Migrating from Deprecated autorizeRequests()

In Spring Boot 3, the authorizeRequests() method of the WebSecurityConfigurerAdapter class has been deprecated. This method was previously used to configure the authorization rules for securing web applications.

To secure your application in Spring Boot 3, you should use the HttpSecurity class and its authorizeHttpRequests() method instead.

authorizeHttpRequests() example

Here’s an example of how you can use HttpSecurity in your application:

@Configuration
@EnableWebSecurity
public class WebSecurity {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        http.authorizeHttpRequests()
        .requestMatchers("/h2-console/**").permitAll()
        .anyRequest().authenticated()

         // Other configuration here
        
         return http.build();
    }
    
}

This example specifies that all requests to a /h2-console URL path and all its sub-sources should be allowed.  Notice how the authorizeHttpRequests() method is used with requestMatchers() instead of antMatchers()?

I hope this tutorial was helpful to you. To learn more, check out the Spring Boot tutorials page.