Spring Security - How to Fix Deprecated Methods: authorizeRequests(), authorizeHttpRequests(), formLogin(), rememberMe(), logout()…

Details
Written by  
Last Updated on 21 July 2024   |   Print  Email


You will find in this post solutions to solve some issues relate to deprecated methods when migrating or upgrading your Spring applications to new version of Spring Boot and Spring Security, such as Spring Boot 3.x that comes with Spring Security 6.x.

You know, Spring Security 6 comes with some primary changes to the APIs which developers have been familiar with for years, notably the ways used to configure web security aspects. Given the following typical code in a Spring Security configuration class:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

    
    http.authorizeRequests().antMatchers("/signin", "/signup").permitAll()
		.antMatchers("/users/**", "/apps/**").hasAuthority("ADMIN")
		.antMatchers("/myapps/**").hasAuthority("CLIENT")
		.anyRequest().authenticated()
    .and()
    	.formLogin()
    		.loginPage("/signin")
    		.usernameParameter("email")
    		.defaultSuccessUrl("/", true)
        .permitAll()
    .and()
    	.rememberMe().key("AbcdEfghIjklmNopQrsTuvXyz_0123456789")
    .and()
    	.logout().logoutUrl("/signout").permitAll();


    return http.build();
}
This code snippet works well with Spring Boot 2.7.15 that comes with Spring Security 5.7.10, and older versions.

With Spring Boot 3.x that comes with Spring Security 6.x, you get the error:

The method authorizeRequests() from the type HttpSecurity is deprecated

To fix, you need to use authorizeHttpRequests() instead of authorizeRequests() and requestMatchers() instead of antMatchers(), as shown below:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests().requestMatchers("/signin", "/signup").permitAll()
		.requestMatchers("/users/**", "/apps/**").hasAuthority("ADMIN")
		.requestMatchers("/myapps/**").hasAuthority("CLIENT")
		.anyRequest().authenticated()
    .and().formLogin()
    .loginPage("/signin")
        .usernameParameter("email")
        .defaultSuccessUrl("/", true)
        .permitAll()
    .and()
    .rememberMe().key("AbcdEfghIjklmNopQrsTuvXyz_0123456789")
    .and()
    .logout().logoutUrl("/signout").permitAll();
    
	

    return http.build();
}
But since Spring Boot 3.1.0 that comes with Spring Security 6.1.0, the above code snippet causes several deprecation warnings:

The method authorizeHttpRequests() from the type HttpSecurity has been deprecated…

The method and() from the type AuthorizeHttpRequestConfigurer… has been deprecated…

The method formLogin() from the type HttpSecurity has been deprecated…

The method rememberMe() from the type HttpSecurity has been deprecated…

The method logout() from the type HttpSecurity has been deprecated…

These methods will be removed in Spring Security 7. To fix, you should use Java Lambda with Spring DSL (Domain Specific Language) as shown below:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

    http.authorizeHttpRequests(
    		auth -> auth.requestMatchers("/signin", "/signup").permitAll()
    		.requestMatchers("/users/**", "/apps/**").hasAuthority("ADMIN")
    		.requestMatchers("/myapps/**").hasAuthority("CLIENT")
    		.anyRequest().authenticated()
           )
            .formLogin(formLogin -> formLogin
            		.loginPage("/signin")
            		.usernameParameter("email")
            		.defaultSuccessUrl("/", true)
            		.permitAll()
            )
            .rememberMe(rememberMe -> rememberMe.key("AbcdEfghIjkl..."))
            .logout(logout -> logout.logoutUrl("/signout").permitAll());


    return http.build();
}
You see, with this Lambda DSL style, there is no need to chain configuration options using the .and() method, and it’s also possible to use withDefaults() method to enable a security feature using the defaults provided by Spring Security, as shown below:

.rememberMe(withDefaults())
And you need to use this static import statement:

import static org.springframework.security.config.Customizer.withDefaults;


I think this new style of configuration makes it more flexible and more readable. The code can be evolved easily in future.

In case you want to disable CSRF protection, this is the new statement to use:

http.csrf(csrf -> csrf.disable());
 

For configuring session management, you need to use the similar style (DSL syntax). For example, the following statement configures stateless for session creation policy:

http.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
 

And the following example shows how to update the code that configures exception handling with HttpSecurity object:

http.exceptionHandling(exh -> exh.authenticationEntryPoint(
	(request, response, ex) -> {
		response.sendError(HttpServletResponse.SC_UNAUTHORIZED, ex.getMessage());
	}
));
 

Hope you find this post helpful when upgrading your Spring applications to new version of Spring Boot and Spring Security. Watch the following video to see how I fixed deprecated methods in Spring Security in real life project:

 

Reference: Spring Security without the WebSecurityConfigurerAdapter

 

Spring Tutorials:


About the Author:

is certified Java programmer (SCJP and SCWCD). He began programming with Java back in the days of Java 1.4 and has been passionate about it ever since. You can connect with him on Facebook and watch his Java videos on YouTube.



Add comment

   


Comments 

#3Jean2024-09-29 10:33
Thanks bruh that was so helpful!
Quote
#2Mustafa2023-12-19 19:52
Thanks man, that was really useful!!

Cheers
Quote
#1SUJIT BHAGWAN KATE2023-09-30 15:29
Really useful, its fixed problem of latest spring boot.
Quote