What's new in Spring Security 6

This article discusses the new features of Spring Security 6. If you haven't heard yet, Spring Boot 3.0 has been released, and if you include Spring Security as a dependency, you will now get Spring Security Version 6. In this blog post, we will delve into three important changes in Spring Security 6 and create a new Spring Boot 3 project together.

Prerequisites

  • Make sure you're using Java 17, as the baseline for Spring Boot 3 and Spring Security 6 is Java 17.
  • Head over to start.spring.io to create a new Spring Boot 3 project with the Spring Security dependency.

Spring Initalizr

WebSecurityConfigurerAdapter Removed

In previous versions of Spring Security, you had to extend the WebSecurityConfigurerAdapter class to configure security settings. This class has been deprecated and removed in Spring Security 6. Instead, you should now take a more component-based approach and create a bean of type SecurityFilterChain. Here's an example:

@EnableWebSecurity
@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.build();
    }
}

Authorize Http Requests

Instead of using authorizeRequests, which has been deprecated, you should now use authorizeHttpRequests. This method is part of the HttpSecurity configuration and allows you to configure fine-grained request matching for access control. Here's an example of how to use authorizeHttpRequests:

@EnableWebSecurity
@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.authorizeHttpRequests(auth -> auth
            .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
            .anyRequest().authenticated())
            .formLogin();
            .build();
    }
}

In this example, we allow access to static resources, while requiring authentication for all other requests. If the syntax looks unfamiliar, this is because it is the Lambda DSL configuration. I have also written a tutorial on this, which can be found at here.

RequestMatchers Replacing AntMatcher, MvcMatcher, and RegexMatcher

In Spring Security 6, AntMatcher, MvcMatcher, and RegexMatcher have been deprecated and replaced by requestMatchers or securityMatchers for path-based access control. This allows you to match requests based on patterns or other criteria without relying on specific matchers.

Here's an example that permits access to the /greet endpoint without authentication while requiring authentication for all other requests:

@EnableWebSecurity
@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.authorizeHttpRequests(auth -> auth
            .requestMatchers("/greet").permitAll()
            .anyRequest().authenticated())
            .formLogin()
            .build();
    }
}

Now, if you run your application and try to access the /greet endpoint, you should see that you can access it without needing to log in. However, if you try to access any other endpoint, you'll be prompted to log in.

Wrapping Up

I hope you found this overview of the important changes in Spring Security 6 helpful. Remember to go through the release notes for Spring Security 6, as there are many breaking changes and new features that you should be aware of. If you have questions about any of these changes or need help with your application, feel free to reach out.

As always, happy coding, friends!
Dan

Subscribe to my newsletter.

Sign up for my weekly newsletter and stay up to date with current blog posts.

Weekly Updates
I will send you an update each week to keep you filled in on what I have been up to.
No spam
You will not receive spam from me and I will not share your email address with anyone.