Fix Customizer.withDefaults() for authorizeHttpRequests #14344
Description
For Spring Boot 3.1.6 with Spring Security where the respective version used behind the scene is 6.1.5
Consider the following code:
@Configuration
@Profile("security")
@EnableWebSecurity(debug=true)
class SecurityConfig {
...
@Bean
SecurityFilterChain filterChain(HttpSecurity http,
@Qualifier("inspectorFilter") Filter filter) throws Exception {
http.authorizeHttpRequests(Customizer.withDefaults())
.formLogin(Customizer.withDefaults())
.addFilterBefore(filter, AnonymousAuthenticationFilter.class);
return http.build();
}
}
Observe the authorizeHttpRequests and formLogin methods use Customizer.withDefaults() when the app starts well, it does not start but fails with the following error message:
[ main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt:
org.springframework.beans.factory.UnsatisfiedDependencyException:
Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
Unsatisfied dependency expressed through method 'setFilterChains' parameter 0:
Error creating bean with name 'filterChain' defined in class path resource [com/manuel/jordan/config/SecurityConfig.class]:
Failed to instantiate [org.springframework.security.web.SecurityFilterChain]:
Factory method 'filterChain' threw exception with message:
At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())
...
org.springframework.beans.factory.UnsatisfiedDependencyException:
Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
Unsatisfied dependency expressed through method 'setFilterChains' parameter 0:
Error creating bean with name 'filterChain' defined in class path resource [com/manuel/jordan/config/SecurityConfig.class]:
Failed to instantiate [org.springframework.security.web.SecurityFilterChain]:
Factory method 'filterChain' threw exception with message:
At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())
at
...
Caused by: org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'filterChain' defined in class path resource [com/manuel/jordan/config/SecurityConfig.class]:
Failed to instantiate [org.springframework.security.web.SecurityFilterChain]:
Factory method 'filterChain' threw exception with message:
At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())
at
...
Caused by: org.springframework.beans.BeanInstantiationException:
Failed to instantiate [org.springframework.security.web.SecurityFilterChain]:
Factory method 'filterChain' threw exception with message:
At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())
at
...
Caused by: java.lang.IllegalStateException: At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())
at
The solution is change:
- from
http.authorizeHttpRequests(Customizer.withDefaults()) - to
http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
It as indicated in the error stack trace.
I am not sure if it is expected, but if not - Fix Customizer.withDefaults() for authorizeHttpRequests
Thanks for your understanding
- Manuel