What Replaces WebSecurityConfigurerAdapter in Spring Security 5.7? New Config Guide

Spring Security's WebSecurityConfigurerAdapter is deprecated in version 5.7, and this article explains the migration path by comparing the old and new ways to configure HttpSecurity, WebSecurity, and AuthenticationManager with practical code examples.

macrozheng

Anyone who has used WebSecurityConfigurerAdapter knows how central it is to configuring Spring Security, but the class is marked @Deprecated and will be removed in version 5.7.

The community has already closed related issues, and a detailed migration guide was published in March 2021. Below is a concise recap of the replacement approaches.

Version requirement: Spring Security 5.4.x or higher.

HttpSecurity: Old vs New

Old approach:

@Configuration
static class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**")
            .authorizeRequests(authorize -> authorize
                .anyRequest().authenticated()
            );
    }
}

New approach:

@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
        .antMatcher("/**")
        .authorizeRequests(authorize -> authorize
            .anyRequest().authenticated()
        )
        .build();
}

WebSecurity: Old vs New

Using WebSecurity.ignoring() to bypass certain URLs is risky: requests matching those patterns skip the Spring Security filter chain entirely, so those URLs are not protected against CSRF, XSS, clickjacking, etc. The examples below are for demonstration only.

Old approach:

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) {
        // demonstration only
        web.ignoring().antMatchers("/ignore1", "/ignore2");
    }
}

New approach:

@Configuration
public class SecurityConfiguration {
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        // demonstration only
        return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
    }
}

If you need to ignore URLs, consider using HttpSecurity.authorizeHttpRequests with permitAll instead.

AuthenticationManager: Old vs New

The AuthenticationManager can be configured globally or locally.

Old approach

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication();
    }

    // Exposes the AuthenticationManager built by the adapter as a bean.
    // It overrides an adapter method, so it must live inside the subclass.
    @Bean(name = "myAuthenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

New approach

Local configuration via HttpSecurity.authenticationManager:

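@Configuration
public class SecurityConfiguration {
    // withDefaults() is a static import of
    // org.springframework.security.config.Customizer.withDefaults
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(authz -> authz
                .anyRequest().authenticated()
            )
            .httpBasic(withDefaults())
            // CustomAuthenticationManager is the application's own implementation
            .authenticationManager(new CustomAuthenticationManager())
            .build();
    }
}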

Global configuration no longer depends on WebSecurityConfigurerAdapter.authenticationManagerBean(); simply define an AuthenticationManager bean:

@Bean
AuthenticationManager ldapAuthenticationManager(BaseLdapPathContextSource contextSource) {
    LdapBindAuthenticationManagerFactory factory = new LdapBindAuthenticationManagerFactory(contextSource);
    factory.setUserDnPatterns("uid={0},ou=people");
    factory.setUserDetailsContextMapper(new PersonContextMapper());
    return factory.createAuthenticationManager();
}

Alternatively, customize GlobalAuthenticationConfigurerAdapter and inject it into Spring IoC to modify AuthenticationManagerBuilder. Be aware of ordering issues.
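
A sketch of that alternative, carrying over the jdbcAuthentication() call from the old approach (an added example, not code from the original article or from the Spring Security project). The class name, the @Order value and the injected DataSource bean are assumptions:

```java
import javax.sql.DataSource;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Hypothetical class name. The explicit @Order (value chosen for illustration)
// fixes where this configurer runs relative to other global configurers.
@Configuration
@Order(50)
public class JdbcGlobalAuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {

    private final DataSource dataSource;

    // Assumes the application already defines a DataSource bean.
    public JdbcGlobalAuthenticationConfiguration(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        // Done in init() so the JDBC configurer is registered while the
        // builder still accepts new configurers.
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            // Stored password hashes are assumed to be bcrypt.
            .passwordEncoder(new BCryptPasswordEncoder());
    }
}
```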

Conclusion

Many technical solutions evolve gradually rather than changing abruptly; staying up‑to‑date ensures you adapt smoothly.
