Spring Security 6.0 or Deprecated WebSecurityConfigurerAdapter

Spring Security 6.0 or Deprecated WebSecurityConfigurerAdapter

In Spring Security 6.0, many methods and classes have been deprecated. Let's look at the main deprecated elements:

Deprecated Methods

  • authorizeHttpRequests() - Use authorizeHttpRequests(Customizer) instead

  • antMatchers() - Use requestMatchers() which supports URLs, regex, and path patterns

  • anonymous() - Use anonymous(Customizer)

  • formLogin() - Use formLogin(Customizer)

  • httpBasic() - Use httpBasic(Customizer)

Deprecated Classes

  • WebSecurityConfigurerAdapter - Use component-based configuration instead

  • Classes related to method security:

    • @EnableGlobalMethodSecurity - Use @EnableMethodSecurity

    • MethodSecurityMetadataSourceBeanDefinitionParser

Annotation Interfaces

  • @EnableGlobalMethodSecurity - Use @EnableMethodSecurity instead

Deprecated Constructors

Some constructors have been deprecated in favor of new ones.

Deprecated Fields

Some fields have been deprecated, for example:

  • AUTHORIZATION_TYPE_PASSWORD in AuthorizationGrantType

Reasons for Deprecation

The main reasons for deprecation are:

  • Providing a more flexible and extensible API

  • Moving to a component-based configuration instead of extending base classes

  • Improving security and removing insecure options