Describe the bug
Upgrading from Spring Boot 3.3.5 to 3.4.0 includes an upgrade to Spring Security 6.4, which deprecates the authorizeRequests block in the HTTP configuration DSL. The deprecation message suggests using authorizeHttpRequests instead. But authorizeHttpRequests is missing the fullyAuthenticated property.
w: file:///home/runner/work/terraware-server/terraware-server/src/main/kotlin/com/terraformation/backend/auth/SecurityConfig.kt:67:7 '@Deprecated(...) fun authorizeRequests(authorizeRequestsConfiguration: AuthorizeRequestsDsl.() -> Unit): Unit' is deprecated. Since 6.4. Use authorizeHttpRequests instead.
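To Reproduce
In a Spring Boot 3.3.5 app, use a security configuration like

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
  @Bean
  fun securityFilter(http: HttpSecurity): SecurityFilterChain {
    http {
      authorizeRequests {
        authorize("/api/**", fullyAuthenticated)
      }
    }
    return http.build()
  }
}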
Upgrade to Spring Boot 3.4.0 and follow the suggestion to replace authorizeRequests with authorizeHttpRequests:

@Configuration
@EnableWebSecurity
class SecurityConfig {
  @Bean
  fun securityFilter(http: HttpSecurity): SecurityFilterChain {
    http {
      authorizeHttpRequests {
        // Does not compile: fullyAuthenticated is not defined in this DSL block
        authorize("/api/**", fullyAuthenticated)
      }
    }
    return http.build()
  }
}

Compilation will fail because fullyAuthenticated is undefined.
Expected behavior
The suggested replacement in the deprecation message should include all the functionality of the older version or there should be a migration guide describing what to use instead.
Sample
https://github.com/sgrimm/spring-security-fullyauthenticated
SecurityConfig.kt in that repo
Workaround
Define fullyAuthenticated in the application code:
val fullyAuthenticated = AuthenticatedAuthorizationManager.fullyAuthenticated<RequestAuthorizationContext>()
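
Added example, not part of the original issue or of the Spring Security code base: it evaluates the manager used in the workaround next to the plain `authenticated` manager, to show why replacing `fullyAuthenticated` with `authenticated` during the migration is not equivalent (the latter also accepts remember-me logins). The tokens, user name and key are constructed sample values, and the type parameter is `Any` here only to avoid building a `RequestAuthorizationContext`; it assumes Spring Security 6.4 or later on the classpath.

```kotlin
import java.util.function.Supplier
import org.springframework.security.authentication.AnonymousAuthenticationToken
import org.springframework.security.authentication.RememberMeAuthenticationToken
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.authorization.AuthenticatedAuthorizationManager
import org.springframework.security.authorization.AuthorizationManager
import org.springframework.security.core.Authentication
import org.springframework.security.core.authority.AuthorityUtils

// Constructed sample authentications, one per way a request can arrive.
val userRoles = AuthorityUtils.createAuthorityList("ROLE_USER")
val anonymousRoles = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")
val tokens: Map<String, Authentication> = linkedMapOf(
    // Interactive login in the current session.
    "form login" to UsernamePasswordAuthenticationToken.authenticated("alice", "n/a", userRoles),
    // Session restored from a remember-me cookie, no credentials presented.
    "remember-me" to RememberMeAuthenticationToken("sample-key", "alice", userRoles),
    // No login at all.
    "anonymous" to AnonymousAuthenticationToken("sample-key", "anonymousUser", anonymousRoles),
)

// Ask a manager for its decision; a null result is treated as "not granted".
fun granted(manager: AuthorizationManager<Any>, auth: Authentication): Boolean =
    manager.authorize(Supplier<Authentication> { auth }, Any())?.isGranted == true

fun main() {
    val managers = linkedMapOf(
        // What authorizeHttpRequests exposes as `authenticated`.
        "authenticated" to AuthenticatedAuthorizationManager.authenticated<Any>(),
        // What the workaround defines: rejects anonymous and remember-me tokens.
        "fullyAuthenticated" to AuthenticatedAuthorizationManager.fullyAuthenticated<Any>(),
    )
    for ((name, manager) in managers) {
        for ((kind, token) in tokens) {
            println("$name / $kind -> granted=${granted(manager, token)}")
        }
    }
}
```
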
Comment From: jzheaux
Hi, @sgrimm, thanks for the report. I think this would be a reasonable addition for the 6.5 release. Are you able to submit a PR to add fullyAuthenticated to the Kotlin DSL?
Comment From: jzheaux
Thanks, @franticticktick for the PR! Closing this in favor of #16190.