
Where is the proper place to help with the Spring Security 6 example #23

Closed
purejgleason opened this issue Feb 1, 2023 · 3 comments

@purejgleason

Since the upgrade a lot of things have changed and I finally got my authorization working with Spring Security 6. I would be willing to contribute an example but not sure where I should do that.

@jimmyjames
Contributor

Thanks @purejgleason, we do need to include guidance for Spring 6, seeing increased interest in Spring Security 6 which is great!

I'm not sure if we'll end up creating a new sample repo or just updating this one, but we will also need to update the quickstart article or create a new one. Until we do that, you could make a PR here that we could leave in draft for now, at least it would be a place for others to reference.

I'm also working through the Spring Security 6 migration myself, and I'm going to share here the steps I had to take, and maybe push a branch for reference and/or a draft PR myself. But either way, would be great to compare notes about what was needed to work with Spring Security 6.

@jimmyjames
Contributor

Ok, I think I've got it working. As noted above we will need to update or create a new quickstart, and perhaps then just make a new sample repo for Spring Boot 3, but for those looking to use Spring Boot 3 hopefully the info here will help.

Note
The WIP changes can be found on the use-spring-6 branch.

Migrating to Spring Boot 3 and Spring Security 6 (Servlet)

Step 1 - Update to latest Spring Boot 3 and Spring Security 5.8

Note
The following changes are captured in this commit.

As documented on the Spring Boot 3 Migration Guide, the first thing to do is update to the latest of Spring Boot 2 and use Spring Security 5.8. As shown in this commit, this involves updating your dependencies (Gradle shown):

plugins {
    // latest Spring Boot 2
    id 'org.springframework.boot' version '2.7.8'
}

ext['spring-security.version']='5.8.1'

After doing this, you'll notice deprecation warnings regarding the authorizeRequests and mvcMatchers usage in the SecurityConfig. We can change this to use authorizeHttpRequests and use requestMatchers:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
            .authorizeHttpRequests((authorize) -> authorize
                .requestMatchers("/api/public").permitAll()
                .requestMatchers("/api/private").authenticated()
                .requestMatchers("/api/private-scoped").hasAuthority("SCOPE_read:messages"))
            .cors().and()
            .oauth2ResourceServer((oauth2ResourceServer) ->
                // works, but not as clear:
                // oauth2ResourceServer.jwt());
                oauth2ResourceServer.jwt(jwt -> jwt.decoder(jwtDecoder())));

    return http.build();
}

The application should now compile without warnings, and running it should demonstrate the protected endpoints.

Step 2 - Update to Spring Boot 3

Note
The following changes are captured in this commit.

Now we can update to Spring Boot 3, which involves a few things:

Update to latest Gradle

Update your Gradle version to the latest of v7. If you don't do this, you may encounter errors related to building a jar when trying to run.

./gradlew wrapper --gradle-version 7.6

Update dependencies and source level

Update your dependency to use Spring Boot 3 (and make sure to remove the Spring Security version override if you followed the step above!):

plugins {
    // ...
    id 'org.springframework.boot' version '3.0.2'
}

sourceCompatibility = '17'

Add @Configuration annotation to SecurityConfig

Make sure to add the @Configuration annotation to the SecurityConfig class. Not doing this will cause the custom jwtDecoder bean to not get injected (the annotation should probably have always been there, but something in Spring Boot 3 seems to have made it required).

@EnableWebSecurity

// Needed since Spring Security 6 (or Spring Boot 3)!
@Configuration
public class SecurityConfig {
   //...
}

Run with Java 17!

If you followed the above steps, you should be able to run the sample. Note that Spring Boot 3 requires Java 17, and the application will fail to start if using a non-compatible Java runtime.

./gradlew clean bootRun

Migrating to Spring Boot 3 and Spring Security 6 (WebFlux)

Note
The required updates for this sample can be found in this commit.

Updating the WebFlux usage for Spring Boot 3 appears to be a bit simpler, requiring the following:

  • Update Spring Boot dependency to latest Spring Boot v3
  • Update to latest Gradle
  • Configure source compatibility to level 17
  • Add the @Configuration annotation to the SecurityConfig class
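
A regression check for the servlet matcher migration described in the comment above, as an added example that is not part of the thread or the sample repository: it asserts that the three rules in the SecurityFilterChain still enforce the same access after moving to authorizeHttpRequests and requestMatchers. It assumes spring-boot-starter-test and spring-security-test are on the test classpath, that the sample's controllers answer 200 on these paths, and that the custom decoder bean is of type JwtDecoder; the class name is hypothetical.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigMigrationTest { // hypothetical name, not in the sample repo

    @Autowired
    MockMvc mockMvc;

    // Assumption: stands in for the custom jwtDecoder bean so the context
    // starts without contacting the token issuer.
    @MockBean
    JwtDecoder jwtDecoder;

    @Test
    void publicEndpointNeedsNoToken() throws Exception {
        mockMvc.perform(get("/api/public")).andExpect(status().isOk());
    }

    @Test
    void protectedEndpointsRejectAnonymousRequests() throws Exception {
        mockMvc.perform(get("/api/private")).andExpect(status().isUnauthorized());
        mockMvc.perform(get("/api/private-scoped")).andExpect(status().isUnauthorized());
    }

    @Test
    void tokenWithoutRequiredScopeIsForbidden() throws Exception {
        // jwt() defaults to the authority SCOPE_read, which is not SCOPE_read:messages.
        mockMvc.perform(get("/api/private").with(jwt())).andExpect(status().isOk());
        mockMvc.perform(get("/api/private-scoped").with(jwt())).andExpect(status().isForbidden());
    }

    @Test
    void tokenWithRequiredScopeIsAllowed() throws Exception {
        mockMvc.perform(get("/api/private-scoped")
                        .with(jwt().authorities(new SimpleGrantedAuthority("SCOPE_read:messages"))))
                .andExpect(status().isOk());
    }
}
```

Running the same test class before and after each migration step shows whether a matcher change silently opened or closed an endpoint.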

@jimmyjames
Contributor

Let's move this conversation to #25 since we've had a few issues regarding this.
