Dev Solve

English

中文
日本語

English

中文
日本語

Appearance

Related Posts

Spring Class Version Mismatch: Fixing 'class file has wrong version' Error

Spring Security 6 Migration: Replacing Removed and Deprecated Functionality

Spring Boot 3 OpenAPI/Swagger Integration

Spring Security 6 JWT Configuration

Spring RestClient Timeout Configuration

Spring Security authorizeRequests Deprecation

Problem Statement

In recent Spring Security updates (especially versions 6+), the traditional authorizeRequests() method and antMatchers() have been deprecated. Developers upgrading to Spring Boot 3.x encounter errors when configuring security rules, as shown in this typical security configuration:

java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable().authorizeHttpRequests(authorize -> authorize
                    .requestMatchers("/", "/login", /signup", "/logout").permitAll()
                    .requestMatchers("/api").hasRole("ADMIN")
                    .requestMatchers("/user").hasRole("USER")
                    .anyRequest().authenticated())
        // ... additional configuration
    return http.build();
}

Key Issues

  • authorizeRequests() produces deprecation warnings
  • antMatchers() is no longer available
  • Configuration syntax fails with newer Spring Security versions

This migration is required due to Spring Security's shift to a more type-safe, lambda-based DSL promoting clearer authorization rules.

Solution: Modern Configuration Pattern

For Spring Boot 3.1+ and Spring Security 6.x+, use the lambda-style configuration with requestMatchers() instead of antMatchers(). Here's how to implement authorization rules correctly:

Updated Security Configuration

java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .csrf(csrf -> csrf.disable())
        .cors(cors -> cors.disable())
        .authorizeHttpRequests(authz -> authz
            .requestMatchers("/", "/login", "/signup", "/logout").permitAll()
            .requestMatchers("/api").hasRole("ADMIN")
            .requestMatchers("/user").hasRole("USER")
            .anyRequest().authenticated()
        )
        .formLogin(form -> form
            .loginPage("/login")
            .loginProcessingUrl("/login")
            .defaultSuccessUrl("/user")
            .failureUrl("/login?error")
        )
        .logout(logout -> logout
            .logoutUrl("/logout")
            .logoutSuccessUrl("/")
        );
    return http.build();
}

Essential Changes Explained

  1. Lambda Configuration

    • Replace chain-style .cors().disable() with lambda: .cors(cors -> cors.disable())
    • Use lambda for all configuration blocks (csrf, formLogin, logout)

  2. Authorization

    • authorizeHttpRequests() replaces deprecated methods
    • requestMatchers() defines URL-specific rules
    • Method chaining occurs inside the lambda expression

  3. Role Definitions

    • Use hasRole() without "ROLE_" prefix (automatically handled)
    • Multiple patterns per requestMatchers() are comma-separated

Advanced Configuration Examples

Stateless REST API Configuration

java
http
    .securityMatcher("/api/**")
    .authorizeHttpRequests(authz -> authz
        .requestMatchers("/api/admin/**").hasRole("ADMIN")
        .requestMatchers("/api/**").authenticated()
    )
    .httpBasic(httpbc -> httpbc
        .authenticationEntryPoint(customAuthEntryPoint)
    )
    .sessionManagement(smc -> smc
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    );

Permitting Access to Specific Paths

java
http.authorizeHttpRequests(authz -> authz
    .requestMatchers("/public/**").permitAll()
    .requestMatchers("/admin/**").hasAuthority("ROLE_ADMIN")
    .anyRequest().denyAll()
);

Important Version Differences

  • Spring Boot 3.0: Uses authorizeHttpRequests() without lambda syntax
  • Spring Boot 3.1+: Requires lambda-style configuration shown above

Key Migration Considerations

  1. Method Access Rules

    java
    // OLD (deprecated)
.authorizeRequests().antMatchers("/admin").hasRole("ADMIN")

// NEW
.authorizeHttpRequests(authz -> authz.requestMatchers("/admin").hasRole("ADMIN"))

  2. Endpoint Authorization

    • Resource-based checking moves from antMatchers() to requestMatchers()
    • Precedence matters: Define specific rules before general ones

  3. Authentication Methods

    • Form login, HTTP Basic, and OAuth2 all use lambda configuration
    • Use httpBasic(Customizer.withDefaults()) for default settings

Best Practices

  1. Enable Method Security
    Add @EnableMethodSecurity at class level:

    java
    @Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true)
public class SecurityConfig { ... }

  2. Password Encoding

    java
    @Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

  3. Avoid Deprecated Methods

    • Use AbstractHttpConfigurer::disable for csrf/cors configuration
    • Replace mvcMatchers/antMatchers with requestMatchers

Official Reference

Spring Security 6 Migration Guide

The lambda-based configuration provides clearer security rules and aligns with modern Java practices. The examples in this article can be directly implemented in Spring Boot 3.1+ applications to resolve deprecation warnings while maintaining robust security.