Lab: Major Release Considerations ‐ 3: Update to Security Filter Chain - shinyay/spring-boot-2-7-to-3-1-upgrade GitHub Wiki

3: Update to Security Filter Chain So, we know the base class, WebSecurityConfigurerAdapter, has been deprecated.

You no longer need to extend from this class. It can be replaced with an @Bean definition.

Remove extends WebSecurityConfigurerAdapter.

Let's start by opening the SecurityConfig class and removing the unneeded extends.

extends WebSecurityConfigurerAdapter public class SecurityConfig { ... } Delete the configure method.

The configure() method should now indicate that it's not overriding a corresponding method in the super class, because there's no super class anymore.

// DELETE the entire configure method! @Override protected void configure(HttpSecurity http) throws Exception { http. authorizeRequests((authz) -> authz .antMatchers("/cashcards/").hasRole("CARD-OWNER") .antMatchers("/h2-console/").permitAll() ) .csrf().disable() .httpBasic(withDefaults()); } Now, you'll replace the configure method with the corresponding @Bean definition.

Add the SecurityFilterChain bean.

The former function of the configure method is now handled by a SecurityFilterChain bean.

@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests() .antMatchers("/cashcards/").hasRole("CARD-OWNER") .antMatchers("/h2-console/").permitAll() .and() .csrf().disable() .httpBasic(withDefaults()); return http.build(); } Don't forget to add the import for SecurityFilterChain:

import org.springframework.security.web.SecurityFilterChain; While you're at it, delete the import for WebSecurityConfigurerAdapter:

// Delete this import statement import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; Compile the code

Now is a good time to Compile the code again.

[~/exercises] $ ./mvnw clean compile It still compiles, but we continue to see some deprecations messages in the output:

... [INFO] /course-spring-boot-2-7-to-3-1-upgrade-code/src/main/java/example/cashcard/SecurityConfig.java: /course-spring-boot-2-7-to-3-1-upgrade-code/src/main/java/example/cashcard/SecurityConfig.java uses or overrides a deprecated API. Update our notes.

Before we move on, let's note the change in the upgrade-notes.md file.

  • Replace WebSecurityConfigurerAdapter super class with SecurityFilterChain bean definition