Upgrading a "legacy" Spring 5 / Java 11 SPA to Spring 6 / Java 17 was a bit of a to do.
Things you may run into with Spring Security:
- WebSecurityConfigurerAdapter is gone.
- Ant matchers no longer exist. You have to set a config item to use the previous ant path matching behavior:
spring:
mvc:
pathmatch:
matching-strategy: ant_path_matcher
- CSRF requires a lot more code to get the default behavior we had before in a single page application.
.csrf(c -> c
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()))
.addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
// and CsrfCookieFilter / SpaCsrfTokenRequestHandler classes from the above SPA link
- @Component no longer registers API endpoints, you need @RestController or another annotation.