在使用Spring Security的Spring应用中避免“WebSecurityConfigurerAdapter类已被弃用”的警告。也许你习惯于使用一个扩展自WebSecurityConfigurerAdapter抽象类的Spring配置类，就像这样：

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // configure HTTP security...
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // configure Web security...
    }      
}

这在Spring Security 5.6.5及更旧版本或Spring Boot 2.6.8及更旧版本没有问题。然而，如果你的项目使用Spring Security 5.7.1及更新版本或者Spring Boot 2.7.0及更新版本，你的IDE会警告你：

类WebSecurityConfigurerAdapter已被弃用

那么，为什么Spring Security弃用了WebSecurityConfigurerAdapter？它的继任者是什么？

这是因为Spring框架的开发者鼓励用户使用基于组件的（component-based）的安全配置。

在以前的用法中，我们扩展WebSecurityConfigurerAdapter类并且覆盖配置HttpSecurity和WebSecurity的方法；在新的用法中，我们得分别声明类型为SecurityFilterChain和WebSecurityCustomizer的bean，就像下面这样：

@Configuration
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {

    }

}

下面是从旧的安全配置转向基于组件的配置的代码示例。首先，让我们看看典型的扩展自WebSecurityConfigurerAdapter的安全配置类，如下所示：

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public UserDetailsService userDetailsService() {
        return new ShopmeUserDetailsService();
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/login").permitAll()
                .antMatchers("/users/**", "/settings/**").hasAuthority("Admin")
                .hasAnyAuthority("Admin", "Editor", "Salesperson")
                .hasAnyAuthority("Admin", "Editor", "Salesperson", "Shipper")
                .anyRequest().authenticated()
                .and().formLogin()
                .loginPage("/login")
                    .usernameParameter("email")
                    .permitAll()
                .and()
                .rememberMe().key("AbcdEfghIjklmNopQrsTuvXyz_0123456789")
                .and()
                .logout().permitAll();

        http.headers().frameOptions().sameOrigin();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/images/**", "/js/**", "/webjars/**");
    }
}

下面是不使用WebSecurityConfigurerAdapter的新的安全配置：

package net.codejava;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfiguration {

    @Bean
    public UserDetailsService userDetailsService() {
        return new ShopmeUserDetailsService();
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/login").permitAll()
                .antMatchers("/users/**", "/settings/**").hasAuthority("Admin")
                .hasAnyAuthority("Admin", "Editor", "Salesperson")
                .hasAnyAuthority("Admin", "Editor", "Salesperson", "Shipper")
                .anyRequest().authenticated()
                .and().formLogin()
                .loginPage("/login")
                    .usernameParameter("email")
                    .permitAll()
                .and()
                .rememberMe().key("AbcdEfghIjklmNopQrsTuvXyz_0123456789")
                .and()
                .logout().permitAll();

        http.headers().frameOptions().sameOrigin();

        return http.build();
    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().antMatchers("/images/**", "/js/**", "/webjars/**");
    }

以上就是如何在使用的Spring Security的Spring应用中避免“类WebSecurityConfigurerAdapter已被弃用”的警告的方法。你需要声明SecurityFilterChain和WebSecurityCustomizer两个bean而不是覆盖WebSecurityConfigurerAdapter类的方法。

注意：如果你不想修改你现在的代码，那么你的的Spring Boot版本应该低于2.7.0、Spring Security版本低于5.7.1。

参考资料：Spring Security - How to Fix WebSecurityConfigurerAdapter Deprecated