Spring Security Update javadoc of EnableWebSecurity to reflect deprecation of WebSecurityConfigurerAdapter

WebSecurityConfigurerAdapter has been deprecated in Spring Security 5.7 but the javadoc of EnableWebSecurity still encourages its use:

https://github.com/spring-projects/spring-security/blob/4caf53e96dce93f9e196e8fc8c810acb14c32bed/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java#L31-L38

Comment From: jonathanlermitage

Same thing for: - HttpSecurity: https://github.com/spring-projects/spring-security/blob/4caf53e96dce93f9e196e8fc8c810acb14c32bed/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java#L117-L128 - WebSecurityConfiguration: https://github.com/spring-projects/spring-security/blob/4caf53e96dce93f9e196e8fc8c810acb14c32bed/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java#L57 - and WebSecurity: https://github.com/spring-projects/spring-security/blob/4caf53e96dce93f9e196e8fc8c810acb14c32bed/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java#L80

Comment From: jonathanlermitage

Do you think we could suggest a sample code like this?

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
    }

    @Bean
    public AuthenticationManager authenticationManagerBean(ObjectPostProcessor<Object> objectPostProcessor) throws Exception {
        return new AuthenticationManagerBuilder(objectPostProcessor)
            .userDetailsService(...)
            .passwordEncoder(...)
            .and().build();
    }

I just migrated to Spring Boot 2.7 and Spring Security 5.7, and I had to provide an AuthenticationManager implementation since I no longer inherit from WebSecurityConfigurerAdapter (I used provided implementation super.authenticationManagerBean()).
Meanwhile, this code may be sub-optimal, I'm not sure :-D

Comment From: sjohnr

Thanks @wilkinsona!

@jonathanlermitage see this blog post for examples of migrating. It provides alternatives to accessing the AuthenticationManagerBuilder and declaring local/global AuthenticationManagers, preferring to declare @Beans instead. Would you mind opening a separate issue for your other findings?

Comment From: jonathanlermitage

@sjohnr Sure, created https://github.com/spring-projects/spring-security/issues/11288