Given that and() is stated for removal, does it mean that in the future, I cannot chain the HttpSecurity?

Spring Security Add with() method to apply Custom DSLs returning the builder

Spring Security Add with() method to apply Custom DSLs returning the builder

// not possible
@Bean
public SecurityFilterChain docsFilterChain(HttpSecurity http) throws Exception {
    return http
        .apply(CustomDSL.customDSL()) //.and() deprecated
        .build();
}

// good to go
@Bean
public SecurityFilterChain docsFilterChain(HttpSecurity http) throws Exception {
    http
        .apply(CustomDSL.customDSL());

    return http.build();
}

Comment From: jzheaux

Thanks for reaching out, @bwgjoseph, I think you make a good point that HttpSecurity#apply may not be suitable since it returns the given configurer instead of HttpSecurity. I'll reach out to the team for some thoughts and then get back to you.

Comment From: marcusdacoregio

Hi @bwgjoseph, thank you so much for the report.

After talking to @jzheaux, we decided that we want to add a new with(...) method that returns the HttpSecurity in that case. It would look something like this:

public <C extends SecurityConfigurerAdapter<O, B>> B with(C configurer) throws Exception {
    configurer.addObjectPostProcessor(this.objectPostProcessor);
    configurer.setBuilder((B) this);
    add(configurer);
    return (B) this;
}

Then you can do:

http
    .with(new CustomDsl().myMethod())
    .formLogin(Customizer.withDefaults())
    .httpBasic(Customizer.withDefaults());

I already prioritized this for 6.2. I'll update the issue's title to align better with the problem if you are okay with it.

As of now, you can create a new method inside your custom DSL that returns the builder:

static class CustomDsl extends AbstractHttpConfigurer<CustomDsl, HttpSecurity> {

    // ...

    public HttpSecurity build() {
        return getBuilder();
    }

}

// then

http
    .apply(new CustomDsl()
        .myMethod()
        .myOtherMethod()
        .build())
    .formLogin(...)
    // ...

Comment From: bwgjoseph

Thank you, this new way looks good.

I just tried what you suggested but encounter some error.

Spring Security Add with() method to apply Custom DSLs returning the builder

The method apply(C) in the type AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity> is not applicable for the arguments (HttpSecurity)

public class DummyDsl extends AbstractHttpConfigurer<DummyDsl, HttpSecurity> {
    @Override
    public void init(HttpSecurity http) throws Exception {
        http.formLogin(AbstractHttpConfigurer::disable);
    }

    public static DummyDsl dummyDsl() {
        return new DummyDsl();
    }

    public HttpSecurity build() {
        return getBuilder();
    }
}

Comment From: marcusdacoregio

What I meant is to replace .and() with that method

http.apply(new DummyDsl()).build()
  .formLogin(...)
  .build();

I realize that the name of the method might be somewhat confusing. You might call it different than build().

Comment From: bwgjoseph

Great, I think it works now.

Thanks for the great work 👏