
What Replaces WebSecurityConfigurerAdapter in Spring Security 5.7? New Config Guide

Spring Security's WebSecurityConfigurerAdapter is deprecated in version 5.7, and this article explains the migration path by comparing the old and new ways to configure HttpSecurity, WebSecurity, and AuthenticationManager with practical code examples.

macrozheng

Anyone who has used WebSecurityConfigurerAdapter knows how central it is to configuring Spring Security, but the class is marked @Deprecated and will be removed in version 5.7.

The community has already closed related issues, and a detailed migration guide was published in March 2021. Below is a concise recap of the replacement approaches.

Version requirement: Spring Security 5.4.x or higher.

HttpSecurity: Old vs New

Old approach:

<code>@Configuration
static class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**")
            .authorizeRequests(authorize -> authorize
                .anyRequest().authenticated()
            );
    }
}
</code>

New approach:

<code>@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
        .antMatcher("/**")
        .authorizeRequests(authorize -> authorize
            .anyRequest().authenticated()
        )
        .build();
}
</code>

WebSecurity: Old vs New

Using WebSecurity.ignoring() to bypass certain URLs is risky because those URLs are not protected against CSRF, XSS, clickjacking, etc. The examples are for demonstration only.

Old approach:

<code>@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) {
        // demonstration only
        web.ignoring().antMatchers("/ignore1", "/ignore2");
    }
}
</code>

New approach:

<code>@Configuration
public class SecurityConfiguration {
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        // demonstration only
        return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
    }
}
</code>
If you need to ignore URLs, consider using HttpSecurity.authorizeHttpRequests with permitAll instead.
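
The recommendation above as an added example (not code from the original article or from the Spring project): the two demo paths are opened with permitAll inside the SecurityFilterChain instead of being dropped from it. It assumes Spring Security 5.5 or later in the 5.x line, where authorizeHttpRequests and antMatchers are both available; the httpBasic login is an assumption chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class SecurityConfiguration {

    // Same paths as the ignoring() demo, but they stay inside the filter chain:
    // requests to them still pass through CSRF protection and receive the
    // default security response headers. Only the authorization check is relaxed.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                // Rules are evaluated in order, so the specific matchers
                // must come before the anyRequest() catch-all.
                .antMatchers("/ignore1", "/ignore2").permitAll()
                .anyRequest().authenticated()
            )
            // Assumed login mechanism for the protected remainder of the app.
            .httpBasic(withDefaults());
        return http.build();
    }
}
```

No WebSecurityCustomizer bean is registered in this variant, so no URL is excluded from the chain.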

AuthenticationManager: Old vs New

The AuthenticationManager can be configured globally or locally.

Old approach

<code>@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication();
    }

    // Must live inside the adapter subclass: it overrides the inherited
    // method and exposes the adapter's AuthenticationManager as a bean.
    @Bean(name = "myAuthenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
</code>

New approach

Local configuration via HttpSecurity.authenticationManager:

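<code>import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class SecurityConfiguration {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                .anyRequest().authenticated()
            )
            .httpBasic(withDefaults())
            // CustomAuthenticationManager is the application's own AuthenticationManager implementation
            .authenticationManager(new CustomAuthenticationManager());
        // The bean method must return the built chain
        return http.build();
    }
}
</code>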

Global configuration no longer depends on WebSecurityConfigurerAdapter.authenticationManagerBean(); simply define an AuthenticationManager bean:

<code>@Bean
AuthenticationManager ldapAuthenticationManager(BaseLdapPathContextSource contextSource) {
    LdapBindAuthenticationManagerFactory factory = new LdapBindAuthenticationManagerFactory(contextSource);
    factory.setUserDnPatterns("uid={0},ou=people");
    factory.setUserDetailsContextMapper(new PersonContextMapper());
    return factory.createAuthenticationManager();
}
</code>

Alternatively, customize GlobalAuthenticationConfigurerAdapter and inject it into Spring IoC to modify AuthenticationManagerBuilder. Be aware of ordering issues.

Conclusion

Many technical solutions evolve gradually rather than changing abruptly; staying up‑to‑date ensures you adapt smoothly.
