adding a custom `WebSecurityConfigurerAdapter`.
+Access rules can be overridden by adding a custom `SecurityFilterChain` or `WebSecurityConfigurerAdapter` bean.
 Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources.
 `EndpointRequest` can be used to create a `RequestMatcher` that is based on the configprop:management.endpoints.web.base-path[] property.
 `PathRequest` can be used to create a `RequestMatcher` for resources in commonly used locations.
@@ -3800,23 +3800,21 @@ The following example shows how an OpenID Connect Provider can be configured wit
 
 By default, Spring Security's `OAuth2LoginAuthenticationFilter` only processes URLs matching `/login/oauth2/code/*`.
 If you want to customize the `redirect-uri` to use a different pattern, you need to provide configuration to process that custom pattern.
-For example, for servlet applications, you can add your own `WebSecurityConfigurerAdapter` that resembles the following:
+For example, for servlet applications, you can add your own `SecurityFilterChain` that resembles the following:
 
 [source,java,indent=0]
 ----
-public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
-
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
-		http
-			.authorizeRequests()
-				.anyRequest().authenticated()
-				.and()
-			.oauth2Login()
-				.redirectionEndpoint()
-					.baseUri("/custom-callback");
-	}
-}
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+            .authorizeRequests()
+                .anyRequest().authenticated()
+                .and()
+            .oauth2Login()
+                .redirectionEndpoint()
+                    .baseUri("/custom-callback");
+        return http.build();
+    }
 ----