From 00dc942e94f6756d3dd3f93cbba7384bb19f4a35 Mon Sep 17 00:00:00 2001 From: Phillip Webb Date: Fri, 14 Apr 2023 17:39:26 -0700 Subject: [PATCH] Migrate to Spring Security lambda config Closes gh-35011 --- ...anagementWebSecurityAutoConfiguration.java | 9 +++++---- ...anagementWebSecurityAutoConfiguration.java | 11 ++++++----- ...mentWebSecurityAutoConfigurationTests.java | 6 +++--- ...stractEndpointRequestIntegrationTests.java | 4 +++- ...mentWebSecurityAutoConfigurationTests.java | 10 +++++----- .../ReactiveOAuth2ClientConfigurations.java | 10 ++++++---- .../OAuth2WebSecurityConfiguration.java | 9 +++++---- ...esourceServerOpaqueTokenConfiguration.java | 7 ++++--- .../OAuth2ResourceServerJwtConfiguration.java | 5 +++-- ...esourceServerOpaqueTokenConfiguration.java | 7 ++++--- ...izationServerWebSecurityConfiguration.java | 15 +++++++-------- .../saml2/Saml2LoginConfiguration.java | 9 ++++++--- .../SpringBootWebSecurityConfiguration.java | 10 ++++++---- ...2ResourceServerAutoConfigurationTests.java | 3 ++- ...2ResourceServerAutoConfigurationTests.java | 2 +- ...onServerWebSecurityConfigurationTests.java | 4 ++-- .../RemoteDevtoolsSecurityConfiguration.java | 4 ++-- .../DevProfileSecurityConfiguration.java | 4 ++-- .../client/MyOAuthClientConfiguration.java | 4 ++-- .../MySamlRelyingPartyConfiguration.java | 6 ++++-- .../typical/MySecurityConfiguration.kt | 3 ++- .../DevProfileSecurityConfiguration.kt | 4 ++-- .../security/enablehttps/MySecurityConfig.kt | 2 +- .../client/MyOAuthClientConfiguration.kt | 4 ++-- .../MyWebFluxSecurityConfiguration.kt | 4 +++- .../customsecurity/SecurityConfiguration.java | 7 ++++--- ...hutdownSampleActuatorApplicationTests.java | 2 +- .../secure/jersey/SecurityConfiguration.java | 5 +++-- ...anagementPortSampleSecureWebFluxTests.java | 3 ++- ...ampleSecureWebFluxCustomSecurityTests.java | 5 +++-- .../hazelcast/SecurityConfiguration.java | 11 ++++++----- .../session/SecurityConfiguration.java | 11 ++++++----- .../mongodb/SecurityConfiguration.java | 11 ++++++----- .../session/redis/SecurityConfiguration.java | 11 ++++++----- .../SampleSessionWebFluxMongoApplication.java | 19 +++++++------------ .../SampleSessionWebFluxRedisApplication.java | 19 +++++++------------ .../SampleMethodSecurityApplication.java | 10 ++++++---- .../SampleWebSecureCustomApplication.java | 4 ++-- .../jdbc/SampleWebSecureJdbcApplication.java | 4 ++-- .../CustomServletPathErrorPageTests.java | 6 ++++-- ...vletPathUnauthenticatedErrorPageTests.java | 6 ++++-- .../smoketest/web/secure/ErrorPageTests.java | 6 ++++-- .../web/secure/NoSessionErrorPageTests.java | 4 +++- .../SampleWebSecureApplicationTests.java | 7 ++++--- .../secure/UnauthenticatedErrorPageTests.java | 6 ++++-- 45 files changed, 172 insertions(+), 141 deletions(-) diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java index 82456190e9..7ceff51287 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,7 +29,6 @@ import org.springframework.boot.autoconfigure.security.oauth2.client.reactive.Re import org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerAutoConfiguration; import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration; import org.springframework.context.annotation.Bean; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity; import org.springframework.security.config.web.server.SecurityWebFiltersOrder; import org.springframework.security.config.web.server.ServerHttpSecurity; @@ -38,6 +37,8 @@ import org.springframework.security.web.server.WebFilterChainProxy; import org.springframework.web.cors.reactive.PreFlightRequestHandler; import org.springframework.web.cors.reactive.PreFlightRequestWebFilter; +import static org.springframework.security.config.Customizer.withDefaults; + /** * {@link EnableAutoConfiguration Auto-configuration} for Reactive Spring Security when * actuator is on the classpath. Specifically, it permits access to the health endpoint @@ -63,8 +64,8 @@ public class ReactiveManagementWebSecurityAutoConfiguration { }); PreFlightRequestWebFilter filter = new PreFlightRequestWebFilter(handler); http.addFilterAt(filter, SecurityWebFiltersOrder.CORS); - http.httpBasic(Customizer.withDefaults()); - http.formLogin(Customizer.withDefaults()); + http.httpBasic(withDefaults()); + http.formLogin(withDefaults()); return http.build(); } diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java index 599afa3638..d6bc5b11a0 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -31,11 +31,12 @@ import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAu import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration; import org.springframework.context.annotation.Bean; import org.springframework.core.annotation.Order; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; import org.springframework.util.ClassUtils; +import static org.springframework.security.config.Customizer.withDefaults; + /** * {@link EnableAutoConfiguration Auto-configuration} for Spring Security when actuator is * on the classpath. It allows unauthenticated access to the {@link HealthEndpoint}. If @@ -63,10 +64,10 @@ public class ManagementWebSecurityAutoConfiguration { requests.anyRequest().authenticated(); }); if (ClassUtils.isPresent("org.springframework.web.servlet.DispatcherServlet", null)) { - http.cors(); + http.cors(withDefaults()); } - http.formLogin(Customizer.withDefaults()); - http.httpBasic(Customizer.withDefaults()); + http.formLogin(withDefaults()); + http.httpBasic(withDefaults()); return http.build(); } diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java index 48fa6e6263..fbfe9f23ef 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java @@ -47,7 +47,6 @@ import org.springframework.http.server.reactive.ServerHttpResponse; import org.springframework.mock.http.server.reactive.MockServerHttpRequest; import org.springframework.mock.http.server.reactive.MockServerHttpResponse; import org.springframework.security.authentication.ReactiveAuthenticationManager; -import org.springframework.security.config.Customizer; import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.WebFilterChainProxy; @@ -57,6 +56,7 @@ import org.springframework.web.server.adapter.HttpWebHandlerAdapter; import static org.assertj.core.api.Assertions.assertThat; import static org.mockito.Mockito.mock; +import static org.springframework.security.config.Customizer.withDefaults; /** * Tests for {@link ReactiveManagementWebSecurityAutoConfiguration}. @@ -164,7 +164,7 @@ class ReactiveManagementWebSecurityAutoConfigurationTests { exchanges.pathMatchers("/foo").permitAll(); exchanges.anyExchange().authenticated(); }); - http.formLogin(Customizer.withDefaults()); + http.formLogin(withDefaults()); return http.build(); } @@ -192,7 +192,7 @@ class ReactiveManagementWebSecurityAutoConfigurationTests { private List getFilterChains(ServerHttpSecurity http) { http.authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated()); - http.formLogin(Customizer.withDefaults()); + http.formLogin(withDefaults()); return Collections.singletonList(http.build()); } diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java index 0f12497dd5..35236a3c56 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java @@ -48,6 +48,8 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.reactive.server.WebTestClient; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Abstract base class for {@link EndpointRequest} tests. * @@ -195,7 +197,7 @@ abstract class AbstractEndpointRequestIntegrationTests { requests.requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated(); requests.anyRequest().hasRole("ADMIN"); }); - http.httpBasic(); + http.httpBasic(withDefaults()); return http.build(); } diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java index 94f85b9cfb..869ee26aa4 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java @@ -44,7 +44,6 @@ import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockServletContext; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.FilterChainProxy; import org.springframework.security.web.SecurityFilterChain; @@ -52,6 +51,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.web.context.WebApplicationContext; import static org.assertj.core.api.Assertions.assertThat; +import static org.springframework.security.config.Customizer.withDefaults; /** * Tests for {@link ManagementWebSecurityAutoConfiguration}. @@ -181,8 +181,8 @@ class ManagementWebSecurityAutoConfigurationTests { requests.requestMatchers(new AntPathRequestMatcher("/foo")).permitAll(); requests.anyRequest().authenticated(); }); - http.formLogin(Customizer.withDefaults()); - http.httpBasic(); + http.formLogin(withDefaults()); + http.httpBasic(withDefaults()); return http.build(); } @@ -207,8 +207,8 @@ class ManagementWebSecurityAutoConfigurationTests { @Order(SecurityProperties.BASIC_AUTH_ORDER - 1) SecurityFilterChain testRemoteDevToolsSecurityFilterChain(HttpSecurity http) throws Exception { http.securityMatcher(new AntPathRequestMatcher("/**")); - http.authorizeHttpRequests().anyRequest().anonymous(); - http.csrf().disable(); + http.authorizeHttpRequests((requests) -> requests.anyRequest().anonymous()); + http.csrf((csrf) -> csrf.disable()); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientConfigurations.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientConfigurations.java index 4f4621f1fe..53cd4dde19 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientConfigurations.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientConfigurations.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2020 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -38,6 +38,8 @@ import org.springframework.security.oauth2.client.web.server.AuthenticatedPrinci import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository; import org.springframework.security.web.server.SecurityWebFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Reactive OAuth2 Client configurations. * @@ -84,9 +86,9 @@ class ReactiveOAuth2ClientConfigurations { @Bean @ConditionalOnMissingBean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { - http.authorizeExchange().anyExchange().authenticated(); - http.oauth2Login(); - http.oauth2Client(); + http.authorizeExchange((exchange) -> exchange.anyExchange().authenticated()); + http.oauth2Login(withDefaults()); + http.oauth2Client(withDefaults()); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java index 97467895e5..3163f7309e 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,7 +21,6 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean import org.springframework.boot.autoconfigure.security.ConditionalOnDefaultWebSecurity; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService; import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService; @@ -30,6 +29,8 @@ import org.springframework.security.oauth2.client.web.AuthenticatedPrincipalOAut import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * {@link SecurityFilterChain} to add OAuth client support. * @@ -59,8 +60,8 @@ class OAuth2WebSecurityConfiguration { @Bean SecurityFilterChain oauth2SecurityFilterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()); - http.oauth2Login(Customizer.withDefaults()); - http.oauth2Client(); + http.oauth2Login(withDefaults()); + http.oauth2Client(withDefaults()); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.java index 112ec4411e..f4d9614253 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -23,11 +23,12 @@ import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2Res import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.web.server.ServerHttpSecurity; -import org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec; import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector; import org.springframework.security.oauth2.server.resource.introspection.SpringReactiveOpaqueTokenIntrospector; import org.springframework.security.web.server.SecurityWebFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Configures a {@link ReactiveOpaqueTokenIntrospector} when a token introspection * endpoint is available. Also configures a {@link SecurityWebFilterChain} if a @@ -59,7 +60,7 @@ class ReactiveOAuth2ResourceServerOpaqueTokenConfiguration { @ConditionalOnBean(ReactiveOpaqueTokenIntrospector.class) SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated()); - http.oauth2ResourceServer(OAuth2ResourceServerSpec::opaqueToken); + http.oauth2ResourceServer((resourceServer) -> resourceServer.opaqueToken(withDefaults())); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java index b03ac8212a..7b912d1295 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java @@ -37,7 +37,6 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Conditional; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer; import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator; import org.springframework.security.oauth2.core.OAuth2TokenValidator; import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm; @@ -52,6 +51,8 @@ import org.springframework.security.oauth2.jwt.SupplierJwtDecoder; import org.springframework.security.web.SecurityFilterChain; import org.springframework.util.CollectionUtils; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Configures a {@link JwtDecoder} when a JWK Set URI, OpenID Connect Issuer URI or Public * Key configuration is available. Also configures a {@link SecurityFilterChain} if a @@ -156,7 +157,7 @@ class OAuth2ResourceServerJwtConfiguration { @ConditionalOnBean(JwtDecoder.class) SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()); - http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); + http.oauth2ResourceServer((resourceServer) -> resourceServer.jwt(withDefaults())); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java index 219570aaf9..a995db7d89 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -24,11 +24,12 @@ import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2Res import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer; import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Configures an {@link OpaqueTokenIntrospector} when a token introspection endpoint is * available. Also configures a {@link SecurityFilterChain} if a @@ -61,7 +62,7 @@ class OAuth2ResourceServerOpaqueTokenConfiguration { @ConditionalOnBean(OpaqueTokenIntrospector.class) SecurityFilterChain opaqueTokenSecurityFilterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()); - http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken); + http.oauth2ResourceServer((resourceServer) -> resourceServer.opaqueToken(withDefaults())); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerWebSecurityConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerWebSecurityConfiguration.java index 626696193a..c3e60f807e 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerWebSecurityConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerWebSecurityConfiguration.java @@ -23,9 +23,7 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.Ordered; import org.springframework.core.annotation.Order; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer; import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration; import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer; @@ -33,6 +31,8 @@ import org.springframework.security.oauth2.server.authorization.settings.Authori import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; +import static org.springframework.security.config.Customizer.withDefaults; + /** * {@link Configuration @Configuration} for OAuth2 authorization server support. * @@ -47,18 +47,17 @@ class OAuth2AuthorizationServerWebSecurityConfiguration { @Order(Ordered.HIGHEST_PRECEDENCE) SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); - http.getConfigurer(OAuth2AuthorizationServerConfigurer.class).oidc(Customizer.withDefaults()); - http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) - .exceptionHandling((exceptions) -> exceptions - .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))); + http.getConfigurer(OAuth2AuthorizationServerConfigurer.class).oidc(withDefaults()); + http.oauth2ResourceServer((resourceServer) -> resourceServer.jwt(withDefaults())); + http.exceptionHandling( + (exceptions) -> exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))); return http.build(); } @Bean @Order(SecurityProperties.BASIC_AUTH_ORDER) SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception { - http.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated()) - .formLogin(Customizer.withDefaults()); + http.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated()).formLogin(withDefaults()); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2LoginConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2LoginConfiguration.java index bd39d30f6f..b1108a95be 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2LoginConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2LoginConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -24,6 +24,8 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * {@link SecurityFilterChain} configuration for Spring Security's relying party SAML * support. @@ -37,8 +39,9 @@ class Saml2LoginConfiguration { @Bean SecurityFilterChain samlSecurityFilterChain(HttpSecurity http) throws Exception { - http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()).saml2Login(); - http.saml2Logout(); + http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()); + http.saml2Login(withDefaults()); + http.saml2Logout(withDefaults()); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java index 840832125a..e61c65bd2d 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,6 +30,8 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * {@link Configuration @Configuration} class securing servlet applications. * @@ -53,9 +55,9 @@ class SpringBootWebSecurityConfiguration { @Bean @Order(SecurityProperties.BASIC_AUTH_ORDER) SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception { - http.authorizeHttpRequests().anyRequest().authenticated(); - http.formLogin(); - http.httpBasic(); + http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()); + http.formLogin(withDefaults()); + http.httpBasic(withDefaults()); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java index 40126605bd..8a2ef4532b 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java @@ -73,6 +73,7 @@ import org.springframework.web.server.WebFilter; import static org.assertj.core.api.Assertions.assertThat; import static org.mockito.Mockito.mock; +import static org.springframework.security.config.Customizer.withDefaults; /** * Tests for {@link ReactiveOAuth2ResourceServerAutoConfiguration}. @@ -698,7 +699,7 @@ class ReactiveOAuth2ResourceServerAutoConfigurationTests { exchanges.pathMatchers("/message/**").hasRole("ADMIN"); exchanges.anyExchange().authenticated(); }); - http.httpBasic(); + http.httpBasic(withDefaults()); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java index dd60cd53f2..9d75182fd9 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java @@ -711,7 +711,7 @@ class OAuth2ResourceServerAutoConfigurationTests { @Bean SecurityFilterChain testSecurityFilterChain(HttpSecurity http) throws Exception { http.securityMatcher("/**"); - http.authorizeHttpRequests().anyRequest().authenticated(); + http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerWebSecurityConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerWebSecurityConfigurationTests.java index dbf32229a9..90651911bf 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerWebSecurityConfigurationTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerWebSecurityConfigurationTests.java @@ -28,7 +28,6 @@ import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Import; import org.springframework.core.annotation.Order; import org.springframework.security.config.BeanIds; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.oauth2.core.AuthorizationGrantType; @@ -53,6 +52,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; import static org.assertj.core.api.Assertions.assertThat; +import static org.springframework.security.config.Customizer.withDefaults; /** * Tests for {@link OAuth2AuthorizationServerWebSecurityConfiguration}. @@ -170,7 +170,7 @@ class OAuth2AuthorizationServerWebSecurityConfigurationTests { @Bean @Order(2) SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - return http.httpBasic(Customizer.withDefaults()).build(); + return http.httpBasic(withDefaults()).build(); } } diff --git a/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java b/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java index 33b4b3f3d3..eba98a6b02 100644 --- a/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java +++ b/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java @@ -48,8 +48,8 @@ class RemoteDevtoolsSecurityConfiguration { @Order(SecurityProperties.BASIC_AUTH_ORDER - 1) SecurityFilterChain devtoolsSecurityFilterChain(HttpSecurity http) throws Exception { http.securityMatcher(new AntPathRequestMatcher(this.url)); - http.authorizeHttpRequests().anyRequest().anonymous(); - http.csrf().disable(); + http.authorizeHttpRequests((requests) -> requests.anyRequest().anonymous()); + http.csrf((csrf) -> csrf.disable()); return http.build(); } diff --git a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java index 6f7926175d..22cef68bd4 100644 --- a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java +++ b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -36,7 +36,7 @@ public class DevProfileSecurityConfiguration { http.securityMatcher(PathRequest.toH2Console()); http.authorizeHttpRequests(yourCustomAuthorization()); http.csrf((csrf) -> csrf.disable()); - http.headers((headers) -> headers.frameOptions().sameOrigin()); + http.headers((headers) -> headers.frameOptions((frame) -> frame.sameOrigin())); return http.build(); } diff --git a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/oauth2/client/MyOAuthClientConfiguration.java b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/oauth2/client/MyOAuthClientConfiguration.java index ec814232ed..591d4d74e5 100644 --- a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/oauth2/client/MyOAuthClientConfiguration.java +++ b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/oauth2/client/MyOAuthClientConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -27,7 +27,7 @@ public class MyOAuthClientConfiguration { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()); - http.oauth2Login((login) -> login.redirectionEndpoint().baseUri("custom-callback")); + http.oauth2Login((login) -> login.redirectionEndpoint((endpoint) -> endpoint.baseUri("custom-callback"))); return http.build(); } diff --git a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/saml2/relyingparty/MySamlRelyingPartyConfiguration.java b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/saml2/relyingparty/MySamlRelyingPartyConfiguration.java index 797773dc2a..37f4deb52c 100644 --- a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/saml2/relyingparty/MySamlRelyingPartyConfiguration.java +++ b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/saml2/relyingparty/MySamlRelyingPartyConfiguration.java @@ -21,13 +21,15 @@ import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + @Configuration(proxyBeanMethods = false) public class MySamlRelyingPartyConfiguration { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - http.authorizeHttpRequests().anyRequest().authenticated(); - http.saml2Login(); + http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()); + http.saml2Login(withDefaults()); http.saml2Logout((saml2) -> saml2.logoutRequest((request) -> request.logoutUrl("/SLOService.saml2")) .logoutResponse((response) -> response.logoutUrl("/SLOService.saml2"))); return http.build(); diff --git a/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/actuator/endpoints/security/typical/MySecurityConfiguration.kt b/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/actuator/endpoints/security/typical/MySecurityConfiguration.kt index 4719b42843..ef01473d10 100644 --- a/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/actuator/endpoints/security/typical/MySecurityConfiguration.kt +++ b/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/actuator/endpoints/security/typical/MySecurityConfiguration.kt @@ -19,6 +19,7 @@ package org.springframework.boot.docs.actuator.endpoints.security.typical import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration +import org.springframework.security.config.Customizer.withDefaults import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.web.SecurityFilterChain @@ -30,7 +31,7 @@ class MySecurityConfiguration { http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests { requests -> requests.anyRequest().hasRole("ENDPOINT_ADMIN") } - http.httpBasic() + http.httpBasic(withDefaults()) return http.build() } diff --git a/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.kt b/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.kt index 112839e9cf..c30e406b7a 100644 --- a/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.kt +++ b/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.kt @@ -33,8 +33,8 @@ class DevProfileSecurityConfiguration { @Order(Ordered.HIGHEST_PRECEDENCE) fun h2ConsoleSecurityFilterChain(http: HttpSecurity): SecurityFilterChain { return http.authorizeHttpRequests(yourCustomAuthorization()) - .csrf().disable() - .headers().frameOptions().sameOrigin().and() + .csrf { csrf -> csrf.disable() } + .headers { headers -> headers.frameOptions { frameOptions -> frameOptions.sameOrigin() } } .build() } diff --git a/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/howto/security/enablehttps/MySecurityConfig.kt b/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/howto/security/enablehttps/MySecurityConfig.kt index 0354fe386d..f326ca88fa 100644 --- a/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/howto/security/enablehttps/MySecurityConfig.kt +++ b/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/howto/security/enablehttps/MySecurityConfig.kt @@ -27,7 +27,7 @@ class MySecurityConfig { @Bean fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { // Customize the application security ... - http.requiresChannel().anyRequest().requiresSecure() + http.requiresChannel { requests -> requests.anyRequest().requiresSecure() } return http.build() } diff --git a/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/web/security/oauth2/client/MyOAuthClientConfiguration.kt b/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/web/security/oauth2/client/MyOAuthClientConfiguration.kt index dfe75f4f10..1d461e281b 100644 --- a/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/web/security/oauth2/client/MyOAuthClientConfiguration.kt +++ b/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/web/security/oauth2/client/MyOAuthClientConfiguration.kt @@ -26,8 +26,8 @@ class MyOAuthClientConfiguration { @Bean fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { - http.authorizeHttpRequests().anyRequest().authenticated() - http.oauth2Login().redirectionEndpoint().baseUri("custom-callback") + http.authorizeHttpRequests { requests -> requests.anyRequest().authenticated() } + http.oauth2Login { login -> login.redirectionEndpoint { redirectionEndpoint -> redirectionEndpoint.baseUri("custom-callback") } } return http.build() } diff --git a/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/web/security/springwebflux/MyWebFluxSecurityConfiguration.kt b/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/web/security/springwebflux/MyWebFluxSecurityConfiguration.kt index 460b64fe7b..a2d5f78900 100644 --- a/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/web/security/springwebflux/MyWebFluxSecurityConfiguration.kt +++ b/spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/web/security/springwebflux/MyWebFluxSecurityConfiguration.kt @@ -19,6 +19,8 @@ package org.springframework.boot.docs.web.security.springwebflux import org.springframework.boot.autoconfigure.security.reactive.PathRequest import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration +import org.springframework.security.config.Customizer +import org.springframework.security.config.Customizer.withDefaults import org.springframework.security.config.web.server.ServerHttpSecurity import org.springframework.security.web.server.SecurityWebFilterChain @@ -31,7 +33,7 @@ class MyWebFluxSecurityConfiguration { spec.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll() spec.pathMatchers("/foo", "/bar").authenticated() } - http.formLogin() + http.formLogin(withDefaults()) return http.build() } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java index 9db6c70bea..fe2716be7d 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java @@ -24,7 +24,6 @@ import org.springframework.boot.actuate.web.mappings.MappingsEndpoint; import org.springframework.boot.autoconfigure.security.servlet.PathRequest; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.User.UserBuilder; @@ -32,6 +31,8 @@ import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + @Configuration(proxyBeanMethods = false) public class SecurityConfiguration { @@ -65,8 +66,8 @@ public class SecurityConfiguration { requests.requestMatchers("/error").permitAll(); requests.requestMatchers("/**").hasRole("USER"); }); - http.cors(Customizer.withDefaults()); - http.httpBasic(); + http.cors(withDefaults()); + http.httpBasic(withDefaults()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/ShutdownSampleActuatorApplicationTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/ShutdownSampleActuatorApplicationTests.java index 0cf7efef98..2a6b74716b 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/ShutdownSampleActuatorApplicationTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/ShutdownSampleActuatorApplicationTests.java @@ -74,7 +74,7 @@ class ShutdownSampleActuatorApplicationTests { @Bean SecurityFilterChain configure(HttpSecurity http) throws Exception { - http.csrf().disable(); + http.csrf((csrf) -> csrf.disable()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-jersey/src/main/java/smoketest/secure/jersey/SecurityConfiguration.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-jersey/src/main/java/smoketest/secure/jersey/SecurityConfiguration.java index 365e617c14..c486bb9a4e 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-jersey/src/main/java/smoketest/secure/jersey/SecurityConfiguration.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-jersey/src/main/java/smoketest/secure/jersey/SecurityConfiguration.java @@ -20,6 +20,7 @@ import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointR import org.springframework.boot.actuate.web.mappings.MappingsEndpoint; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.core.userdetails.User; import org.springframework.security.provisioning.InMemoryUserDetailsManager; @@ -28,8 +29,8 @@ import org.springframework.security.web.SecurityFilterChain; @Configuration public class SecurityConfiguration { - @SuppressWarnings("deprecation") @Bean + @SuppressWarnings("deprecation") public InMemoryUserDetailsManager inMemoryUserDetailsManager() { return new InMemoryUserDetailsManager( User.withDefaultPasswordEncoder() @@ -52,7 +53,7 @@ public class SecurityConfiguration { .hasRole("ACTUATOR"); requests.requestMatchers("/**").hasRole("USER"); }); - http.httpBasic(); + http.httpBasic(Customizer.withDefaults()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/ManagementPortSampleSecureWebFluxTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/ManagementPortSampleSecureWebFluxTests.java index 0274529374..25f689327d 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/ManagementPortSampleSecureWebFluxTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/ManagementPortSampleSecureWebFluxTests.java @@ -35,6 +35,7 @@ import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.test.web.reactive.server.WebTestClient; import static org.assertj.core.api.Assertions.assertThat; +import static org.springframework.security.config.Customizer.withDefaults; /** * Integration tests for separate management and main service ports. @@ -119,7 +120,7 @@ class ManagementPortSampleSecureWebFluxTests { exchanges.pathMatchers("/login").permitAll(); exchanges.anyExchange().authenticated(); }); - http.httpBasic(); + http.httpBasic(withDefaults()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java index cd3d820e33..3c91bf93e8 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java @@ -29,13 +29,14 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; -import org.springframework.security.config.Customizer; import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.core.userdetails.MapReactiveUserDetailsService; import org.springframework.security.core.userdetails.User; import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.test.web.reactive.server.WebTestClient; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Integration tests for a secure reactive application with custom security. * @@ -165,7 +166,7 @@ class SampleSecureWebFluxCustomSecurityTests { exchanges.pathMatchers("/login").permitAll(); exchanges.anyExchange().authenticated(); }); - http.httpBasic(Customizer.withDefaults()); + http.httpBasic(withDefaults()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-hazelcast/src/main/java/smoketest/session/hazelcast/SecurityConfiguration.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-hazelcast/src/main/java/smoketest/session/hazelcast/SecurityConfiguration.java index 912332b3e8..5b097e4c3c 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-hazelcast/src/main/java/smoketest/session/hazelcast/SecurityConfiguration.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-hazelcast/src/main/java/smoketest/session/hazelcast/SecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,10 +20,11 @@ import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointR import org.springframework.boot.actuate.health.HealthEndpoint; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Security configuration. * @@ -38,9 +39,9 @@ class SecurityConfiguration { requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll(); requests.anyRequest().authenticated(); }); - http.formLogin(Customizer.withDefaults()); - http.httpBasic(Customizer.withDefaults()); - http.csrf().disable(); + http.formLogin(withDefaults()); + http.httpBasic(withDefaults()); + http.csrf((csrf) -> csrf.disable()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-jdbc/src/main/java/smoketest/session/SecurityConfiguration.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-jdbc/src/main/java/smoketest/session/SecurityConfiguration.java index 0ee5bd5b2c..56d724df55 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-jdbc/src/main/java/smoketest/session/SecurityConfiguration.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-jdbc/src/main/java/smoketest/session/SecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,10 +20,11 @@ import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointR import org.springframework.boot.actuate.health.HealthEndpoint; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Security configuration. * @@ -38,9 +39,9 @@ class SecurityConfiguration { requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll(); requests.anyRequest().authenticated(); }); - http.formLogin(Customizer.withDefaults()); - http.httpBasic(Customizer.withDefaults()); - http.csrf().disable(); + http.formLogin(withDefaults()); + http.httpBasic(withDefaults()); + http.csrf((csrf) -> csrf.disable()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-mongo/src/main/java/smoketest/session/mongodb/SecurityConfiguration.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-mongo/src/main/java/smoketest/session/mongodb/SecurityConfiguration.java index 1177f51f13..f88e74f66d 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-mongo/src/main/java/smoketest/session/mongodb/SecurityConfiguration.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-mongo/src/main/java/smoketest/session/mongodb/SecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,10 +20,11 @@ import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointR import org.springframework.boot.actuate.health.HealthEndpoint; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Security configuration. * @@ -38,9 +39,9 @@ class SecurityConfiguration { requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll(); requests.anyRequest().authenticated(); }); - http.formLogin(Customizer.withDefaults()); - http.httpBasic(Customizer.withDefaults()); - http.csrf().disable(); + http.formLogin(withDefaults()); + http.httpBasic(withDefaults()); + http.csrf((csrf) -> csrf.disable()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-redis/src/main/java/smoketest/session/redis/SecurityConfiguration.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-redis/src/main/java/smoketest/session/redis/SecurityConfiguration.java index 16cd3948f4..14408477a0 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-redis/src/main/java/smoketest/session/redis/SecurityConfiguration.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-redis/src/main/java/smoketest/session/redis/SecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,10 +20,11 @@ import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointR import org.springframework.boot.actuate.health.HealthEndpoint; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Security configuration. * @@ -38,9 +39,9 @@ class SecurityConfiguration { requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll(); requests.anyRequest().authenticated(); }); - http.formLogin(Customizer.withDefaults()); - http.httpBasic(Customizer.withDefaults()); - http.csrf().disable(); + http.formLogin(withDefaults()); + http.httpBasic(withDefaults()); + http.csrf((csrf) -> csrf.disable()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-webflux-mongo/src/main/java/smoketest/session/SampleSessionWebFluxMongoApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-webflux-mongo/src/main/java/smoketest/session/SampleSessionWebFluxMongoApplication.java index 405e9a85e2..9ccabd1631 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-webflux-mongo/src/main/java/smoketest/session/SampleSessionWebFluxMongoApplication.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-webflux-mongo/src/main/java/smoketest/session/SampleSessionWebFluxMongoApplication.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -23,6 +23,8 @@ import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository; +import static org.springframework.security.config.Customizer.withDefaults; + @SpringBootApplication public class SampleSessionWebFluxMongoApplication { @@ -32,17 +34,10 @@ public class SampleSessionWebFluxMongoApplication { @Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { - // @formatter:off - return http - .authorizeExchange() - .anyExchange().authenticated() - .and() - .httpBasic().securityContextRepository(new WebSessionServerSecurityContextRepository()) - .and() - .formLogin() - .and() - .build(); - // @formatter:on + http.authorizeExchange((exchange) -> exchange.anyExchange().authenticated()); + http.httpBasic((basic) -> basic.securityContextRepository(new WebSessionServerSecurityContextRepository())); + http.formLogin(withDefaults()); + return http.build(); } } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-webflux-redis/src/main/java/smoketest/session/SampleSessionWebFluxRedisApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-webflux-redis/src/main/java/smoketest/session/SampleSessionWebFluxRedisApplication.java index 4ebfaf48b8..fb9187aed4 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-webflux-redis/src/main/java/smoketest/session/SampleSessionWebFluxRedisApplication.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-webflux-redis/src/main/java/smoketest/session/SampleSessionWebFluxRedisApplication.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -23,6 +23,8 @@ import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository; +import static org.springframework.security.config.Customizer.withDefaults; + @SpringBootApplication public class SampleSessionWebFluxRedisApplication { @@ -32,17 +34,10 @@ public class SampleSessionWebFluxRedisApplication { @Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { - // @formatter:off - return http - .authorizeExchange() - .anyExchange().authenticated() - .and() - .httpBasic().securityContextRepository(new WebSessionServerSecurityContextRepository()) - .and() - .formLogin() - .and() - .build(); - // @formatter:on + http.authorizeExchange((exchange) -> exchange.anyExchange().authenticated()); + http.httpBasic((basic) -> basic.securityContextRepository(new WebSessionServerSecurityContextRepository())); + http.formLogin(withDefaults()); + return http.build(); } } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java index 6698caa1b8..9878914756 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java @@ -36,6 +36,8 @@ import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; +import static org.springframework.security.config.Customizer.withDefaults; + @SpringBootApplication @EnableMethodSecurity(securedEnabled = true) public class SampleMethodSecurityApplication implements WebMvcConfigurer { @@ -73,12 +75,12 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer { @Bean SecurityFilterChain configure(HttpSecurity http) throws Exception { - http.csrf().disable(); + http.csrf((csrf) -> csrf.disable()); http.authorizeHttpRequests((requests) -> { requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll(); requests.anyRequest().fullyAuthenticated(); }); - http.httpBasic(); + http.httpBasic(withDefaults()); http.formLogin((form) -> form.loginPage("/login").permitAll()); http.exceptionHandling((exceptions) -> exceptions.accessDeniedPage("/access")); return http.build(); @@ -92,10 +94,10 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer { @Bean SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception { - http.csrf().disable(); + http.csrf((csrf) -> csrf.disable()); http.securityMatcher(EndpointRequest.toAnyEndpoint()); http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()); - http.httpBasic(); + http.httpBasic(withDefaults()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java index 271c7e55ba..5d735b3556 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -45,7 +45,7 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer { @Bean SecurityFilterChain configure(HttpSecurity http) throws Exception { - http.csrf().disable(); + http.csrf((csrf) -> csrf.disable()); http.authorizeHttpRequests((requests) -> { requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll(); requests.anyRequest().fullyAuthenticated(); diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java index b632e3c186..c6e9eff88b 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -48,7 +48,7 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer { @Bean SecurityFilterChain configure(HttpSecurity http) throws Exception { - http.csrf().disable(); + http.csrf((csrf) -> csrf.disable()); http.authorizeHttpRequests((requests) -> { requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll(); requests.anyRequest().fullyAuthenticated(); diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/CustomServletPathErrorPageTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/CustomServletPathErrorPageTests.java index 7b0f55e802..36c2afa8d3 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/CustomServletPathErrorPageTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/CustomServletPathErrorPageTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,6 +22,8 @@ import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Tests to ensure that the error page with a custom servlet path is accessible only to * authorized users. @@ -48,7 +50,7 @@ class CustomServletPathErrorPageTests extends AbstractErrorPageTests { requests.requestMatchers("/public/**").permitAll(); requests.anyRequest().fullyAuthenticated(); }); - http.httpBasic(); + http.httpBasic(withDefaults()); http.formLogin((form) -> form.loginPage("/custom/servlet/path/login").permitAll()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/CustomServletPathUnauthenticatedErrorPageTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/CustomServletPathUnauthenticatedErrorPageTests.java index 81946f7b96..ff6577d4eb 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/CustomServletPathUnauthenticatedErrorPageTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/CustomServletPathUnauthenticatedErrorPageTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,6 +21,8 @@ import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Tests for error page that permits access to all with a custom servlet path. * @@ -48,7 +50,7 @@ class CustomServletPathUnauthenticatedErrorPageTests extends AbstractUnauthentic requests.requestMatchers("/public/**").permitAll(); requests.anyRequest().authenticated(); }); - http.httpBasic(); + http.httpBasic(withDefaults()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/ErrorPageTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/ErrorPageTests.java index 24fb0c08eb..d1a7dea549 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/ErrorPageTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/ErrorPageTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,6 +22,8 @@ import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Tests to ensure that the error page is accessible only to authorized users. * @@ -47,7 +49,7 @@ class ErrorPageTests extends AbstractErrorPageTests { requests.requestMatchers("/public/**").permitAll(); requests.anyRequest().fullyAuthenticated(); }); - http.httpBasic(); + http.httpBasic(withDefaults()); http.formLogin((form) -> form.loginPage("/login").permitAll()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/NoSessionErrorPageTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/NoSessionErrorPageTests.java index b3ce51683a..eb98e167a2 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/NoSessionErrorPageTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/NoSessionErrorPageTests.java @@ -23,6 +23,8 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Tests for error page when a stateless session creation policy is used. * @@ -49,7 +51,7 @@ class NoSessionErrorPageTests extends AbstractErrorPageTests { requests.requestMatchers("/public/**").permitAll(); requests.anyRequest().authenticated(); }); - http.httpBasic(); + http.httpBasic(withDefaults()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/SampleWebSecureApplicationTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/SampleWebSecureApplicationTests.java index 1b40843a5c..8930c363a9 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/SampleWebSecureApplicationTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/SampleWebSecureApplicationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -39,6 +39,7 @@ import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; import static org.assertj.core.api.Assertions.assertThat; +import static org.springframework.security.config.Customizer.withDefaults; /** * Basic integration tests for demo application. @@ -95,13 +96,13 @@ class SampleWebSecureApplicationTests { @Bean SecurityFilterChain configure(HttpSecurity http) throws Exception { - http.csrf().disable(); + http.csrf((csrf) -> csrf.disable()); http.authorizeHttpRequests((requests) -> { requests.requestMatchers("/public/**").permitAll(); requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll(); requests.anyRequest().fullyAuthenticated(); }); - http.httpBasic(); + http.httpBasic(withDefaults()); http.formLogin((form) -> form.loginPage("/login").permitAll()); return http.build(); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/UnauthenticatedErrorPageTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/UnauthenticatedErrorPageTests.java index 17f88761ec..7e3feeb8d3 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/UnauthenticatedErrorPageTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/UnauthenticatedErrorPageTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,6 +22,8 @@ import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Tests for error page that permits access to all. * @@ -48,7 +50,7 @@ class UnauthenticatedErrorPageTests extends AbstractUnauthenticatedErrorPageTest requests.requestMatchers("/public/**").permitAll(); requests.anyRequest().authenticated(); }); - http.httpBasic(); + http.httpBasic(withDefaults()); return http.build(); }