Spring Security Spring-boot-starter-web migrate from 1.2.5 to 1.3.2.RELEASE

Question

I use spring security for my application. Up to now I used

org.springframework.boot spring-boot-starter-web 1.2.5 RELEASE

now I want to use

org.springframework.boot spring-boot-starter-web 1.3.2 RELEASE

My SecurityConfiguration.java looks like this:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Autowired
private UserDetailsService userService;

@Autowired
public void configureAuth(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userService).passwordEncoder(new BCryptPasswordEncoder());
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().anyRequest().authenticated().and().formLogin().loginPage("/login.html")
            .failureUrl("/login.html?error").defaultSuccessUrl("/index", true).permitAll().and().logout()
            .logoutSuccessUrl("/logout.html").permitAll().and().csrf().disable();
 }
}

One of my rest services looks like this:

@RequestMapping("/test")
@PreAuthorize("hasRole('ADMIN')")
public List<Tests> getTests() {
    return ...
}

The old version works. With the newer version I get a 403 forbidden if I try to call the rest service. Does anyone know how to get this to work again?

Answer 1

When upgrading from 1.2.5 to 1.3.2 you also update spring-security from 3.X to 4.X.

You can override spring security dependency in your own project to keep previous version of spring-security. (I don't think that it is recommended, at least you will see a warning at startup)

Alternatively, you can read carefully the documentation bellow and perform all necessary configuration update when moving from spring-security 3.X to 4.X

Migration from spring security 3 to 4 (xml config)

Migration from spring security 3 to 4 (java config)