spring-securityspring-authorization-server
How to remove usage of http.apply(new OAuth2AuthorizationServerConfigurer())?
As per the documentation for customizing the configuration. Following can be used:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
authorizationServerConfigurer
.registeredClientRepository(registeredClientRepository)
But http.apply() is deprecated (Spring security v6.2) and hence cannot be used. The document is also not updated. How to use http.apply() in such a scenario?
Solution
The example code in the Getting Started section of the Spring Authorization Server documentation invokes:
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
The operations performed by this method includes the effect of:
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
Your security filter chain can invoke the getConfigurer method to get the OAuth2AuthorizationServerConfigurer instance to configure the authorization server:
http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
.registeredClientRepository(registeredClientRepository)
- Why are there 2 Security Filter Chains defined for my Spring Boot Application?
- Request Matcher not working to permit allowed path
- Spring Security 6 - how to handle InvalidBearerTokenExeption
- problems with custom authentication provider in spring boot 3.3.0
- Spring Security issue with JWT: Cannot subclass final class JwtAuthenticationProvider
- Add JSF Message From Spring Bean
- Handling Internal Server Error When OAuth Issuer Is Not Available in WebFluxSecurity
- How to remove usage of http.apply(new OAuth2AuthorizationServerConfigurer())?
- With deprecation of the `SecurityContextRepository.loadContext(HttpRequestResponseHolder)` method, how do we add `Set-Cookie` to the response?
- Spring Boot + Security + Thymeleaf and CSRF token not injected automatically
- Using two or more SecurityFilterChains with Spring Security 6 does not work properly, only one chain is invoked
- CSRF token requirement if implemented JWT
- Spring Security - Multiple OAuth2 Identity providers (github and google) work with only one Bean with @Prirmary?
- bean of type 'org.springframework.security.crypto.password.PasswordEncoder' that could not be found
- Spring SecurityContext not available when using parallelStream
- Disabling Basic Auth in Spring Boot 3
- Implement Spring Security with multiple overlapping AuthenticationProvider
- SpringSecurity CSRF protection
- ProviderSettings class not found it says Cannot resolve symbol ProviderSettings
- Why is CSRF protection needed for connecting to websockets if Spring Security implements Same Origin Policy at server level?
- How can I verify a claim from my JWT token with reactive spring security?
- Spring Boot auto login Bad Credentials
- How to bypass keycloak login page and provide client suggested idp with spring security
- How to configure Spring Security to allow GET method for everyone and restrict other methods to specific roles without much boilerplate?
- Migrate org.springframework.security.jwt.Jwt
- Spring Security + Keycloak (with self signed certs) - How do you disable hostname verification?
- Security config error while upgrading version of spring boot application from 2.x.x to 3.3.0
- Access denied even with the AnonymousAuthenticationFilter
- permit for mvc controller in spring security
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD