Spring Security Changes

A cup of JAVA coffee with NeeSri
3 min readMay 23, 2024


Spring Boot 3.0 introduced several significant changes and improvements in Spring Security, reflecting updates in the Spring Security 6.x series. Here are the key changes and some examples to help you migrate:

1. Removal of Deprecated APIs

Spring Security 5.x deprecated many classes and methods that were removed in 6.x. You need to update your code to avoid using deprecated APIs.

2. Migration to Spring Security 6.x

Spring Boot 3.0 relies on Spring Security 6.x, which requires updating your security configurations and possibly some code changes. Here’s an example of how to update your security configuration:

Before (Spring Boot 2.4.3, Spring Security 5.x):


import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}

After (Spring Boot 3.0+, Spring Security 6.x):

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorizeRequests ->
                authorizeRequests
                    .requestMatchers("/public/**").permitAll()
                    .anyRequest().authenticated()
            )
            .formLogin(formLogin ->
                formLogin
                    .loginPage("/login")
                    .permitAll()
            )
            .logout(logout ->
                logout
                    .permitAll()
            );
        return http.build();
    }
}

3. SecurityMatcher Changes

The method antMatchers() has been replaced with requestMatchers(), which offers more flexibility and aligns better with the capabilities of RequestMatcher. Likewise, the antMatcher()/requestMatchers() calls that used to scope a whole HttpSecurity instance to a URL prefix are now securityMatcher().

4. OAuth2 Login and Resource Server Configuration

For OAuth2 login and resource server configuration, you need to update the configuration as well:

Before:

// clientRegistrationRepository() and authorizedClientService() are @Bean
// methods defined elsewhere in the same WebSecurityConfigurerAdapter subclass.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .oauth2Login()
            .clientRegistrationRepository(clientRegistrationRepository())
            .authorizedClientService(authorizedClientService());
}

After:

// Same two beans as before; only the DSL style changes.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .oauth2Login(oauth2Login ->
            oauth2Login
                .clientRegistrationRepository(clientRegistrationRepository())
                .authorizedClientService(authorizedClientService())
        );
    return http.build();
}
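The following configuration is an added example, not code from the article or from the Spring Security project. It puts sections 3 and 4 together: securityMatcher() scopes one SecurityFilterChain to /api/** (the 6.x replacement for antMatcher() on HttpSecurity), requestMatchers() carries HTTP-method-specific rules and an explicit AntPathRequestMatcher for a path that is not served by Spring MVC, the API chain is a stateless JWT resource server, and the browser chain uses OAuth2 login. The JWK Set URI and the /api, /h2-console and SCOPE_orders:write names are assumptions chosen for the example. The dispatcherTypeMatchers() line reflects a 6.x behaviour change: authorization now also runs on FORWARD and ERROR dispatches, so error pages must be permitted explicitly or they will themselves be denied.

```java
import jakarta.servlet.DispatcherType;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Configuration
public class SecurityConfig {

    // Chain 1: a stateless JSON API protected by bearer JWTs.
    // securityMatcher() limits this whole chain to /api/**; in 5.x this was
    // http.antMatcher("/api/**") inside a WebSecurityConfigurerAdapter.
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(authorize -> authorize
                // Method-specific rules: anonymous reads of public data, writes need a scope.
                .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                .requestMatchers(HttpMethod.POST, "/api/orders/**").hasAuthority("SCOPE_orders:write")
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                // Deny-by-default for everything else under /api/**.
                .anyRequest().authenticated()
            )
            // Bearer tokens are not attached by the browser automatically, so there is
            // no session to protect and CSRF protection can be switched off for this chain only.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .oauth2ResourceServer(oauth2 -> oauth2
                // Hypothetical issuer; normally taken from spring.security.oauth2.resourceserver.jwt.jwk-set-uri.
                .jwt(jwt -> jwt.jwkSetUri("https://issuer.example/.well-known/jwks.json"))
            );
        return http.build();
    }

    // Chain 2: everything not matched by chain 1, for browser users via OAuth2 login.
    @Bean
    @Order(2)
    public SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // Spring Security 6 authorizes FORWARD and ERROR dispatches as well;
                // without this line an error page for an anonymous user is itself denied.
                .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
                .requestMatchers("/", "/public/**", "/css/**").permitAll()
                // Explicit matcher type for a path served by a servlet other than the
                // DispatcherServlet; plain requestMatchers(String) refuses to guess when
                // more than one servlet is registered.
                .requestMatchers(antMatcher("/h2-console/**")).hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```

Chain order matters: the @Order(1) chain is consulted first and, because of securityMatcher(), only claims /api/** requests; the @Order(2) chain has no securityMatcher() and therefore handles everything else. Keep the most specific requestMatchers() rules above anyRequest(), since the first matching rule wins.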

5. Removing WebSecurityConfigurerAdapter

WebSecurityConfigurerAdapter has been deprecated and removed. Instead, you should use SecurityFilterChain to configure security filters.

6. Password Encoder Changes

You need to explicitly declare a PasswordEncoder bean:

Before:

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.context.annotation.Bean;

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

After:

This remains the same, but ensure it is present:

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
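As an added example (not from the article), the small stand-alone program below shows what the bean above actually does and how to handle the hashes already sitting in your database during a migration. It uses PasswordEncoderFactories.createDelegatingPasswordEncoder(), which encodes new passwords with bcrypt but can still verify hashes whose {id} prefix names another algorithm, and upgradeEncoding(), which tells you whether a stored hash should be re-hashed on the user's next successful login. The "{noop}secret" hash and the plaintext passwords are constructed sample values. Only spring-security-crypto is needed on the classpath.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordEncoderDemo {

    // What the @Bean in the article returns: bcrypt with the default cost factor (10).
    static PasswordEncoder plainBcrypt() {
        return new BCryptPasswordEncoder();
    }

    // Delegating encoder: new hashes are "{bcrypt}$2a$10$...", and matches() dispatches
    // on the "{id}" prefix, so older "{pbkdf2}", "{noop}", ... hashes still verify.
    static DelegatingPasswordEncoder delegating() {
        DelegatingPasswordEncoder encoder =
            (DelegatingPasswordEncoder) PasswordEncoderFactories.createDelegatingPasswordEncoder();
        // Hashes stored without any "{id}" prefix (a legacy column) would otherwise be
        // rejected outright; treat them as plain bcrypt while the migration runs.
        encoder.setDefaultPasswordEncoderForMatches(new BCryptPasswordEncoder());
        return encoder;
    }

    // Returns true when a stored hash should be re-hashed with the current scheme,
    // i.e. after the user has just proven the password during login.
    static boolean needsRehash(PasswordEncoder encoder, String storedHash) {
        return encoder.upgradeEncoding(storedHash);
    }

    public static void main(String[] args) {
        DelegatingPasswordEncoder encoder = delegating();

        // Constructed sample: a freshly encoded password. Salt differs on every call,
        // so the same input never yields the same hash twice.
        String current = encoder.encode("correct horse battery staple");
        System.out.println("stored:  " + current);
        System.out.println("match:   " + encoder.matches("correct horse battery staple", current));
        System.out.println("wrong:   " + encoder.matches("wrong password", current));
        System.out.println("rehash?  " + needsRehash(encoder, current));   // false: already bcrypt

        // Constructed sample: a legacy hash recorded in plaintext with the {noop} id.
        String legacy = "{noop}secret";
        System.out.println("legacy match:  " + encoder.matches("secret", legacy));
        System.out.println("legacy rehash? " + needsRehash(encoder, legacy)); // true: upgrade it

        // Constructed sample: a legacy bcrypt hash stored without the "{bcrypt}" prefix.
        String unprefixed = plainBcrypt().encode("secret");
        System.out.println("unprefixed match: " + encoder.matches("secret", unprefixed));
    }
}
```

In a real application the re-hash step is driven by UserDetailsPasswordService: when the DaoAuthenticationProvider sees upgradeEncoding() return true after a successful login, it calls updatePassword() with a freshly encoded value, so legacy hashes disappear as users log in.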

7. Lambda DSL for Authorization Configuration

Spring Security 6.x encourages the use of the lambda DSL for configuring security, which leads to more readable and concise configuration; the and()-chained style is deprecated as of Spring Security 6.1, so migrating to lambdas now avoids a second pass later.

Example Migration Summary

Here’s a summary of what you need to do:

  1. Remove WebSecurityConfigurerAdapter: Use SecurityFilterChain instead.
  2. Replace antMatchers with requestMatchers.
  3. Use the Lambda DSL: Adopt the lambda style for configuration.
  4. Update OAuth2 Configuration: Migrate the OAuth2 login and resource server configurations.

Complete Example

Here is a complete example of a migrated security configuration:

Before (Spring Boot 2.4.3, Spring Security 5.x):

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

After (Spring Boot 3.0+, Spring Security 6.x):

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorizeRequests ->
                authorizeRequests
                    .requestMatchers("/public/**").permitAll()
                    .anyRequest().authenticated()
            )
            .formLogin(formLogin ->
                formLogin
                    .loginPage("/login")
                    .permitAll()
            )
            .logout(logout ->
                logout
                    .permitAll()
            );
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Single in-memory user for demonstration; the password is bcrypt-hashed
    // at startup by the PasswordEncoder bean injected above.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
        UserDetails user = User.withUsername("user")
            .password(passwordEncoder.encode("password"))
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}

By following these steps and examples, you should be able to successfully migrate your Spring Security configuration from Spring Boot 2.4.3 to Spring Boot 3.2.5. Ensure you thoroughly test your application to confirm that the security configurations work as expected after migration.
