Spring Security - How to Fix Deprecated Methods: authorizeRequests(), authorizeHttpRequests(), formLogin(), rememberMe(), logout()…
- Written by Nam Ha Minh
- Last Updated on 28 October 2023
```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/signin", "/signup").permitAll()
            .antMatchers("/users/**", "/apps/**").hasAuthority("ADMIN")
            .antMatchers("/myapps/**").hasAuthority("CLIENT")
            .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/signin")
                .usernameParameter("email")
                .defaultSuccessUrl("/", true)
                .permitAll()
            .and()
            .rememberMe().key("AbcdEfghIjklmNopQrsTuvXyz_0123456789")
            .and()
            .logout().logoutUrl("/signout").permitAll();

    return http.build();
}
```

This code snippet works well with Spring Boot 2.7.15 that comes with Spring Security 5.7.10, and older versions.

With Spring Boot 3.0.0 that comes with Spring Security 6.0.0, you get the error:
The method authorizeRequests() from the type HttpSecurity is deprecated
To fix, you need to use authorizeHttpRequests() instead of authorizeRequests() and requestMatchers() instead of antMatchers(), as shown below:

```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests().requestMatchers("/signin", "/signup").permitAll()
            .requestMatchers("/users/**", "/apps/**").hasAuthority("ADMIN")
            .requestMatchers("/myapps/**").hasAuthority("CLIENT")
            .anyRequest().authenticated()
            .and().formLogin()
                .loginPage("/signin")
                .usernameParameter("email")
                .defaultSuccessUrl("/", true)
                .permitAll()
            .and()
            .rememberMe().key("AbcdEfghIjklmNopQrsTuvXyz_0123456789")
            .and()
            .logout().logoutUrl("/signout").permitAll();

    return http.build();
}
```

But since Spring Boot 3.1.0 that comes with Spring Security 6.1.0, the above code snippet causes several deprecation warnings:
The method authorizeHttpRequests() from the type HttpSecurity has been deprecated…
The method and() from the type AuthorizeHttpRequestConfigurer… has been deprecated…
The method formLogin() from the type HttpSecurity has been deprecated…
The method rememberMe() from the type HttpSecurity has been deprecated…
The method logout() from the type HttpSecurity has been deprecated…
These methods will be removed in Spring Security 7. To fix, you should use Java Lambda with Spring DSL (Domain Specific Language) as shown below:

```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(
            auth -> auth.requestMatchers("/signin", "/signup").permitAll()
                .requestMatchers("/users/**", "/apps/**").hasAuthority("ADMIN")
                .requestMatchers("/myapps/**").hasAuthority("CLIENT")
                .anyRequest().authenticated()
        )
        .formLogin(formLogin -> formLogin
            .loginPage("/signin")
            .usernameParameter("email")
            .defaultSuccessUrl("/", true)
            .permitAll()
        )
        .rememberMe(rememberMe -> rememberMe.key("AbcdEfghIjkl..."))
        .logout(logout -> logout.logoutUrl("/signout").permitAll());

    return http.build();
}
```

You see, with this Lambda DSL style, there is no need to chain configuration options using the .and() method. It's also possible to use the withDefaults() method to enable a security feature using the defaults provided by Spring Security, as shown below:
```java
.rememberMe(withDefaults())
```

And you need to use this static import statement:

```java
import static org.springframework.security.config.Customizer.withDefaults;
```

I think this new style of configuration makes it more flexible and more readable. The code can be evolved easily in the future.
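A rewrite of the authorization rules is worth pinning down with a regression test, so that the migrated filter chain still enforces the same access decisions as before. The following is an added example, not code from the original article. It assumes the Lambda DSL configuration above is active, that spring-boot-starter-test and spring-security-test are on the test classpath, and that the application context can start in a test. The class name and the sample URLs (/reports, /users/1, /apps/1, /myapps/1) are hypothetical and chosen only to fall under the article's patterns.

```java
import static org.hamcrest.Matchers.endsWith;
import static org.hamcrest.Matchers.not;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class; sample URLs are constructed to match the article's patterns.
@SpringBootTest
@AutoConfigureMockMvc
class SecurityRulesMigrationTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void anonymousIsSentToCustomLoginPage() throws Exception {
        // anyRequest().authenticated() combined with loginPage("/signin")
        mockMvc.perform(get("/reports"))
               .andExpect(status().is3xxRedirection())
               .andExpect(header().string("Location", endsWith("/signin")));
    }

    @Test
    @WithMockUser(authorities = "CLIENT")
    void clientIsDeniedAdminPaths() throws Exception {
        mockMvc.perform(get("/users/1")).andExpect(status().isForbidden());
        mockMvc.perform(get("/apps/1")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(authorities = "CLIENT")
    void clientPassesClientPaths() throws Exception {
        // Security must not reject; the controller's own status (200, 404, ...) is out of scope.
        mockMvc.perform(get("/myapps/1")).andExpect(status().is(not(403)));
    }

    @Test
    @WithMockUser(authorities = "ADMIN")
    void adminIsDeniedClientPaths() throws Exception {
        mockMvc.perform(get("/myapps/1")).andExpect(status().isForbidden());
    }
}
```

Running the same test class before and after the migration shows whether any rule changed meaning along the way.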