Spring Boot Security: The WebSecurityConfigurerAdapter is not the case anymore
220402 – 220523
Take care, when you want to customize your security configuration using the latest versions of Spring Boot.
Intro
Using a Custom Security Configuration class based on WebSecurityConfigurerAdapter (extending it) should not be a case for you anymore. This is because the WebSecurityConfigurerAdapter has been deprecated since Spring Security 5.7.0-M2.
Here we show how to continue working with the WebSecurityConfigurerAdapter using the latest versions of Spring Boot, without annoying warnings (curly yellow underlines).
Spring Boot project via Spring Initializr
Following the steps to initiate a new Spring Boot project using the Spring iintializr, you are prompted to select one of the versions presented (with radio buttons).
Also, the version marked as the latest built release is preselected for you. (On the date I was writing this post -May 23, 2022, it was 2.7.0, as you can see).
The preselected (latest) version, is being preceded by the latest built snapshot and the latest built prerelease. It is also followed by the 2 most recent updates of the 2 previous releases.
Nothing wrong with that. This is as it should be, and it help people to use the preselected options to start building their projects asap.
The problem
Then, when, later on, you decide to add some custom security configuration to your project, what you probably do, is to add into your pom.xml file the spring-boot-starter-security dependency.
Moreover, most probably again, you will start configuring your custom configuration by adding a custom security configuration class that extends the WebSecurityConfigurerAdapter, following the dozens of examples of the existing posts. And this is when you get informed by your IDE, that “The type WebSecurityConfigurerAdapter is deprecated”:
Don’t panic. This is just a warning! Your app will be compiled OK. However, you should have been aware of that, since there is an announcement posted in the official Spring Blog, on Feb 21 this year (2022):
You can see be also informed about that in the official documentation of the WebSecurityConfigurerAdapter:
The solution
What is appropriate for you to do, is to start following the guidelines and examples provided by the official documentation that encourages us to start using/registering SecurityFilterChain beans, (and indeed, this is what you should do sooner or later).
However, if you wish to take your time to proceed with the new approaches, sticking for a while with the WebSecurityConfigurerAdapter, and also you don’t like seeing the warning curly yellow underlines, then here is a quick solution, by adding an earlier suitable version for the spring-security dependency in the properties section of your pom.xml:
That’s it! After your IDE finished syncing for the changes of the pom.xml file, the warning curly yellow underlines are disappeared!
[See here the official documentation]
What is behind
Finally, below there is a short tour of how a Spring Boot version is related to Spring version and the Spring Security version.
First of all, pay attention that the Spring Framework (spring.core) versions are different from those of the spring.security versions – they do not use the same versions. For instance the current spring.core version is 5.3.20 and the spring.security (spring-security-core) version is 5.7.1.
The spring-boot-starter and its selected version is the default parent version of the rest of the spring-boot-starter packages, so there is no need to add it explicitly. Going to the latest release version of the Spring Boot Starter (2.7.0 here) you can see that it depends on the spring.core version 5.3.20
Also, note that the spring-boot-starter-security dependency actually encapsulates the spring security dependencies::
– spring-security-core: Implements the core features of Spring Security
– spring-security-config: Provides the Spring Security namespace
– spring-security-web: Provides filters and other features needed to secure web applications
Moreover, if you look at the Spring Boot Starter Sehttps://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security/2.7.0curity (spring-boot-starter-security which you have added without version in your pom.xml file) you can see that it depends of 2 other dependencies that the require the spring.security version 5.7.1
Here we are: The inherited version of the spring-boot-starter-security is 2.7.0 which though, depends on the spring.security 5.7.1, is a version greater than the 5.7.0 from which afterward the WebSecurityConfigurerAdapter has been deprecated.
Takeaways
What we’ve seen here is also a good start for digging deeper in Spring, Spring Boot, and dependency versions, and how to use them in your pom.xml file.
So, that’s it!
Thanx for reading!!
Amazing!