
'authorizeExchange()' is deprecated since version 6.1 and marked for removal


I have the following Spring Security configuration:

@Bean
public SecurityWebFilterChain springSecurityFilterChain (ServerHttpSecurity http) {

    http.csrf().disable()
            .authorizeExchange()
            .pathMatchers("/api/**")
            .permitAll()
            .anyExchange()
            .authenticated()
            .and()
            .oauth2Login(); // to redirect to oauth2 login page.
    http.cors().configurationSource(request-> {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST", "OPTIONS"));
        configuration.setAllowedHeaders(List.of("*"));
        return configuration;
    });
    return http.build();
}

I get multiple errors in Spring Cloud 2023.0.1:

'csrf()' is deprecated since version 6.1 and marked for removal 
'authorizeExchange()' is deprecated since version 6.1 and marked for removal 
'and()' is deprecated since version 6.1 and marked for removal 
'oauth2Login()' is deprecated since version 6.1 and marked for removal 
'cors()' is deprecated since version 6.1 and marked for removal 

I tried to migrate the code this way:

    http.csrf(CsrfConfigurer::disable)       
             .authorizeExchange((authz) -> authz
                .pathMatchers("/")
                     .permitAll()
                     .anyExchange()
                     .authenticated()
                     .and()
                     .oauth2Login() // to redirect to oauth2 login page.
             );
        http.cors().configurationSource(request-> {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST", "OPTIONS"));
        configuration.setAllowedHeaders(List.of("*"));
        return configuration;
    });

I get:

CsrfConfigurer::disable -> Non-static method cannot be referenced from a static context
'oauth2Login()' is deprecated since version 6.1 and marked for removal 

Do you know what is the proper way to migrate the code?


Solution

    • .csrf().disable() => .csrf(ServerHttpSecurity.CsrfSpec::disable) or you could do .csrf( csrfSpec -> csrfSpec.disable())

    • .oauth2Login() => Just use the default Customizer or use a custom one.

    Customizer.withDefaults() enables a security feature using the defaults provided by Spring Security. This is a shortcut for the lambda expression it -> {}.

    • cors().configurationSource(...) => again, configure CORS via a lambda expression: .cors(cors -> cors.configurationSource(....))

    Result:

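    import java.util.Arrays;
    import java.util.List;

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.reactive.CorsConfigurationSource;
    import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http.csrf(ServerHttpSecurity.CsrfSpec::disable)
                   .oauth2Login(Customizer.withDefaults()) // redirects to the OAuth2 login page
                   // Authorization rules taken from the question's original configuration
                   .authorizeExchange(auth -> auth
                       .pathMatchers("/api/**").permitAll()
                       .anyExchange().authenticated())
                   .cors(cors -> cors.configurationSource(customCors()))
                   .build();
    }

    // Reactive (WebFlux) CORS source; both types come from org.springframework.web.cors.reactive
    CorsConfigurationSource customCors() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS"));
        configuration.setAllowedHeaders(List.of("*"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }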
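
A regression test for the migrated chain, added here as an example and not part of the original question or answer. It checks that the lambda-DSL version still enforces the question's access rules and CORS policy. It assumes `spring-boot-starter-test` is on the classpath and that `/api/**` is the `permitAll()` matcher; the class name, request paths and client registration values are constructed for the test.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.test.web.reactive.server.WebTestClient;

// Added example, not from the original post. Registration values and paths are constructed.
@SpringBootTest(
    webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
    properties = {
        // oauth2Login() needs a client registration to start; "github" uses built-in provider defaults
        "spring.security.oauth2.client.registration.github.client-id=test-id",
        "spring.security.oauth2.client.registration.github.client-secret=test-secret"
    })
class SecurityMigrationTest { // hypothetical class name

    @Autowired
    WebTestClient client; // auto-configured for a WebFlux app on a running server

    @Test
    void apiPathsStayOpen() {
        // Assumes no handler or route is mapped here: 404 (not a redirect) means security let it through
        client.get().uri("/api/no-such-handler").exchange()
              .expectStatus().isNotFound();
    }

    @Test
    void everythingElseRequiresLogin() {
        client.get().uri("/private").accept(MediaType.TEXT_HTML).exchange()
              .expectStatus().is3xxRedirection(); // sent to the OAuth2 login flow
    }

    @Test
    void preflightAllowedOnlyFromConfiguredOrigin() {
        preflight("http://localhost:3000").expectStatus().isOk()
            .expectHeader().valueEquals(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://localhost:3000");
        preflight("http://other.example").expectStatus().isForbidden();
    }

    private WebTestClient.ResponseSpec preflight(String origin) {
        return client.options().uri("/api/anything")
                     .header(HttpHeaders.ORIGIN, origin)
                     .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")
                     .exchange();
    }
}
```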