Spring Security 6.0 or Deprecated WebSecurityConfigurerAdapter

In Spring Security 6.0, many methods and classes have been deprecated. Let's look at the main deprecated elements:

Deprecated Methods

• authorizeHttpRequests() - Use authorizeHttpRequests(Customizer) instead

• antMatchers() - Use requestMatchers() which supports URLs, regex, and path patterns

• anonymous() - Use anonymous(Customizer)

• formLogin() - Use formLogin(Customizer)

• httpBasic() - Use httpBasic(Customizer)

Deprecated Classes

• WebSecurityConfigurerAdapter - Use component-based configuration instead

• Classes related to method security:

  • @EnableGlobalMethodSecurity - Use @EnableMethodSecurity

  • MethodSecurityMetadataSourceBeanDefinitionParser

Annotation Interfaces

• @EnableGlobalMethodSecurity - Use @EnableMethodSecurity instead

Deprecated Constructors

Some constructors have been deprecated in favor of new ones.

Deprecated Fields

Some fields have been deprecated, for example:

• AUTHORIZATION_TYPE_PASSWORD in AuthorizationGrantType

Reasons for Deprecation

The main reasons for deprecation are:

• Providing a more flexible and extensible API

• Moving to a component-based configuration instead of extending base classes

• Improving security and removing insecure options

Sources:

• https://docs.spring.io/spring-security/site/docs/current/api/deprecated-list.html

• https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

• https://spring.io/guides/gs/securing-web/

• stackoverflow.com/questions/74683225/updati..