
Default security configuration shows warnings #13868

Closed
Artur- opened this issue May 26, 2022 · 4 comments

Comments

@Artur-
Member

Artur- commented May 26, 2022

Description of the bug

When I start a 23.1 rc1 application I see

2022-05-26 14:40:04.103  WARN 67506 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Or [Ant [pattern='/favicon.ico'], Ant [pattern='/manifest.webmanifest'], Ant [pattern='/sw.js'], Ant [pattern='/sw-runtime-resources-precache.js'], Ant [pattern='/offline.html'], Ant [pattern='/offline-stub.html'], Ant [pattern='/icons/icon.png'], Ant [pattern='/themes/**'], Ant [pattern='/icons/icon-144x144.png'], Ant [pattern='/icons/icon-192x192.png'], Ant [pattern='/icons/icon-512x512.png'], Ant [pattern='/icons/icon-16x16.png'], Ant [pattern='/icons/icon-32x32.png'], Ant [pattern='/icons/icon-96x96.png'], Ant [pattern='/icons/icon-180x180.png'], Ant [pattern='/icons/icon-1125x2436.png'], Ant [pattern='/icons/icon-750x1334.png'], Ant [pattern='/icons/icon-1242x2208.png'], Ant [pattern='/icons/icon-640x1136.png']]. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2022-05-26 14:40:04.103  INFO 67506 --- [  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Will not secure Or [Ant [pattern='/favicon.ico'], Ant [pattern='/manifest.webmanifest'], Ant [pattern='/sw.js'], Ant [pattern='/sw-runtime-resources-precache.js'], Ant [pattern='/offline.html'], Ant [pattern='/offline-stub.html'], Ant [pattern='/icons/icon.png'], Ant [pattern='/themes/**'], Ant [pattern='/icons/icon-144x144.png'], Ant [pattern='/icons/icon-192x192.png'], Ant [pattern='/icons/icon-512x512.png'], Ant [pattern='/icons/icon-16x16.png'], Ant [pattern='/icons/icon-32x32.png'], Ant [pattern='/icons/icon-96x96.png'], Ant [pattern='/icons/icon-180x180.png'], Ant [pattern='/icons/icon-1125x2436.png'], Ant [pattern='/icons/icon-750x1334.png'], Ant [pattern='/icons/icon-1242x2208.png'], Ant [pattern='/icons/icon-640x1136.png']]
2022-05-26 14:40:04.103  WARN 67506 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/images/*.png']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.

Expected behavior

The default configuration shows no warnings

Minimal reproducible example

npx @vaadin/cli init --pre --auth test-auth
cd test-auth
mvn

Versions

Vaadin: 23.1.0.rc1
Flow: 23.1.0.rc2
Java: Homebrew 17.0.1
OS: aarch64 Mac OS X 12.3.1
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36

@MarcinVaadin
Member

MarcinVaadin commented Aug 12, 2022

Starter app should be updated after merging #14303

MarcinVaadin added a commit that referenced this issue Aug 12, 2022
…izer to SecurityFilterChain

Changed approach of registering public resources (from ignoring to permitAll).

Fixes: #13868
@mcollovati
Collaborator

Creating an application with --latest (currently 23.2.3), I can now see only a single warning:

2022-10-06 17:08:53.082  WARN 80941 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/images/*.png']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.

It originates from SecurityConfiguration.configure(WebSecurity web) in the generated project:

    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        // web.ignoring() takes the matched paths out of the Spring Security filter chain
        // altogether, which is what the WARN line above objects to
        web.ignoring().antMatchers("/images/*.png");
    }

@Artur-
Member Author

Artur- commented Oct 6, 2022

What should it be replaced with?

@mcollovati
Collaborator

mcollovati commented Oct 6, 2022

It should be moved into configure(HttpSecurity http), before the call to super.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Register the public resource before super.configure(http), which adds the
        // catch-all rule; Spring Security evaluates these matchers in registration order
        http.authorizeRequests().antMatchers("/images/*.png").permitAll();
        super.configure(http);
        setLoginView(http, LoginView.class, LOGOUT_URL);
    }

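For reference, here is a complete SecurityConfiguration class that applies the change discussed in this thread. This is an added example, not code from the Vaadin starter or from any participant here; it assumes a Vaadin 23 Flow project using the VaadinWebSecurityConfigurerAdapter base class, an existing LoginView route in the package shown, and the "/images/*.png" path from the issue. The difference between the two approaches is security-relevant: web.ignoring() bypasses the whole Spring Security filter chain for the matched paths (no security headers, no session or CSRF handling, nothing logged by the chain), whereas permitAll still routes the request through the chain and only skips the authorization check.

```java
package com.example.application.security; // assumed package

import com.example.application.views.login.LoginView; // assumed login route of the project
import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

/**
 * Security configuration for a Vaadin 23 application whose public static
 * images live under /images/*.png.
 *
 * Public resources are registered with permitAll() on HttpSecurity instead of
 * web.ignoring() on WebSecurity, which is what the Spring Security WARN line
 * in the issue asks for.
 */
@EnableWebSecurity
public class SecurityConfiguration extends VaadinWebSecurityConfigurerAdapter {

    /** Where the user lands after logout (assumed value). */
    public static final String LOGOUT_URL = "/";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Public resources first. Spring Security evaluates authorizeRequests()
        // matchers in registration order, and the Vaadin base class ends its
        // own configuration with a catch-all rule that requires authentication,
        // so a permitAll registered after super.configure(http) would never win.
        http.authorizeRequests()
                .antMatchers("/images/*.png").permitAll();

        // Vaadin's defaults: internal framework requests, anonymous routes,
        // CSRF handling for Vaadin requests, and the authenticated() catch-all.
        super.configure(http);

        // Redirect unauthenticated users to the Flow login view.
        setLoginView(http, LoginView.class, LOGOUT_URL);
    }

    // Intentionally NOT overridden:
    //
    //     @Override
    //     public void configure(WebSecurity web) throws Exception {
    //         super.configure(web);
    //         web.ignoring().antMatchers("/images/*.png");
    //     }
    //
    // web.ignoring() removes the matched paths from the security filter chain
    // entirely: responses for them get no security headers and the requests
    // are invisible to every filter in the chain. That is why Spring Security
    // logs "This is not recommended" and why the rule above belongs in
    // configure(HttpSecurity) instead.
}
```

After this change the only remaining difference for /images/*.png requests is that they now pass through the Spring Security filter chain; the chain still answers 200 for them because the permitAll rule matches before the authenticated() catch-all, and the WebSecurity warning from the issue is no longer logged at startup.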