Yogesh Rao

Reputation: 415

Spring Security deprecated issue

Trying to configure JWT configuration. Seems like JWT is deprecated. How can I use OAuth2ResourceServerConfigurer::jwt now?

My code:

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
    http.sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    //http.formLogin(withDefaults());
    http.httpBasic(Customizer.withDefaults());
    http.csrf(csrf -> csrf.disable());
    http.headers(headers -> headers.frameOptions(frameOptionsConfig -> frameOptionsConfig.sameOrigin()));
    http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
    return http.build();
}

Also, in Spring Security 6.0, antMatchers() as well as other configuration methods for securing requests (namely mvcMatchers() and regexMatchers()) have been removed from the API.

Upvotes: 41

Views: 55541

Answers (6)

Jenson

Reputation: 734

On Spring Boot 3.4.2, the following worked for me.

oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder())))

with

@Bean
public JwtDecoder jwtDecoder() {
    return NimbusJwtDecoder.withJwkSetUri("https://auth-server-url/.well-known/jwks.json").build();
}

Upvotes: 0

helpper

Reputation: 2566

Just for the Kotlin devs looking in here

fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http.authorizeHttpRequests { auth ->
        auth.requestMatchers("/myendpoint/**").authenticated()
    }
    .oauth2ResourceServer { oauth2 -> oauth2.jwt(Customizer.withDefaults()) }

    return http.build()
}

Upvotes: 3

lazyInferno

Reputation: 1

I guess you are looking to configure the Customizer for the various HttpSecurity settings; you can take a cue from the code below:

    @Value("${jwksUri}")
    private String jwksUri;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Point the resource server at the JWK Set URI
        http.oauth2ResourceServer(server -> server.jwt(jwtConfigurer -> jwtConfigurer.jwkSetUri(jwksUri)));

        // Alternative: supply your own JwtDecoder (myDecoder is not defined in this snippet)
        http.oauth2ResourceServer(server -> server.jwt(jwtConfigurer -> jwtConfigurer.decoder(myDecoder)));

        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated());

        return http.build();
    }

Upvotes: 0

Subarata Talukder

Reputation: 6331

Try it like this:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Other stuff
            .oauth2ResourceServer((rs) ->
                rs.jwt((jwt) -> jwt.decoder(jwtDecoder()))
            );
        return http.build();
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // return your JwtDecoder
        throw new UnsupportedOperationException("return your JwtDecoder here");
    }

Upvotes: 0

Marcus Hert da Coregio

Reputation: 6308

In addition to @schrom's answer and more related to the deprecation of OAuth2ResourceServerConfigurer#jwt, Spring Security deprecated the methods that return its own configurer in favor of the ones that return HttpSecurity, and deprecated the .and() method from HttpSecurity.

For example, httpBasic() is deprecated in favor of httpBasic(Customizer). Those deprecations were done to have only one way to configure the security DSL, which is using lambdas. Take a look at the documentation.

So, for JWT configuration, you'd have to do:

oauth2ResourceServer((oauth2) -> oauth2
    .jwt(Customizer.withDefaults())
)

Upvotes: 59

schrom

Reputation: 1661

Spring's general advice is to migrate to Spring 5.8 first, and to 6.0 later, to have a smoother transition to the new features.

As stated in the Spring Security 5.8 documentation:

In Spring Security 5.8, the antMatchers, mvcMatchers, and regexMatchers methods were deprecated in favor of new requestMatchers methods

As far as I know, http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) should still work; it is even mentioned in the Spring Security 6.0 documentation about JWT:

Usually Spring classes have great documentation about deprecated methods, i.e. the JavaDoc often gives hints about which class or method to use instead.

Upvotes: 7
