In Spring Security 5.4 we introduced the WebSecurityCustomizer to allow customizing WebSecurity without needing the WebSecurityConfigurerAdapter.
Any customizations to WebSecurity should be done by exposing a WebSecurityCustomizer bean.
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
}
See https://github.com/spring-projects/spring-boot/issues/22739#issuecomment-674236009 for more details around removing the use of WebSecurityConfigurerAdapter.
Comment From: wilkinsona
Thanks, @eleftherias.
As far as I can tell, all of the WebSecurityConfigurerAdapter sub-classes that we have are configuring HttpSecurity rather than WebSecurity. Am I right in thinking that those should stay as they are?
We do have one WebSecurityConfigurer implementation. Should that be migrated to a WebSecurityCustomizer?
Comment From: eleftherias
@wilkinsona Yes, the WebSecurityConfigurer should be migrated to a WebSecurityCustomizer.
We also recommend eventually migrating all of the WebSecurityConfigurerAdapter sub-classes that are configuring HttpSecurity, since using the SecurityFilterChain bean will be the recommended approach to configure HttpSecurity going forward.
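
The migration discussed in this thread, as an added example that is not part of the original issue or of Spring Boot's own code: one configuration class that replaces both adapter overrides with a WebSecurityCustomizer bean and a SecurityFilterChain bean. The class name, the "/public/**" path and the authorization rules are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class; paths and rules are constructed for illustration.
@Configuration
@EnableWebSecurity
public class ExampleSecurityConfiguration {

    // Adapter style being replaced, kept as a comment for comparison:
    //
    //   class LegacyConfiguration extends WebSecurityConfigurerAdapter {
    //       @Override
    //       public void configure(WebSecurity web) {
    //           web.ignoring().antMatchers("/ignore1", "/ignore2");
    //       }
    //       @Override
    //       protected void configure(HttpSecurity http) throws Exception {
    //           http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
    //       }
    //   }

    // Replaces configure(WebSecurity). Requests matching these paths skip the
    // Spring Security filter chain entirely, so no security headers are written
    // and no SecurityContext is populated for them.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
    }

    // Replaces configure(HttpSecurity). A path listed with permitAll() stays
    // inside the filter chain, unlike an ignored path, so header and CSRF
    // handling still apply to it.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((requests) -> requests
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```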