Configure Spring Security to use SecurityFilterChain and Spring Security Lambda DSL

In the previous post, I showed you how to configure Spring Security using the WebSecurityConfigurerAdapter class. From Spring Security version 6.x onwards, Spring removed this class and recommends configuring Spring Security with a SecurityFilterChain bean and the Spring Security Lambda DSL. How does this work in detail? In this tutorial, we will find out together!

I will clone the example project in the previous post to compare the difference between the two solutions!

I will upgrade the Spring MVC and Spring Security dependencies to the latest versions as follows:

with the version properties as follows:

Now, you will see that the WebSecurityConfigurerAdapter class no longer exists:

Now we will replace it with SecurityFilterChain and Spring Security Lambda DSL!

The main class that we will work with is SpringSecurityConfiguration. I will remove all unnecessary code and only annotate this class with the @EnableWebSecurity and @Configuration annotations, as follows:

Now we will configure the authorization part to use the SecurityFilterChain class with the HttpSecurity class first.
I will declare the following:

As you can see, I use another method of the HttpSecurity class, authorizeHttpRequests(), to configure permission to access the application's request URLs. There is another overload of this method that takes no parameters and applies the default configuration that Spring Security provides, but it is now deprecated!

The parameter of the authorizeHttpRequests() method in this example is the Customizer interface defined with a generic type so that we can configure this authorization part to our liking.

The Customizer interface is a functional interface, so we can write its implementation as a Java lambda expression. Spring calls this style of configuration the Lambda DSL. In short, the Lambda DSL makes our code easier to read, and we no longer need the and() method to chain the configuration of different parts of Spring Security.

The generic type of the Customizer for this authorization is the AuthorizationManagerRequestMatcherRegistry class, which defines the request URLs and which roles are allowed to access them.

The formLogin() method also supports the Lambda DSL. It lets us configure the login page, either with Spring Security's default (the withDefaults() method) or customized to your liking. The generic type of the Customizer in this case is the FormLoginConfigurer class.

For the management of user login information in the application, you can declare a bean of the InMemoryUserDetailsManager class to add user information in memory, as follows:

To ignore security for requests to application resources, we can declare a bean of the WebSecurityCustomizer class with the following configuration example:

WebSecurityCustomizer is a functional interface with a single method, customize(). The parameter of this method is the WebSecurity class, so we can define the resources that we want to ignore!

At this point, we have finished configuring Spring Security using SecurityFilterChain and Lambda DSL.
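
For reference, the pieces described above can be combined into one configuration class. This is an added example, not the code from the original post; the `/admin/**` and `/resources/**` paths, the `ADMIN` role, the `admin` user and the `passwordEncoder` bean are assumptions.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Customizer<AuthorizationManagerRequestMatcherRegistry>: most specific rule first
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/admin/**").hasRole("ADMIN") // assumed path and role
                .anyRequest().authenticated())                   // nothing is reachable anonymously
            .formLogin(withDefaults()); // Customizer<FormLoginConfigurer>: built-in login page
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder(); // stores {bcrypt} hashes
    }

    @Bean
    public InMemoryUserDetailsManager userDetailsService(PasswordEncoder encoder) {
        UserDetails admin = User.withUsername("admin")           // constructed sample user
            .password(encoder.encode("change-me"))               // placeholder, not a real credential
            .roles("ADMIN").build();
        return new InMemoryUserDetailsManager(admin);
    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        // Ignored requests skip the whole filter chain, including security headers
        return web -> web.ignoring().requestMatchers("/resources/**"); // assumed static path
    }
}
```

Because `web.ignoring()` bypasses the filter chain entirely, Spring Security logs a warning for it and recommends `permitAll()` inside `authorizeHttpRequests()` for static resources instead.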

To make the application compile, please replace the import statements in the AppInitializer class so that they use the Jakarta EE packages instead of the Java EE ones!

Then, run the example again and you will see that everything behaves the same as in the tutorial Configure Spring Security using WebSecurityConfigurerAdapter and AbstractSecurityWebApplicationInitializer.
