Spring Security 6 Migration: Replacing Removed and Deprecated Functionality

Problem Statement

Migrating to Spring Boot 3.0 and Spring Security 6.0 requires significant changes to security configurations. The deprecated authorizeRequests() method and its associated antMatchers() utility, previously used for request authorization, have been removed completely in Spring Security 6. The @EnableGlobalMethodSecurity annotation has also been removed. Any attempt to use these will result in compilation errors and a broken security configuration.

Solution Overview

Spring Security 6 introduces simplified alternatives that consolidate configuration patterns:

  1. Replace @EnableGlobalMethodSecurity with @EnableMethodSecurity
  2. Migrate from authorizeRequests() to authorizeHttpRequests()
  3. Use requestMatchers() instead of antMatchers()/mvcMatchers()
  4. Update OAuth2 resource server configuration
  5. Adjust CSRF disabling syntax

1. Replace Method Security Annotation

The old annotation triggers errors:

```java
// REMOVED IN SPRING SECURITY 6
@EnableGlobalMethodSecurity(prePostEnabled = true)
```

Replace with the new annotation (prePostEnabled=true is now default):

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity  // Correct annotation for Spring Security 6+; prePostEnabled defaults to true
public class SecurityConfig {
    // Class body
}
```

2. Update Request Authorization Configuration

The original deprecated approach:

```java
// DEPRECATED APPROACH (Spring Security 5.x)
.authorizeRequests(auth -> auth.antMatchers("/token/**").permitAll())
.authorizeRequests(auth -> auth.anyRequest().authenticated())
```

Updated configuration for Spring Security 6:

```java
.authorizeHttpRequests(auth -> auth
    .requestMatchers("/token/**").permitAll()  // Use requestMatchers()
    .anyRequest().authenticated()
)
```

3. Update OAuth2 Resource Server Configuration

The original configuration is now deprecated:

```java
// DEPRECATED IN SPRING SECURITY 6
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
```

Use this configuration instead:

```java
import org.springframework.security.config.Customizer;

// JwtConfigurer has no withDefaults() method of its own; pass Customizer.withDefaults()
// to jwt(Customizer) to keep the default JWT setup
.oauth2ResourceServer(oauth2 -> oauth2
    .jwt(Customizer.withDefaults())  // Updated OAuth2 configuration
)
```

4. Modernize CSRF Configuration

CSRF disabling syntax should now use:

```java
.csrf(AbstractHttpConfigurer::disable)  // Post Spring Security 6.1 update
```

API Change Note

For Spring Security versions prior to 6.1, use:

```java
.csrf(csrf -> csrf.disable())
```

Complete Updated Configuration

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {
    // Constructor and other beans...
    
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
            // Stateless, token-authenticated API: no session cookie, so CSRF protection is not needed
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/token/**").permitAll()
                .anyRequest().authenticated()
            )
            .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .oauth2ResourceServer(oauth2 -> oauth2
                // jwt(Customizer): JwtConfigurer has no withDefaults() method, so the
                // statically imported Customizer.withDefaults() is passed instead
                .jwt(withDefaults())
            )
            .httpBasic(withDefaults())
            .build();
    }
    
    // JWT and other beans remain unchanged
}
```

Explanation of Key Changes

  1. Method-Based Security:
    @EnableMethodSecurity replaces @EnableGlobalMethodSecurity with sensible defaults.

  2. Request Authorization:
    .authorizeHttpRequests() streamlines configuration using requestMatchers() as the unified replacement for antMatchers(), mvcMatchers(), and regexMatchers().

  3. OAuth2 Resource Server:
    The lambda configuration (oauth2 -> oauth2.jwt(...)) is the form that stays supported as the older non-lambda methods are deprecated and phased out.

  4. Deprecated CSRF Handling:
    AbstractHttpConfigurer::disable addresses deprecation warnings while maintaining functionality.

Migration Recommendations

  1. Audit all antMatchers(), mvcMatchers(), and regexMatchers() calls—convert them to requestMatchers()
  2. Remove @EnableGlobalMethodSecurity from all configurations
  3. Test authorization rules thoroughly—unexpected permission changes are common during migration
  4. Review custom JWT converters as their declaration syntax may require updates
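Recommendation 3 above is best made concrete with a test. The following MockMvc test is an added example, not code from the original article; it assumes the SecurityConfig shown above, spring-security-test on the test classpath, a JwtDecoder bean, and two hypothetical endpoints, GET /token/issue and GET /api/ping, that return 200 when reached.

```java
// Added example (not from the original article): verifies the migrated
// authorizeHttpRequests() rules behave as the antMatchers() rules did.
// Assumes: the SecurityConfig above, spring-security-test, a JwtDecoder bean,
// and hypothetical controllers for GET /token/issue and GET /api/ping.
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigMigrationTest {

    @Autowired
    MockMvc mockMvc;

    @Test
    void tokenSubPathsStayPublic() throws Exception {
        // requestMatchers("/token/**").permitAll() must cover sub-paths, not just /token
        mockMvc.perform(get("/token/issue"))
               .andExpect(status().isOk());
    }

    @Test
    void unauthenticatedRequestToProtectedPathIsRejected() throws Exception {
        // anyRequest().authenticated(): no credentials -> 401 from the bearer/basic entry point
        mockMvc.perform(get("/api/ping"))
               .andExpect(status().isUnauthorized());
    }

    @Test
    void validJwtIsAccepted() throws Exception {
        // jwt() injects a pre-authenticated JwtAuthenticationToken, bypassing the JwtDecoder,
        // so this checks the authorization rule rather than token signature validation
        mockMvc.perform(get("/api/ping").with(jwt()))
               .andExpect(status().isOk());
    }
}
```

One caveat MockMvc does not cover: authorizeHttpRequests() also applies to FORWARD and ERROR dispatches, so a Spring Boot app whose /error page became inaccessible after migration needs a `.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()` rule, which is only observable in a full-container test.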