spring-guides · avendesta · Oct 9, 2022 · Oct 9, 2022 · dagnelies · Dec 12, 2023
diff --git a/click/README.adoc b/click/README.adoc
@@ -79,36 +79,36 @@ WARNING: It's not a great idea to return a whole `OAuth2User` in an endpoint sin
 There's one final change you'll need to make.
 
 This app will now work fine and authenticate as before, but it's still going to redirect before showing the page.
-To make the link visible, we also need to switch off the security on the home page by extending `WebSecurityConfigurerAdapter`:
+To make the link visible, we also need to switch off the security on the home page by registering a SecurityFilterChain bean:
 
 .SocialApplication
 [source,java]
 ----
 @SpringBootApplication
 @RestController
-public class SocialApplication extends WebSecurityConfigurerAdapter {
+public class SocialApplication {
 
     // ...
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-    	// @formatter:off
-        http
-            .authorizeRequests(a -> a
-                .antMatchers("/", "/error", "/webjars/**").permitAll()
-                .anyRequest().authenticated()
-            )
-            .exceptionHandling(e -> e
-                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
-            )
-            .oauth2Login();
-        // @formatter:on
-    }
+	@Bean
+	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
+		http
+				.authorizeRequests(a -> a
+						.antMatchers("/", "/error", "/webjars/**").permitAll()
+						.anyRequest().authenticated()
+				)
+				.exceptionHandling(e -> e
+						.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
+				)
+				.oauth2Login();
+		return http.build();
+		// @formatter:on
+	}
 
 }
 ----
 
-Spring Boot attaches special meaning to a `WebSecurityConfigurerAdapter` on the class annotated with `@SpringBootApplication`:
 It uses it to configure the security filter chain that carries the OAuth 2.0 authentication processor.
 
 The above configuration indicates a whitelist of permitted endpoints, with every other endpoint requiring authentication.

diff --git a/click/src/main/java/com/example/SocialApplication.java b/click/src/main/java/com/example/SocialApplication.java
@@ -22,37 +22,38 @@
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 @SpringBootApplication
 @RestController
-public class SocialApplication extends WebSecurityConfigurerAdapter {
+public class SocialApplication {
 
 	@GetMapping("/user")
 	public Map<String, Object> user(@AuthenticationPrincipal OAuth2User principal) {
 		return Collections.singletonMap("name", principal.getAttribute("name"));
 	}
 
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeRequests(a -> a
-				.antMatchers("/", "/error", "/webjars/**").permitAll()
-				.anyRequest().authenticated()
-			)
-			.exceptionHandling(e -> e
-				.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
-			)
-			.oauth2Login();
+				.authorizeRequests(a -> a
+						.antMatchers("/", "/error", "/webjars/**").permitAll()
+						.anyRequest().authenticated()
+				)
+				.exceptionHandling(e -> e
+						.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
+				)
+				.oauth2Login();
+		return http.build();
 		// @formatter:on
 	}
-
 	public static void main(String[] args) {
 		SpringApplication.run(SocialApplication.class, args);
 	}

diff --git a/logout/README.adoc b/logout/README.adoc
@@ -40,13 +40,13 @@ Now we can switch over to the server side to implement that endpoint.
 == Adding a Logout Endpoint
 
 Spring Security has built in support for a `/logout` endpoint which will do the right thing for us (clear the session and invalidate the cookie).
-To configure the endpoint we simply extend the existing `configure()` method in our `WebSecurityConfigurerAdapter`:
+To configure the endpoint we simply extend the existing `filterChain()` bean:
 
 .SocialApplication.java
 [source,java]
 ----
-@Override
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	// @formatter:off
     http
         // ... existing code here
@@ -66,13 +66,13 @@ For instance, in Angular, the front end would like the server to send it a cooki
 We can implement the same behaviour with our simple jQuery client, and then the server-side changes will work with other front end implementations with no or very few changes.
 To teach Spring Security about this we need to add a filter that creates the cookie.
 
-In the `WebSecurityConfigurerAdapter` we do the following:
+In the `filterChain` bean we do the following:
 
 .SocialApplication.java
 [source,java]
 ----
-@Override
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	// @formatter:off
     http
         // ... existing code here

diff --git a/logout/src/main/java/com/example/SocialApplication.java b/logout/src/main/java/com/example/SocialApplication.java
@@ -22,25 +22,26 @@
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 @SpringBootApplication
 @RestController
-public class SocialApplication extends WebSecurityConfigurerAdapter {
+public class SocialApplication {
 
 	@RequestMapping("/user")
 	public Map<String, Object> user(@AuthenticationPrincipal OAuth2User principal) {
 		return Collections.singletonMap("name", principal.getAttribute("name"));
 	}
 
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
 			.authorizeRequests(a -> a
@@ -57,6 +58,7 @@ protected void configure(HttpSecurity http) throws Exception {
 				.logoutSuccessUrl("/").permitAll()
 			)
 			.oauth2Login();
+		return http.build();
 		// @formatter:on
 	}