Merge branch '2.4.x'

Closes gh-24593

spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc

@@ -2434,19 +2434,15 @@ You can switch on the valve by adding some entries to `application.properties`,
 (The presence of either of those properties switches on the valve.
 Alternatively, you can add the `RemoteIpValve` by adding a `TomcatServletWebServerFactory` bean.)
 
-To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `WebSecurityConfigurerAdapter` that adds the following `HttpSecurity` configuration:
+To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `SecurityFilterChain` bean that adds the following `HttpSecurity` configuration:
 
 [source,java,indent=0,subs="verbatim,quotes,attributes"]
 ----
-	@Configuration(proxyBeanMethods = false)
-	public class SslWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         // Customize the application security
 		http.requiresChannel().anyRequest().requiresSecure();
-		}
-
+        return http.build();
 	}
 ----
 

spring-boot-project/spring-boot-docs/src/docs/asciidoc/production-ready-features.adoc

@@ -359,16 +359,12 @@ A typical Spring Security configuration might look something like the following
 
 [source,java,indent=0]
 ----
-	@Configuration(proxyBeanMethods = false)
-	public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
                 requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
         http.httpBasic();
-		}
-
+        return http.build();
 	}
 ----
 
@@ -392,18 +388,17 @@ Additionally, if Spring Security is present, you would need to add custom securi
 
 [source,java,indent=0]
 ----
-	@Configuration(proxyBeanMethods = false)
-	public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
 				requests.anyRequest().permitAll());
-		}
-
+        return http.build();
     }
 ----
 
+NOTE: In both the examples above, the configuration applies only to the actuator endpoints.
+Since Spring Boot's security configuration backs off completely in the presence of any `SecurityFilterChain` bean, you will need to configure an additional `SecurityFilterChain` bean with rules that apply to the rest of the application.
+
 
 
 [[production-ready-endpoints-caching]]

spring-boot-project/spring-boot-docs/src/docs/asciidoc/spring-boot-features.adoc

@@ -3695,11 +3695,11 @@ You can provide a different `AuthenticationEventPublisher` by adding a bean for
 === MVC Security
 The default security configuration is implemented in `SecurityAutoConfiguration` and `UserDetailsServiceAutoConfiguration`.
 `SecurityAutoConfiguration` imports `SpringBootWebSecurityConfiguration` for web security and `UserDetailsServiceAutoConfiguration` configures authentication, which is also relevant in non-web applications.
-To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth 2 Client and Resource Server, add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
+To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, add a bean of type `SecurityFilterChain` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
 
 To also switch off the `UserDetailsService` configuration, you can add a bean of type `UserDetailsService`, `AuthenticationProvider`, or `AuthenticationManager`.
 
-Access rules can be overridden by adding a custom `WebSecurityConfigurerAdapter`.
+Access rules can be overridden by adding a custom `SecurityFilterChain` or `WebSecurityConfigurerAdapter` bean.
 Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources.
 `EndpointRequest` can be used to create a `RequestMatcher` that is based on the configprop:management.endpoints.web.base-path[] property.
 `PathRequest` can be used to create a `RequestMatcher` for resources in commonly used locations.
@@ -3800,14 +3800,12 @@ The following example shows how an OpenID Connect Provider can be configured wit
 
 By default, Spring Security's `OAuth2LoginAuthenticationFilter` only processes URLs matching `/login/oauth2/code/*`.
 If you want to customize the `redirect-uri` to use a different pattern, you need to provide configuration to process that custom pattern.
-For example, for servlet applications, you can add your own `WebSecurityConfigurerAdapter` that resembles the following:
+For example, for servlet applications, you can add your own `SecurityFilterChain` that resembles the following:
 
 [source,java,indent=0]
 ----
-public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
-
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http
             .authorizeRequests()
                 .anyRequest().authenticated()
@@ -3815,8 +3813,8 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
             .oauth2Login()
                 .redirectionEndpoint()
                     .baseUri("/custom-callback");
+        return http.build();
     }
-}
 ----