apache · ilgrosso · Apr 24, 2023 · Apr 24, 2023
diff --git a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SecurityConfig.java b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SecurityConfig.java
@@ -22,8 +22,10 @@
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -38,13 +40,13 @@ public class SecurityConfig {
     @Bean
     public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
         EndpointRequest.EndpointRequestMatcher actuatorEndpoints = EndpointRequest.toAnyEndpoint();
-
-        http.csrf().disable().
-                authorizeHttpRequests().
+        http.authorizeHttpRequests(customizer -> customizer.
                 requestMatchers(new NegatedRequestMatcher(actuatorEndpoints)).permitAll().
-                requestMatchers(actuatorEndpoints).authenticated().
-                and().
-                httpBasic();
+                requestMatchers(actuatorEndpoints).authenticated());
+
+        http.httpBasic(Customizer.withDefaults());
+        http.csrf(AbstractHttpConfigurer::disable);
+
         return http.build();
     }
 

diff --git a/client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/SecurityConfig.java b/client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/SecurityConfig.java
@@ -22,8 +22,10 @@
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -38,13 +40,13 @@ public class SecurityConfig {
     @Bean
     public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
         EndpointRequest.EndpointRequestMatcher actuatorEndpoints = EndpointRequest.toAnyEndpoint();
-
-        http.csrf().disable().
-                authorizeHttpRequests().
+        http.authorizeHttpRequests(customizer -> customizer.
                 requestMatchers(new NegatedRequestMatcher(actuatorEndpoints)).permitAll().
-                requestMatchers(actuatorEndpoints).authenticated().
-                and().
-                httpBasic();
+                requestMatchers(actuatorEndpoints).authenticated());
+
+        http.httpBasic(Customizer.withDefaults());
+        http.csrf(AbstractHttpConfigurer::disable);
+
         return http.build();
     }
 

diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java b/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java
@@ -42,14 +42,13 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
-import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.context.NullSecurityContextRepository;
 import org.springframework.security.web.firewall.DefaultHttpFirewall;
 import org.springframework.security.web.firewall.HttpFirewall;
 
@@ -76,6 +75,7 @@ public WebSecurityCustomizer webSecurityCustomizer(final HttpFirewall allowUrlEn
     public SecurityFilterChain filterChain(
             final HttpSecurity http,
             final UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProvider,
+            final AccessDeniedHandler accessDeniedHandler,
             final AuthDataAccessor authDataAccessor,
             final DefaultCredentialChecker defaultCredentialChecker,
             final SecurityProperties securityProperties) throws Exception {
@@ -84,6 +84,7 @@ public SecurityFilterChain filterChain(
                 parentAuthenticationManager(null).
                 authenticationProvider(usernamePasswordAuthenticationProvider).
                 build();
+        http.authenticationManager(authenticationManager);
 
         SyncopeAuthenticationDetailsSource authenticationDetailsSource =
                 new SyncopeAuthenticationDetailsSource();
@@ -96,35 +97,34 @@ public SecurityFilterChain filterChain(
                         securityProperties.getAnonymousUser(),
                         AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
         anonymousAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
+        http.anonymous(customizer -> customizer.
+                authenticationProvider(anonymousAuthenticationProvider).
+                authenticationFilter(anonymousAuthenticationFilter));
 
         SyncopeBasicAuthenticationEntryPoint basicAuthenticationEntryPoint =
                 new SyncopeBasicAuthenticationEntryPoint();
         basicAuthenticationEntryPoint.setRealmName("Apache Syncope authentication");
+        http.httpBasic(customizer -> customizer.
+                authenticationEntryPoint(basicAuthenticationEntryPoint).
+                authenticationDetailsSource(authenticationDetailsSource));
 
         JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter(
                 authenticationManager,
                 basicAuthenticationEntryPoint,
                 authenticationDetailsSource,
                 authDataAccessor,
                 defaultCredentialChecker);
+        http.addFilterBefore(jwtAuthenticationFilter, BasicAuthenticationFilter.class);
 
         MustChangePasswordFilter mustChangePasswordFilter = new MustChangePasswordFilter();
-
-        http.authenticationManager(authenticationManager).
-                authorizeHttpRequests().
-                requestMatchers("/**").permitAll().and().
-                sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
-                securityContext().securityContextRepository(new NullSecurityContextRepository()).and().
-                anonymous().
-                authenticationProvider(anonymousAuthenticationProvider).
-                authenticationFilter(anonymousAuthenticationFilter).and().
-                httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint).
-                authenticationDetailsSource(authenticationDetailsSource).and().
-                exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and().
-                addFilterBefore(jwtAuthenticationFilter, BasicAuthenticationFilter.class).
-                addFilterBefore(mustChangePasswordFilter, AuthorizationFilter.class).
-                headers().disable().
-                csrf().disable();
+        http.addFilterBefore(mustChangePasswordFilter, AuthorizationFilter.class);
+
+        http.authorizeHttpRequests(customizer -> customizer.requestMatchers("/**").permitAll());
+        http.securityContext(AbstractHttpConfigurer::disable);
+        http.sessionManagement(AbstractHttpConfigurer::disable);
+        http.headers(AbstractHttpConfigurer::disable);
+        http.csrf(AbstractHttpConfigurer::disable);
+        http.exceptionHandling(customizer -> customizer.accessDeniedHandler(accessDeniedHandler));
 
         return http.build();
     }

diff --git a/sra/src/main/java/org/apache/syncope/sra/SecurityConfig.java b/sra/src/main/java/org/apache/syncope/sra/SecurityConfig.java
@@ -54,6 +54,7 @@
 import org.springframework.core.io.FileUrlResource;
 import org.springframework.core.io.support.ResourcePatternResolver;
 import org.springframework.http.HttpMethod;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
@@ -88,21 +89,30 @@ public class SecurityConfig {
     public SecurityWebFilterChain saml2SecurityFilterChain(final ServerHttpSecurity http) {
         ServerWebExchangeMatcher metadataMatcher =
                 ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, SAML2MetadataEndpoint.METADATA_URL);
-        return http.securityMatcher(metadataMatcher).
-                authorizeExchange().anyExchange().permitAll().
-                and().csrf().requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(metadataMatcher)).
-                and().build();
+        http.securityMatcher(metadataMatcher);
+
+        http.authorizeExchange(customizer -> customizer.anyExchange().permitAll());
+
+        http.csrf(customizer -> customizer.
+                requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(metadataMatcher)));
+
+        return http.build();
     }
 
     @Bean
     @Order(1)
     public SecurityWebFilterChain actuatorSecurityFilterChain(final ServerHttpSecurity http) {
         ServerWebExchangeMatcher actuatorMatcher = EndpointRequest.toAnyEndpoint();
-        return http.securityMatcher(actuatorMatcher).
-                authorizeExchange().anyExchange().authenticated().
-                and().httpBasic().
-                and().csrf().requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(actuatorMatcher)).
-                and().build();
+        http.securityMatcher(actuatorMatcher);
+
+        http.authorizeExchange(customizer -> customizer.anyExchange().authenticated());
+
+        http.httpBasic(Customizer.withDefaults());
+
+        http.csrf(customizer -> customizer.
+                requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(actuatorMatcher)));
+
+        return http.build();
     }
 
     @Bean
@@ -298,21 +308,22 @@ public SecurityWebFilterChain routesSecurityFilterChain(
             final CsrfRouteMatcher csrfRouteMatcher,
             final ConfigurableApplicationContext ctx) {
 
-        ServerHttpSecurity.AuthorizeExchangeSpec builder = http.authorizeExchange().
+        http.authorizeExchange(customizer -> customizer.
                 matchers(publicRouteMatcher).permitAll().
-                anyExchange().authenticated();
+                anyExchange().authenticated());
 
         switch (props.getAmType()) {
             case OIDC, OAUTH2 -> {
                 OAuth2SecurityConfigUtils.forLogin(http, props.getAmType(), ctx);
-                OAuth2SecurityConfigUtils.forLogout(builder, props.getAmType(), cacheManager, logoutRouteMatcher, ctx);
-                http.oauth2ResourceServer().jwt().jwtDecoder(ctx.getBean(ReactiveJwtDecoder.class));
+                OAuth2SecurityConfigUtils.forLogout(http, props.getAmType(), cacheManager, logoutRouteMatcher, ctx);
+                http.oauth2ResourceServer(customizer -> customizer.jwt(
+                        c -> c.jwtDecoder(ctx.getBean(ReactiveJwtDecoder.class))));
             }
 
             case SAML2 ->
                 saml2Client.ifAvailable(client -> {
                     SAML2SecurityConfigUtils.forLogin(http, client, publicRouteMatcher);
-                    SAML2SecurityConfigUtils.forLogout(builder, client, cacheManager, logoutRouteMatcher, ctx);
+                    SAML2SecurityConfigUtils.forLogout(http, client, cacheManager, logoutRouteMatcher, ctx);
                 });
 
             case CAS -> {
@@ -322,7 +333,7 @@ public SecurityWebFilterChain routesSecurityFilterChain(
                         props.getCas().getServerPrefix(),
                         publicRouteMatcher);
                 CASSecurityConfigUtils.forLogout(
-                        builder,
+                        http,
                         cacheManager,
                         props.getCas().getServerPrefix(),
                         logoutRouteMatcher,
@@ -333,6 +344,7 @@ public SecurityWebFilterChain routesSecurityFilterChain(
             }
         }
 
-        return builder.and().csrf().requireCsrfProtectionMatcher(csrfRouteMatcher).and().build();
+        http.csrf(customizer -> customizer.requireCsrfProtectionMatcher(csrfRouteMatcher));
+        return http.build();
     }
 }
diff --git a/sra/src/main/java/org/apache/syncope/sra/security/cas/CASSecurityConfigUtils.java b/sra/src/main/java/org/apache/syncope/sra/security/cas/CASSecurityConfigUtils.java
@@ -67,7 +67,7 @@ public static void forLogin(
     }
 
     public static void forLogout(
-            final ServerHttpSecurity.AuthorizeExchangeSpec builder,
+            final ServerHttpSecurity http,
             final CacheManager cacheManager,
             final String casServerUrlPrefix,
             final LogoutRouteMatcher logoutRouteMatcher,
@@ -87,7 +87,7 @@ public static void forLogout(
             LOG.error("While creating instance of {}", CASServerLogoutSuccessHandler.class.getName(), e);
         }
 
-        builder.and().addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
+        http.addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
     }
 
     private CASSecurityConfigUtils() {

diff --git a/sra/src/main/java/org/apache/syncope/sra/security/oauth2/OAuth2SecurityConfigUtils.java b/sra/src/main/java/org/apache/syncope/sra/security/oauth2/OAuth2SecurityConfigUtils.java
@@ -107,11 +107,12 @@ public static void forLogin(
         htmlMatcher.setIgnoredMediaTypes(Set.of(MediaType.ALL));
         ServerAuthenticationEntryPoint entrypoint =
                 new RedirectServerAuthenticationEntryPoint("/oauth2/authorization/" + amType.name());
-        http.exceptionHandling().authenticationEntryPoint(new DelegateEntry(htmlMatcher, entrypoint).getEntryPoint());
+        http.exceptionHandling(customizer -> customizer.authenticationEntryPoint(
+                new DelegateEntry(htmlMatcher, entrypoint).getEntryPoint()));
     }
 
     public static void forLogout(
-            final ServerHttpSecurity.AuthorizeExchangeSpec builder,
+            final ServerHttpSecurity http,
             final SRAProperties.AMType amType,
             final CacheManager cacheManager,
             final LogoutRouteMatcher logoutRouteMatcher,
@@ -134,7 +135,8 @@ public static void forLogout(
             }
         }
 
-        builder.and().logout().disable().addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
+        http.logout(customizer -> customizer.disable());
+        http.addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
     }
 
     private OAuth2SecurityConfigUtils() {

diff --git a/sra/src/main/java/org/apache/syncope/sra/security/saml2/SAML2SecurityConfigUtils.java b/sra/src/main/java/org/apache/syncope/sra/security/saml2/SAML2SecurityConfigUtils.java
@@ -66,7 +66,7 @@ public static void forLogin(
     }
 
     public static void forLogout(
-            final ServerHttpSecurity.AuthorizeExchangeSpec builder,
+            final ServerHttpSecurity http,
             final SAML2Client saml2Client,
             final CacheManager cacheManager,
             final LogoutRouteMatcher logoutRouteMatcher,
@@ -85,12 +85,12 @@ public static void forLogout(
 
             SAML2LogoutResponseWebFilter logoutResponseWebFilter =
                     new SAML2LogoutResponseWebFilter(saml2Client, logoutSuccessHandler);
-            builder.and().addFilterAt(logoutResponseWebFilter, SecurityWebFiltersOrder.LOGOUT);
+            http.addFilterAt(logoutResponseWebFilter, SecurityWebFiltersOrder.LOGOUT);
         } catch (ClassNotFoundException e) {
             LOG.error("While creating instance of {}", SAML2ServerLogoutSuccessHandler.class.getName(), e);
         }
 
-        builder.and().addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
+        http.addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
     }
 
     private SAML2SecurityConfigUtils() {