How to migrate deprecated WebSecurityConfigurerAdapter to SecurityFilterChain?

As they describe here, the WebSecurityConfigurerAdapter will be deprecated in a while.

I am trying to refactor the implementation of WebSecurityConfigurerAdapter with SecurityFilterChain because I want to implement a JWT pattern. The main consideration which I faced is that the configure in returns void.

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    CustomAuthenticationFilter customAuthenticationFilter = new CustomAuthenticationFilter(authenticationManagerBean(), accessTokenExpiredInDays, refreshTokenExpiredInDays, jwtSecret);
    customAuthenticationFilter.setFilterProcessesUrl("/api/login");
    http
        .csrf().disable();
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http
        .authorizeRequests()
            .antMatchers("/error").permitAll();
    http
        .authorizeRequests()
            .antMatchers("/api/login/**", "/api/token/refresh/**").permitAll();
    http
        .authorizeRequests()
            .anyRequest().authenticated();
    http
        .addFilter(customAuthenticationFilter);
    http
        .addFilterBefore(new CustomAuthorizationFilter(jwtSecret), UsernamePasswordAuthenticationFilter.class);
}

@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception{
    return super.authenticationManagerBean();
}

Note that Spring Security has built-in support for JWT authentication and there is no need to create a custom filter. You can find an example provided by the Spring Security team here.

However, if you do choose to create a custom filter, the recommended way to configure it is by creating a custom DSL.
This is the same way that Spring Security does it internally.

I've rewritten your configuration below using a custom DSL.

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .csrf().disable();
    http
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http
        .authorizeRequests()
        .antMatchers("/error").permitAll();
    http
        .authorizeRequests()
        .antMatchers("/api/login/**", "/api/token/refresh/**").permitAll();
    http
        .authorizeRequests()
        .anyRequest().authenticated();
    // apply the custom DSL which adds the custom filter
    http
        .apply(customDsl());
    http
        .addFilterBefore(new CustomAuthorizationFilter(jwtSecret), UsernamePasswordAuthenticationFilter.class);

    return http.build();
}

public class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        AuthenticationManager authenticationManager =
                http.getSharedObject(AuthenticationManager.class);
        CustomAuthenticationFilter filter = 
                new CustomAuthenticationFilter(authenticationManager, accessTokenExpiredInDays, refreshTokenExpiredInDays, jwtSecret);
        filter.setFilterProcessesUrl("/api/login");
        http.addFilter(filter);
    }

    public static MyCustomDsl customDsl() {
        return new MyCustomDsl();
    }
}

This configuration, as well as other examples, is described in the Spring blog post on migrating away from the WebSecurityConfigurerAdapter.
