java spring spring-boot

Deprecated .csrf() and .requiresChannel() methods after Spring Boot v3 migration


I tried to migrate an older project to the newest version of Spring Boot (3.1.2 at the time of writing). However, the .csrf() and .requiresChannel() methods in the code below no longer work because they have been deprecated.

I can't find the methods that have replaced them. Can you help?

/**
 * Spring Security configuration from the question: declares the HTTP security
 * filter chain, exposes the {@code AuthenticationManager}, and registers a
 * {@code DaoAuthenticationProvider} backed by {@code ApplicationUserService}
 * and a BCrypt password encoder.
 *
 * <p>The filter chain is written in the chained style ({@code csrf()},
 * {@code requiresChannel()}, {@code antMatchers()}, {@code and()}) that the
 * question reports no longer works after the move to Spring Boot 3.1.2.
 */
@Configuration
@EnableWebSecurity
public class ApplicationSecurityConfig {

    // Looks up user accounts for the DAO authentication provider below.
    private final ApplicationUserService applicationUserService;

    // Password encoder handed to the DAO authentication provider below.
    private final BCryptPasswordEncoder bCryptPasswordEncoder;

    /**
     * Receives both collaborators by constructor injection.
     *
     * @param applicationUserService user lookup service used for authentication
     * @param bCryptPasswordEncoder  encoder used to verify stored passwords
     */
    public ApplicationSecurityConfig(
            ApplicationUserService applicationUserService,
            BCryptPasswordEncoder bCryptPasswordEncoder) {
        this.applicationUserService = applicationUserService;
        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
    }

    /**
     * Builds the security filter chain: CSRF off, /actuator/** pinned to plain
     * HTTP, a small set of public paths, form login and logout handling.
     *
     * @param http the {@code HttpSecurity} builder supplied by Spring
     * @return the built {@code SecurityFilterChain}
     * @throws Exception if the builder fails to configure or build the chain
     */
    @Bean
    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                // CSRF protection is switched off for every request.
                // NOTE(review): this chain uses form login and clears a JSESSIONID
                // cookie on logout, so it appears to be cookie-session based; with
                // CSRF off, state-changing requests are not checked for a CSRF
                // token. Confirm this is intended before copying the config.
                .csrf().disable()
                // Channel rule: /actuator/** must be served over plain HTTP.
                // NOTE(review): together with permitAll() below, actuator paths are
                // reachable without authentication and without TLS; what they expose
                // depends on endpoint settings not shown here. Verify.
                .requiresChannel()
                    .antMatchers("/actuator/**")
                    .requiresInsecure()
                .and()
                // Authorization rules: the listed paths are public, everything else
                // requires an authenticated user.
                .authorizeRequests()
                    .antMatchers(
                            "/api/v*/registration/**",
                            "/register*",
                            "/login",
                            "/actuator/**").permitAll()
                    .anyRequest()
                    .authenticated()
                    .and()
                // Form login: custom page at /login, the username is read from the
                // "email" request parameter.
                .formLogin()
                    .loginPage("/login")
                    .usernameParameter("email")
                    .permitAll()
                    // 'true' forces the redirect to "/" after every successful login,
                    // regardless of the page originally requested.
                    .defaultSuccessUrl("/",true)
                    .failureUrl("/login-error")
                .and()
                // Logout: clear the authentication, invalidate the HTTP session and
                // delete the named cookies, then send the user back to /login.
                .logout()
                    .logoutUrl("/logout")
                    .clearAuthentication(true)
                    .invalidateHttpSession(true)
                    // NOTE(review): "Idea-2e8e7cee" is presumably a cookie set by a
                    // development tool rather than by this application; confirm it
                    // belongs in the deployed configuration.
                    .deleteCookies("JSESSIONID","Idea-2e8e7cee")
                    .logoutSuccessUrl("/login");

        return http.build();
    }

    /**
     * Exposes the {@code AuthenticationManager} held by the given
     * {@code AuthenticationConfiguration} as a bean.
     *
     * @param authenticationConfiguration Spring's authentication configuration
     * @return the manager returned by {@code getAuthenticationManager()}
     * @throws Exception if the manager cannot be obtained
     */
    @Bean
    public AuthenticationManager authenticationManager(
            AuthenticationConfiguration authenticationConfiguration) throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    /**
     * Creates the DAO authentication provider, wired with the injected BCrypt
     * encoder and user service.
     *
     * @return the configured {@code DaoAuthenticationProvider}
     */
    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider provider =
                new DaoAuthenticationProvider();
        provider.setPasswordEncoder(bCryptPasswordEncoder);
        provider.setUserDetailsService(applicationUserService);
        return provider;
    }
}

Solution

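  • The filterChain implementation becomes the body shown below. For more details on why, have a look at the Migration Guide, which covers the configuration steps; the overall changes are described in Servlet Migration. Note that this rewrite only changes the syntax: it keeps the original behaviour, including CSRF protection being disabled and /actuator/** being open to everyone over plain HTTP, so review those two settings separately.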

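      /**
       * Builds the security filter chain with the lambda-based configuration
       * methods, mirroring the rules of the chained configuration in the question:
       * CSRF off, /actuator/** pinned to plain HTTP, a small set of public paths,
       * form login and logout handling.
       *
       * @param http the {@code HttpSecurity} builder supplied by Spring
       * @return the built {@code SecurityFilterChain}
       * @throws Exception if the builder fails to configure or build the chain
       */
      @Bean
      public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // CSRF protection is switched off for every request, as in the question.
        // NOTE(review): this chain uses form login and clears a JSESSIONID cookie
        // on logout, so it appears to be cookie-session based; with CSRF off,
        // state-changing requests are not checked for a CSRF token. Confirm this
        // is intended before copying the config.
        http.csrf(AbstractHttpConfigurer::disable);

        // Channel rule: /actuator/** must be served over plain HTTP.
        // NOTE(review): together with permitAll() below, actuator paths are
        // reachable without authentication and without TLS; what they expose
        // depends on endpoint settings not shown here. Verify.
        http.requiresChannel(c -> c.requestMatchers("/actuator/**").requiresInsecure());

        // Authorization rules: the listed paths are public, everything else
        // requires an authenticated user.
        http.authorizeHttpRequests(request -> {
                  request.requestMatchers(
                  "/api/v*/registration/**",
                  "/register*",
                  "/login",
                  "/actuator/**").permitAll();
                  request.anyRequest().authenticated();
            });

        // Form login: custom page at /login, username read from the "email"
        // parameter; 'true' forces the redirect to "/" after every successful login.
        http.formLogin(fL -> fL.loginPage("/login")
                .usernameParameter("email").permitAll()
                .defaultSuccessUrl("/", true)
                .failureUrl("/login-error"));

        // Logout: clear the authentication, invalidate the HTTP session and delete
        // the named cookies, then send the user back to /login.
        // NOTE(review): "Idea-2e8e7cee" is presumably a cookie set by a development
        // tool rather than by this application; confirm it belongs here.
        // Fix: the statement was missing its terminating semicolon.
        http.logout(logOut -> logOut.logoutUrl("/logout")
                .clearAuthentication(true)
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID","Idea-2e8e7cee")
                .logoutSuccessUrl("/login"));

        return http.build();
      }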