Upgrading Spring Security from 5 to 6

Upgrading a "legacy" Spring 5 / Java 11 SPA to Spring 6 / Java 17 was a bit of a to-do.

Things you may run into with Spring Security:

  1. WebSecurityConfigurerAdapter is gone.
  2. Ant matchers no longer exist. You have to set a config item to use the previous ant path matching behavior:

      spring:
        mvc:
          pathmatch:
            matching-strategy: ant_path_matcher

  3. CSRF requires a lot more code to get the default behavior we had before in a single page application.

      // inside the HttpSecurity configuration
      http
          .csrf(c -> c
              // cookie must be readable by the SPA's JavaScript
              .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
              .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()))
          .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);

      // and CsrfCookieFilter / SpaCsrfTokenRequestHandler classes from the above SPA link

  4. @Component no longer registers API endpoints; you need @RestController or another annotation.
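
The CSRF item above names CsrfCookieFilter and SpaCsrfTokenRequestHandler without showing them. The sketch below is an added example, not code from the original post; it assumes Spring Security 6 on the jakarta.servlet API and the default XSRF-TOKEN cookie written by CookieCsrfTokenRepository.

```java
import java.io.IOException;
import java.util.function.Supplier;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

// Accepts the raw cookie value when the SPA echoes it in the header; otherwise
// falls back to the XOR-masked token (BREACH protection for rendered tokens).
final class SpaCsrfTokenRequestHandler extends CsrfTokenRequestAttributeHandler {
    private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       Supplier<CsrfToken> csrfToken) {
        // Always expose the masked token as the request attribute.
        this.xor.handle(request, response, csrfToken);
    }

    @Override
    public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
        // Header present: the SPA copied the raw value from the XSRF-TOKEN cookie.
        if (StringUtils.hasText(request.getHeader(csrfToken.getHeaderName()))) {
            return super.resolveCsrfTokenValue(request, csrfToken);
        }
        // No header (e.g. a form's _csrf parameter): expect the masked value.
        return this.xor.resolveCsrfTokenValue(request, csrfToken);
    }
}

// Forces the deferred token to load on every request so the cookie is written.
final class CsrfCookieFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (token != null) {
            token.getToken(); // triggers CookieCsrfTokenRepository to emit the cookie
        }
        chain.doFilter(request, response);
    }
}
```

Without the filter, Spring Security 6 defers loading the token, so a SPA that has not yet made a state-changing request may never receive the cookie it needs to send back.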