Configure WebSecurity using WebSecurityCustomizer

[eleftherias]

In Spring Security 5.4 we introduced the WebSecurityCustomizer to allow customizing WebSecurity without needing the WebSecurityConfigurerAdapter.

Any customizations to WebSecurity should be done by exposing a WebSecurityCustomizer bean.

@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
	return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
}

See #22739 (comment) for more details around removing the use of WebSecurityConfigurerAdapter.

[wilkinsona]

Thanks, @eleftherias.

As far as I can tell, all of the WebSecurityConfigurerAdapter sub-classes that we have are configuring HttpSecurity rather than WebSecurity. Am I right in thinking that those should stay as they are?

We do have one WebSecurityConfigurer implementation. Should that be migrated to a WebSecurityCustomizer?

[eleftherias]

@wilkinsona Yes, the WebSecurityConfigurer should be migrated to a WebSecurityCustomizer.

We also recommend eventually migrating all of the WebSecurityConfigurerAdapter sub-classes that we have are configuring HttpSecurity, since using the SecurityFilterChain bean will be the recommended approach to configure HttpSecurity going forward.