[Spring] WebSecurityConfigurerAdapter Deprecated

최근 새 스프링 부트 프로젝트를 생성하여 기존과 같이 spring security config를 작성하였는데 WebSecurityConfigurerAdapter가 Deprecated 되었다는 경고메시지를 보고 이를 해결해봤다.

공식 문서를 확인해보니 HttpSecurity는 SecurityFilterChain를, WebSecurity는 WebSecurityCustomizer를 Bean으로 등록하여 사용하라고 되어있다.

공식문서를 참고하여 기존에 작성했던 SecurityConfig 다시 작성해봤다.

기존

@RequiredArgsConstructor
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final JwtTokenUtil jwtTokenUtil;
    private final CustomOAuth2UserService customOAuth2UserService;
    private final OAuth2AuthenticationSuccessHandler oAuth2AuthenticationSuccessHandler;

    @Override
    public void configure(WebSecurity web) throws Exception  {
        web.ignoring()
          .antMatchers("/css/**",
          "/js/**",
          "/image/**",
          "/fonts/**",
          "/lib/**",
          "/h2-console/**");
    }
    
    @Override
    public void filterChain(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .cors()
                .and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                    .authorizeRequests()
                    .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
                    .antMatchers("/", "/api/v1/meals").permitAll()
                    .antMatchers("/api/v1/**").hasRole(Role.USER.getKey())
                    .anyRequest().authenticated()
                .and()
                    .oauth2Login()
                    .successHandler(oAuth2AuthenticationSuccessHandler)
                    .userInfoEndpoint().userService(customOAuth2UserService);

        http.addFilterBefore(new JwtAuthFilter(jwtTokenUtil), UsernamePasswordAuthenticationFilter.class);
    }
}

변경

@RequiredArgsConstructor
@EnableWebSecurity
public class SecurityConfig {

    private final JwtTokenUtil jwtTokenUtil;
    private final CustomOAuth2UserService customOAuth2UserService;
    private final OAuth2AuthenticationSuccessHandler oAuth2AuthenticationSuccessHandler;

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring()
                .antMatchers("/css/**",
                        "/js/**",
                        "/image/**",
                        "/fonts/**",
                        "/lib/**",
                        "/h2-console/**");
    }
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .cors()
                .and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                    .authorizeRequests()
                    .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
                    .antMatchers("/", "/api/v1/meals").permitAll()
                    .antMatchers("/api/v1/**").hasRole(Role.USER.getKey())
                    .anyRequest().authenticated()
                .and()
                    .oauth2Login()
                    .successHandler(oAuth2AuthenticationSuccessHandler)
                    .userInfoEndpoint().userService(customOAuth2UserService);

        http.addFilterBefore(new JwtAuthFilter(jwtTokenUtil), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}

참고자료

• https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html
• https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
• https://www.baeldung.com/spring-deprecated-websecurityconfigureradapter