springspring-securityspring-kotlin

Spring in Kotlin: from 5.3 to 6.0 security Configuration

I'm facing lots of issues in doing Spring security configurations that I used to have in v5.3 applied in v6.

This is the file I had

@Configuration
@EnableWebSecurity
class WebSecurityConfiguration : WebSecurityConfigurerAdapter() {

    @Autowired
    lateinit var service: UserService

    /**
     * Will be resolved into: WebSecurityEntryPoint injected instance.
     */
    @Autowired
    lateinit var unauthorizedHandler: AuthenticationEntryPoint

    @Autowired
    lateinit var successHandler: WebSecurityAuthSuccessHandler

    @Autowired
    override fun configure(auth: AuthenticationManagerBuilder) {
        auth.authenticationProvider(authenticationProvider())
    }

    override fun configure(http: HttpSecurity?) {
        http
                ?.csrf()?.disable()
                ?.exceptionHandling()
                ?.authenticationEntryPoint(unauthorizedHandler)
                ?.and()
                ?.authorizeRequests()
                /**
                 * Access to Notes and Todos API calls is given to any authenticated system user.
                 */
                ?.antMatchers("/notes")?.authenticated()
                ?.antMatchers("/notes/**")?.authenticated()
                ?.antMatchers("/todos")?.authenticated()
                ?.antMatchers("/todos/**")?.authenticated()
                /**
                 * Access to User API calls is given only to Admin user.
                 */
                ?.antMatchers("/users")?.hasAnyAuthority("ADMIN")
                ?.antMatchers("/users/**")?.hasAnyAuthority("ADMIN")
                ?.and()
                ?.formLogin()
                ?.successHandler(successHandler)
                ?.failureHandler(SimpleUrlAuthenticationFailureHandler())
                ?.and()
                ?.logout()
    }

    @Bean
    fun authenticationProvider(): DaoAuthenticationProvider {
        val authProvider = DaoAuthenticationProvider()
        authProvider.setUserDetailsService(service)
        authProvider.setPasswordEncoder(encoder())
        return authProvider
    }

    @Bean
    fun encoder(): PasswordEncoder = BCryptPasswordEncoder(11)

    @Bean
    fun accessDecisionManager(): AccessDecisionManager {
        val decisionVoters = Arrays.asList(
                WebExpressionVoter(),
                RoleVoter(),
                AuthenticatedVoter()
        )
        return UnanimousBased(decisionVoters)
    }

}

I used the documentation in Spring.io

https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

and I'm just hitting the wall since then. their documentation is not helpful and the new dependencies aren't working the same. how can this be done now?

P.S: I often keep getting this error:

Caused by: java.lang.ClassNotFoundException: org.springframework.security.core.context.DeferredSecurityContext

which i couldn't find anywhere

Solution

  • Okey... I managed to solve it this way first I had to add the security dependency for v6 implementation("org.springframework.security:spring-security-core:6.0.1")

    and I made the Security Configuration this way

    @Configuration
@EnableWebSecurity
class SecurityConfiguration(
    private val userService: UserService,
    private val unauthorizedHandler: AuthenticationEntryPoint,
    private val successHandler: WebSecurityAuthSuccessHandler
) {

    /**
     * Will be resolved into: WebSecurityEntryPoint injected instance.
     */
    @Bean
    fun myPasswordEncoder(): PasswordEncoder {
        return BCryptPasswordEncoder(11)
    }

    @Primary
    fun configureAuthentication(auth: AuthenticationManagerBuilder): AuthenticationManagerBuilder {
        return auth.authenticationProvider(authenticationProvider())
    }


    @Bean
    fun authenticationProvider(): DaoAuthenticationProvider {
        val authProvider = DaoAuthenticationProvider()
        authProvider.setUserDetailsService(userService)
        authProvider.setPasswordEncoder(myPasswordEncoder())
        return authProvider
    }

    @Bean
    fun accessDecisionManager(): AccessDecisionManager {
        val decisionVoter = listOf(
            WebExpressionVoter(),
            RoleVoter(),
            AuthenticatedVoter()
        )
        return UnanimousBased(decisionVoter)
    }

    @Bean
    fun configureHttpSecurity(httpSecurity: HttpSecurity): SecurityFilterChain {
         httpSecurity
             .csrf().disable()
             .exceptionHandling()
             .authenticationEntryPoint(unauthorizedHandler)
             .and()
             .authorizeHttpRequests()
             /**
              * Access to Notes and Todos API calls is given to any authenticated system user.
              */
             .requestMatchers("/notes").authenticated()
             .requestMatchers("/notes/**").authenticated()
             .requestMatchers("/todos").authenticated()
             .requestMatchers("/todos/**").authenticated()
             /**
              * Access to User API calls is given only to Admin user.
              */
             .requestMatchers("/users").hasAnyAuthority("ADMIN")
             .requestMatchers("/users/**").hasAnyAuthority("ADMIN")
             .and()
             .formLogin()
             .successHandler(successHandler)
             .failureHandler(SimpleUrlAuthenticationFailureHandler())
             .and()
             .logout()
        return httpSecurity.build()
    }

}