spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Align Return Types of no-arg and Customizer arg Configuration Methods #13093

Open marcusdacoregio opened 1 year ago

marcusdacoregio commented 1 year ago

It is a common way to configure Spring Security like this:

http.formLogin();
http.httpBasic();

Here each configuration is on its own line. This is quite a reasonable alternative, and there are many users who prefer this way to chaining methods.

With the deprecation of .and() and the non-lambda methods (see #12629), and, therefore, the removal in 7.0, users will be forced to use:

http.formLogin(Customizer.withDefaults());
http.httpBasic(Customizer.withDefaults());

The above configuration does not give any advantage over the former. We should consider replacing the deprecated methods with a variant that returns the root builder object, for example, HttpSecurity.

public HttpSecurity httpBasic() {
    // ...
}

Some methods, like oauth2ResourceServer, maybe should not return HttpSecurity since it doesn't make sense to configure it without the additional .jwt() or .opaqueToken() methods.

Aveyder commented 1 year ago

Does it mean that instead of:

http.apply(myCustomAuthConfigurer())
    .and()
    .logout(logout -> ...)
   ...

Users will have to do:

http.apply(myCustomAuthConfigurer());
http.logout(logout -> ...)
    ...

marcusdacoregio commented 1 year ago

Hi @Aveyder, for custom DSLs you should use the new .with(...) method available in 6.2, see https://docs.spring.io/spring-security/reference/6.2-SNAPSHOT/migration-7/configuration.html#_use_with_instead_of_apply_for_custom_dsls
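
The one-statement-per-configurer style discussed in this thread, combined with `.with(...)` for a custom DSL, as an added example (not code from the Spring Security project or from the commenters). It assumes Spring Security 6.2+ on the `jakarta.servlet` API; `TaggingDsl`, its `tag(...)` option and the `X-Chain-Tag` header are hypothetical names made up for illustration.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Hypothetical custom DSL: adds a filter that tags every response with a header.
class TaggingDsl extends AbstractHttpConfigurer<TaggingDsl, HttpSecurity> {
    private String tag = "default";

    TaggingDsl tag(String tag) {
        this.tag = tag;
        return this;
    }

    @Override
    public void configure(HttpSecurity http) {
        Filter filter = (request, response, chain) -> {
            ((HttpServletResponse) response).setHeader("X-Chain-Tag", this.tag);
            chain.doFilter(request, response);
        };
        http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class);
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Each configurer on its own line; every call below returns HttpSecurity.
        http.authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated());
        http.formLogin(Customizer.withDefaults());
        http.httpBasic(Customizer.withDefaults());
        // with(...) applies the custom DSL and returns HttpSecurity, so no .and() is needed.
        http.with(new TaggingDsl(), dsl -> dsl.tag("web"));
        http.logout(logout -> logout.logoutSuccessUrl("/login?logout"));
        return http.build();
    }
}
```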