refactor(spring-security): refactor spring security and spring from 5.x to 6.x with spring boot upgrade to 3.x

j-sandy · j-sandy · commit e5f7c636a416 · 2024-12-27T18:43:55.000+05:30
With spring boot upgrade, spring security also upgrades from 5.x to 6.x. As per the migration [steps](https://www.baeldung.com/spring-security-migrate-5-to-6), `WebSecurityConfigurerAdapter` has been removed. So, it is not required to be extended, instead bean can be registered. `WebMvcConfigurerAdapter` class has been deprecated in Spring 5.0 and subsequently removed from spring 6.0. So, replacing it with `WebMvcConfigurer` interface for direct implementation. https://docs.spring.io/spring-framework/docs/5.0.0.RELEASE/javadoc-api/org/springframework/web/servlet/config/annotation/WebMvcConfigurerAdapter.html
diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java
@@ -36,7 +36,7 @@
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import retrofit2.Retrofit;
@@ -92,10 +92,24 @@ AuthenticationConverter defaultAuthenticationConverter() {
     return new AuthenticatedRequestAuthenticationConverter();
   }
 
+  // Removing bean of WebSecurityConfigurerAdapter, as in spring security 6.0 it is no more
+  // required.
+  // https://github.com/spring-projects/spring-security/pull/11923
+  // https://www.baeldung.com/spring-security-migrate-5-to-6#2-websecurityconfigureradapter
   @Bean
-  FiatWebSecurityConfigurerAdapter fiatSecurityConfig(
-      FiatStatus fiatStatus, AuthenticationConverter authenticationConverter) {
-    return new FiatWebSecurityConfigurerAdapter(fiatStatus, authenticationConverter);
+  public SecurityFilterChain configure(
+      HttpSecurity http, FiatStatus fiatStatus, AuthenticationConverter authenticationConverter)
+      throws Exception {
+    return http.servletApi()
+        .and()
+        .exceptionHandling()
+        .and()
+        .anonymous()
+        .and()
+        .addFilterBefore(
+            new FiatAuthenticationFilter(fiatStatus, authenticationConverter),
+            AnonymousAuthenticationFilter.class)
+        .build();
   }
 
   @Bean
@@ -104,29 +118,4 @@ FiatAccessDeniedExceptionHandler fiatAccessDeniedExceptionHandler(
       ExceptionMessageDecorator exceptionMessageDecorator) {
     return new FiatAccessDeniedExceptionHandler(exceptionMessageDecorator);
   }
-
-  private static class FiatWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
-    private final FiatStatus fiatStatus;
-    private final AuthenticationConverter authenticationConverter;
-
-    private FiatWebSecurityConfigurerAdapter(
-        FiatStatus fiatStatus, AuthenticationConverter authenticationConverter) {
-      super(true);
-      this.fiatStatus = fiatStatus;
-      this.authenticationConverter = authenticationConverter;
-    }
-
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-      http.servletApi()
-          .and()
-          .exceptionHandling()
-          .and()
-          .anonymous()
-          .and()
-          .addFilterBefore(
-              new FiatAuthenticationFilter(fiatStatus, authenticationConverter),
-              AnonymousAuthenticationFilter.class);
-    }
-  }
 }
diff --git a/fiat-web/src/main/java/com/netflix/spinnaker/fiat/config/FiatConfig.java b/fiat-web/src/main/java/com/netflix/spinnaker/fiat/config/FiatConfig.java
@@ -40,12 +40,12 @@
 import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
 import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
 @Import({RetrofitConfig.class, PluginsAutoConfiguration.class})
 @EnableConfigurationProperties(FiatServerConfigurationProperties.class)
-public class FiatConfig extends WebMvcConfigurerAdapter {
+public class FiatConfig implements WebMvcConfigurer {
 
   @Autowired private Registry registry;
 
@@ -60,7 +60,6 @@ public void addInterceptors(InterceptorRegistry registry) {
 
   @Override
   public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
-    super.configureContentNegotiation(configurer);
     configurer.favorPathExtension(false).defaultContentType(MediaType.APPLICATION_JSON);
   }
 
