Description
Describe the bug
Upgrading from Spring Boot 3.3.5 to 3.4.0 includes an upgrade to Spring Security 6.4, which deprecates the `authorizeRequests` block in the HTTP configuration DSL. The deprecation message suggests using `authorizeHttpRequests` instead. But `authorizeHttpRequests` is missing the `fullyAuthenticated` property.
w: file:///home/runner/work/terraware-server/terraware-server/src/main/kotlin/com/terraformation/backend/auth/SecurityConfig.kt:67:7 '@Deprecated(...) fun authorizeRequests(authorizeRequestsConfiguration: AuthorizeRequestsDsl.() -> Unit): Unit' is deprecated. Since 6.4. Use authorizeHttpRequests instead.
To Reproduce
In a Spring Boot 3.3.5 app, use a security configuration like
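```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    fun securityFilter(http: HttpSecurity): SecurityFilterChain {
        http {
            authorizeRequests {
                authorize("/api/**", fullyAuthenticated)
            }
        }
        // Build the chain so the function returns a SecurityFilterChain
        return http.build()
    }
}
```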
Upgrade to Spring Boot 3.4.0 and follow the suggestion to replace `authorizeRequests` with `authorizeHttpRequests`:
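```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    fun securityFilter(http: HttpSecurity): SecurityFilterChain {
        http {
            authorizeHttpRequests {
                // Does not compile: fullyAuthenticated is undefined in this block
                authorize("/api/**", fullyAuthenticated)
            }
        }
        return http.build()
    }
}
```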
Compilation will fail because `fullyAuthenticated` is undefined.
Expected behavior
The suggested replacement in the deprecation message should include all the functionality of the older version or there should be a migration guide describing what to use instead.
Sample
https://github.com/sgrimm/spring-security-fullyauthenticated
SecurityConfig.kt in that repo
Workaround
Define `fullyAuthenticated` in the application code:

```kotlin
val fullyAuthenticated = AuthenticatedAuthorizationManager.fullyAuthenticated<RequestAuthorizationContext>()
```