Getting deprecated warning or issue when extends WebSecurityConfigurerAdapter in Spring Boot. This is because WebSecurityConfigurerAdapter
is no longer recommended. The alternative for this is SecurityFilterChain class.
In this tutorial, you will learn how to remove or resolve the WebSecurityConfigurerAdapter
deprecated warning and instead implement SecurityFilterChain
in your spring boot application.

Bellow are the some warning we get while compiling the project.
Deprecated
Use a org.springframework.security.web.SecurityFilterChain Bean to configure HttpSecurity or a WebSecurityCustomizer Bean to configure WebSecurity
Note: SecurityConfig.java uses or overrides a deprecated API. Note: Recompile with -Xlint:deprecation for details.
Spring Security: Upgrading the deprecated WebSecurityConfigurerAdapter in Spring Boot 2.7.0
Bellow is the Example of WebSecurityConfig.java which i created in my Login Register Example in Spring Boot Tutorial.
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public UserDetailsService userDetailsService() { return new ShopmeUserDetailsService(); } @Bean public BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/login").permitAll() .antMatchers("/users/**", "/settings/**").hasAuthority("Admin") .hasAnyAuthority("Admin", "USER") .hasAnyAuthority("Admin", "USER") .anyRequest().authenticated() .and().formLogin() .loginPage("/login") .usernameParameter("email") .permitAll() .and() .logout().permitAll(); } @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/images/**", "/js/**", "/webjars/**"); } }
and bellow is alternative of WebSecurityConfig.java
without extending WebSecurityConfigurerAdapter
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.SecurityFilterChain; @Configuration public class SecurityConfiguration { @Bean public UserDetailsService userDetailsService() { return new ShopmeUserDetailsService(); } @Bean public BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/login").permitAll() .antMatchers("/users/**", "/settings/**").hasAuthority("Admin") .hasAnyAuthority("Admin", "USER") .hasAnyAuthority("Admin", "USER") .anyRequest().authenticated() .and().formLogin() .loginPage("/login") .usernameParameter("email") .permitAll() .and() .logout().permitAll(); return http.build(); } @Bean public WebSecurityCustomizer webSecurityCustomizer() { return (web) -> web.ignoring().antMatchers("/images/**", "/js/**", "/webjars/**"); } }
Optional Part (Incase you have implemented then): If you are using AuthenticationManger Bean.
@Bean public AuthenticationManager authenticationManager( AuthenticationConfiguration authConfig) throws Exception { return authConfig.getAuthenticationManager(); }
Optional Part (Incase you have implemented then): If you are using DaoAuthenticationProvider
Bean.
@Bean public DaoAuthenticationProvider authenticationProvider() { DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(); authProvider.setUserDetailsService(userDetailsService()); authProvider.setPasswordEncoder(passwordEncoder()); return authProvider; }
and add this authentication provider for HttpSecurity in the code of SecurityFilterChain as follows:
http.authenticationProvider(authenticationProvider());
Bellow is full file example from my Login Register for Spring Tutorial
package com.example.demo.config; import com.example.demo.service.UserServiceImpl; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; @Configuration @EnableWebSecurity public class WebSecurityConfig { @Autowired private CustomLoginSucessHandler sucessHandler; @Bean public UserDetailsService userDetailsService() { return new UserServiceImpl(); } @Bean public BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Bean public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception { return authConfig.getAuthenticationManager(); } @Bean public DaoAuthenticationProvider authenticationProvider() { DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(); authProvider.setUserDetailsService(userDetailsService()); authProvider.setPasswordEncoder(passwordEncoder()); return authProvider; } @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeRequests() // URL matching for accessibility .antMatchers("/", "/login", "/register").permitAll() .antMatchers("/admin/**").hasAnyAuthority("ADMIN") .antMatchers("/account/**").hasAnyAuthority("USER") .anyRequest().authenticated() .and() // form login .csrf().disable().formLogin() .loginPage("/login") .failureUrl("/login?error=true") .successHandler(sucessHandler) .usernameParameter("email") .passwordParameter("password") .and() // logout .logout() .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .logoutSuccessUrl("/") .and() .exceptionHandling() .accessDeniedPage("/access-denied"); http.authenticationProvider(authenticationProvider()); http.headers().frameOptions().sameOrigin(); return http.build(); } @Bean public WebSecurityCustomizer webSecurityCustomizer() { return (web) -> web.ignoring().antMatchers("/images/**", "/js/**", "/webjars/**"); } }
Find this on Github