
SecurityFilterChain Bean doesn't protect app


I am in the middle of migrating my Spring Security configuration from WebSecurityConfigurerAdapter (deprecated) to a configuration with beans.

My config class now looks like

@EnableWebSecurity
public class Config {

    @Bean
    protected SecurityFilterChain configure(HttpSecurity http) throws Exception {
        return http.build();
    }

}

I understand that this configuration doesn't make any behavior settings, but shouldn't it return a SecurityFilterChain bean that will act like the default SecurityFilterChain (as if no configuration was specified)? When I start my app no controllers are secured.


Solution

  • To add security rules and a form for endpoints, simply add an .authorizeRequests() block:

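    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    public class Config {
        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    // These paths stay open to unauthenticated users
                    .antMatchers("/unprotected", "/endpoints/**").permitAll()
                    // Every other request requires an authenticated user
                    .anyRequest().authenticated()
                    .and()
                    // Unauthenticated users are sent to the login form
                    .formLogin();
            return http.build();
        }
    }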
    

    Also read Spring Security without the WebSecurityConfigurerAdapter
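
A regression check for the rules in the answer above, added here as an example and not part of the original question or answer. It assumes a Spring Boot application with spring-boot-starter-test and spring-security-test on the test classpath and JUnit 5; the class name and the path /private/report are hypothetical. With the empty chain from the question, the first test fails because the anonymous request is never redirected to the login form.

```java
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.Set;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.ResultMatcher;

// Added example (assumes Spring Boot test support); not code from the original page.
@SpringBootTest
@AutoConfigureMockMvc // MockMvc runs requests through the application's security filters
class SecurityRulesTest {

    // Constructed sample path: any URL outside the permitAll() patterns
    private static final String PROTECTED_URL = "/private/report";

    // 302, 401 and 403 mean the security layer stopped the request
    private static final ResultMatcher NOT_BLOCKED = result -> assertFalse(
            Set.of(302, 401, 403).contains(result.getResponse().getStatus()), "request was blocked");

    @Autowired
    private MockMvc mockMvc;

    // anyRequest().authenticated() + formLogin(): anonymous users are redirected to /login
    @Test
    void anonymousRequestToProtectedUrlIsSentToLogin() throws Exception {
        mockMvc.perform(get(PROTECTED_URL))
                .andExpect(status().is3xxRedirection())
                .andExpect(redirectedUrlPattern("**/login"));
    }

    @Test
    void anonymousRequestToPermittedUrlIsNotBlocked() throws Exception {
        mockMvc.perform(get("/unprotected")).andExpect(NOT_BLOCKED);
    }

    @Test
    @WithMockUser
    void authenticatedRequestToProtectedUrlIsNotBlocked() throws Exception {
        mockMvc.perform(get(PROTECTED_URL)).andExpect(NOT_BLOCKED);
    }
}
```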