Spring Security is adding an enhancement that allows configuring HTTP security by exposing a SecurityFilterChain bean.
In this case, there is no need to extend WebSecurityConfigurerAdapter.
See https://github.com/spring-projects/spring-security/issues/8804.
Currently Spring Boot applies a default security configuration when no WebSecurityConfigurerAdapter bean is present.
Going forward, it should also check if a SecurityFilterChain bean is present before applying a default security configuration.
Comment From: mbhave
@eleftherias Would you suggest updating our smoke tests and auto-configuration to use the SecurityFilterChain bean instead of extending WebSecurityConfigurerAdapter too?
Comment From: eleftherias
Yes, using the SecurityFilterChain bean will be the recommended approach going forward.
Comment From: mbhave
Spring Security still needs to make some changes for making WebSecurity work with bean style SecurityFilterChain. We use WebSecurity to configure ignored paths for the Cloud Foundry actuators. Until that's sorted we can't move to the bean style config for our own auto-configurations. We should open a separate issue for https://github.com/spring-projects/spring-boot/issues/22739#issuecomment-669545630 once that's done.