Migrating from a Deprecated authorizeRequests()

In Spring Boot 3, the authorizeRequests() method of the WebSecurityConfigurerAdapter class has been deprecated. This method was previously used to configure the authorization rules for securing web applications.

To secure your application in Spring Boot 3 using Spring Security, you should use the HttpSecurity class and its authorizeHttpRequests() method instead.

You can use the authorizeHttpRequests() method to specify which requests should be authorized and the requestMatchers() method to specify the criteria that a request must meet in order to be authorized.

You might also be interested in learning how to Migrate from the Deprecated WebSecurityConfigurerAdapter.

authorizeHttpRequests() example

Here’s an example of how you can use authorizeHttpRequests() in combination with requestMatchers():

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurity {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        http.authorizeHttpRequests()
            // Anything under /h2-console/ can be requested without authentication
            .requestMatchers(new AntPathRequestMatcher("/h2-console/**")).permitAll()
            // Every other request must come from an authenticated user
            .anyRequest().authenticated();

        // Other configuration here

        return http.build();
    }

}

This example specifies that all requests to the /h2-console URL path and any of its sub-paths should be allowed, while every other request must be authenticated. Notice how the authorizeHttpRequests() method is used with requestMatchers() instead of antMatchers().
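As an added example that is not part of the original post, here is the same kind of configuration written twice: first in the deprecated WebSecurityConfigurerAdapter style (kept in a comment so the class compiles), then in the lambda-style authorizeHttpRequests() DSL that Spring Security 6 and Spring Boot 3 expect. It goes slightly beyond the single rule above by adding a second, role-based matcher so the ordering of rules is visible. The class name and the /admin/** path are illustrative choices, not names from the tutorial.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MigratedWebSecurity {

    /*
     * BEFORE (Spring Security 5.x, inside a WebSecurityConfigurerAdapter subclass):
     *
     *   @Override
     *   protected void configure(HttpSecurity http) throws Exception {
     *       http.authorizeRequests()
     *           .antMatchers("/h2-console/**").permitAll()
     *           .antMatchers("/admin/**").hasRole("ADMIN")
     *           .anyRequest().authenticated();
     *   }
     */

    // AFTER (Spring Security 6 / Spring Boot 3): expose a SecurityFilterChain bean
    // and configure authorization through the authorizeHttpRequests(Customizer) lambda.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // Rules are evaluated top to bottom and the first matching rule wins,
                // so the most specific paths go first.
                .requestMatchers("/h2-console/**").permitAll()
                // Illustrative second rule: /admin/** requires the ADMIN role.
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Deny-by-default: anything not matched above needs an authenticated user.
                .anyRequest().authenticated());
        return http.build();
    }
}
```

Two points worth keeping in mind when migrating: requestMatchers(String...) picks the matcher type for you (an MVC-aware matcher when Spring MVC is on the classpath, an Ant-style matcher otherwise), so the explicit AntPathRequestMatcher from the tutorial's example is only needed when you want to force Ant semantics; and permitAll() only answers the authorization question, so a tool such as the H2 console, which posts forms and renders in a frame, still needs its CSRF and frame-options settings handled separately.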

Web Security Expressions

You can also configure HttpSecurity to use Web Security Expressions.

Let’s assume that we need to configure HTTP security so that a particular endpoint only accepts requests coming from a specific IP address. To do that, we can use the WebExpressionAuthorizationManager class together with the hasIpAddress() expression.

Notice how in the code example below, I use the access() method and pass it an instance of WebExpressionAuthorizationManager.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;

@Configuration
@EnableWebSecurity
public class WebSecurity {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        http.authorizeHttpRequests()
            // POST /users is only allowed when the client's address is 192.168.0.1
            .requestMatchers(HttpMethod.POST, "/users")
                .access(new WebExpressionAuthorizationManager(
                        "hasIpAddress('192.168.0.1')"))
            // The H2 console stays reachable without authentication
            .requestMatchers("/h2-console/**").permitAll();

        // Other configurations

        return http.build();
    }

}

The http.authorizeHttpRequests().requestMatchers() method is used to specify a request matcher for HTTP requests. In this case, it specifies that the matcher should match HTTP POST requests to the /users endpoint.

The access() method is used to specify the authorization rule that should be applied to requests that match the request matcher. In this case, it uses a WebExpressionAuthorizationManager to check whether the client making the request has the IP address passed to the hasIpAddress() expression. If the client has this IP address, it is authorized to make the request; otherwise, access is denied.

This code could be used to restrict access to the /users endpoint to only clients with a specific IP address, possibly as a security measure to prevent unauthorized access to the endpoint.
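The following is an added example, not code from the original post: the same IP rule expressed in the lambda-style DSL, followed by a JUnit 5 test that exercises the WebExpressionAuthorizationManager directly with a MockHttpServletRequest, so you can see the grant/deny decision without starting the whole application. The class names, the 10.0.0.0/8 range and the 203.0.113.7 address are constructed for illustration; in a real project the configuration lives under src/main and the test under src/test. It assumes spring-test and JUnit 5 on the test classpath.

```java
import java.util.function.Supplier;

import org.junit.jupiter.api.Test;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

@Configuration
@EnableWebSecurity
class IpRestrictedSecurity {

    // One constant for the rule so the test checks exactly what the filter chain uses.
    // 10.0.0.0/8 is a constructed example range; hasIpAddress() accepts CIDR notation.
    static final String CREATE_USER_RULE = "hasIpAddress('10.0.0.0/8')";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // Only clients inside the range may create users.
                .requestMatchers(HttpMethod.POST, "/users")
                    .access(new WebExpressionAuthorizationManager(CREATE_USER_RULE))
                // Everything else still requires an authenticated user.
                .anyRequest().authenticated());
        return http.build();
    }
}

class IpRestrictedSecurityTest {

    private final WebExpressionAuthorizationManager manager =
            new WebExpressionAuthorizationManager(IpRestrictedSecurity.CREATE_USER_RULE);

    // hasIpAddress() looks only at the request, but the expression root still needs
    // an Authentication to exist; an anonymous token is enough here.
    private final Supplier<Authentication> anonymous = () -> new AnonymousAuthenticationToken(
            "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

    private AuthorizationDecision decide(String remoteAddr) {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/users");
        request.setRemoteAddr(remoteAddr); // the value hasIpAddress() compares against
        return manager.check(anonymous, new RequestAuthorizationContext(request));
    }

    @Test
    void clientInsideTheRangeIsGranted() {
        assertTrue(decide("10.1.2.3").isGranted());
    }

    @Test
    void clientOutsideTheRangeIsDenied() {
        assertFalse(decide("203.0.113.7").isGranted());
    }
}
```

The test calls check(), which exists in every Spring Security 6 release (6.4 adds authorize() as the preferred replacement). One deployment caveat: hasIpAddress() compares against HttpServletRequest.getRemoteAddr(), so behind a load balancer or reverse proxy it sees the proxy's address, not the client's. The forwarded client address is only used when the servlet container or a ForwardedHeaderFilter has been configured to trust the proxy's X-Forwarded-For header, and that trust should be limited to the proxy itself, because a header that is accepted from any source can be set by the client.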

I hope this tutorial was helpful to you. To learn more, check out the Spring Boot tutorials page.