Merge branch '2.6.x' into 2.7.x

Closes gh-31354

spring-boot-project/spring-boot-docs/src/docs/asciidoc/data/sql.adoc

@@ -337,7 +337,7 @@ More information on {spring-security-docs}/features/exploits/csrf.html[CSRF] and
 
 In simple setups, a `SecurityFilterChain` like the following can be used:
 
-include::code:DevProfileSecurityConfiguration[]
+include::code:DevProfileSecurityConfiguration[tag=!customizer]
 
 WARNING: The H2 console is only intended for use during development.
 In production, disabling CSRF protection or allowing frames for a website may create severe security risks.

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/actuator/endpoints/security/exposeall/MySecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,8 +27,8 @@ public class MySecurityConfiguration {
 
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		http.requestMatcher(EndpointRequest.toAnyEndpoint())
+		http.requestMatcher(EndpointRequest.toAnyEndpoint());
-				.authorizeRequests((requests) -> requests.anyRequest().permitAll());
+		http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
 		return http.build();
 	}
 

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/actuator/endpoints/security/typical/MySecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,14 +22,16 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
 
+import static org.springframework.security.config.Customizer.withDefaults;
+
 @Configuration(proxyBeanMethods = false)
 public class MySecurityConfiguration {
 
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		http.requestMatcher(EndpointRequest.toAnyEndpoint())
+		http.requestMatcher(EndpointRequest.toAnyEndpoint());
-				.authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+		http.authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
-		http.httpBasic();
+		http.httpBasic(withDefaults());
 		return http.build();
 	}
 

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java

@@ -22,6 +22,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
 
@@ -32,13 +33,18 @@ public class DevProfileSecurityConfiguration {
 	@Bean
 	@Order(Ordered.HIGHEST_PRECEDENCE)
 	SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
-		// @formatter:off
+		http.requestMatcher(PathRequest.toH2Console());
-		return http.requestMatcher(PathRequest.toH2Console())
+		http.authorizeRequests(yourCustomAuthorization());
-				// ... configuration for authorization
+		http.csrf((csrf) -> csrf.disable());
-				.csrf().disable()
+		http.headers((headers) -> headers.frameOptions().sameOrigin());
-				.headers().frameOptions().sameOrigin().and()
+		return http.build();
-				.build();
-		// @formatter:on
 	}
 
+	// tag::customizer[]
+	<T> Customizer<T> yourCustomAuthorization() {
+		return (t) -> {
+		};
+	}
+	// end::customizer[]
+
 }

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/howto/security/enablehttps/MySecurityConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,7 +27,7 @@ public class MySecurityConfig {
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// Customize the application security ...
-		http.requiresChannel().anyRequest().requiresSecure();
+		http.requiresChannel((channel) -> channel.anyRequest().requiresSecure());
 		return http.build();
 	}
 

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/howto/testing/slicetests/MyConfiguration.java

@@ -30,7 +30,7 @@ public class MyConfiguration {
 
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		http.authorizeRequests().anyRequest().authenticated();
+		http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
 		return http.build();
 	}
 

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/howto/testing/slicetests/MySecurityConfiguration.java

@@ -26,7 +26,7 @@ public class MySecurityConfiguration {
 
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		http.authorizeRequests().anyRequest().authenticated();
+		http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
 		return http.build();
 	}
 

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/oauth2/client/MyOAuthClientConfiguration.java

@@ -26,8 +26,8 @@ public class MyOAuthClientConfiguration {
 
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		http.authorizeRequests().anyRequest().authenticated();
+		http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
-		http.oauth2Login().redirectionEndpoint().baseUri("custom-callback");
+		http.oauth2Login((login) -> login.redirectionEndpoint().baseUri("custom-callback"));
 		return http.build();
 	}
 

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/springwebflux/MyWebFluxSecurityConfiguration.java

@@ -22,16 +22,18 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 
+import static org.springframework.security.config.Customizer.withDefaults;
+
 @Configuration(proxyBeanMethods = false)
 public class MyWebFluxSecurityConfiguration {
 
 	@Bean
 	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
-		http.authorizeExchange((spec) -> {
+		http.authorizeExchange((exchange) -> {
-			spec.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
+			exchange.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
-			spec.pathMatchers("/foo", "/bar").authenticated();
+			exchange.pathMatchers("/foo", "/bar").authenticated();
 		});
-		http.formLogin();
+		http.formLogin(withDefaults());
 		return http.build();
 	}
 

spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.kt

@@ -16,12 +16,12 @@
 
 package org.springframework.boot.docs.data.sql.h2webconsole.springsecurity
 
-import org.springframework.boot.autoconfigure.security.servlet.PathRequest
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.context.annotation.Profile
 import org.springframework.core.Ordered
 import org.springframework.core.annotation.Order
+import org.springframework.security.config.Customizer
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.web.SecurityFilterChain
 
@@ -32,10 +32,16 @@ class DevProfileSecurityConfiguration {
 	@Bean
 	@Order(Ordered.HIGHEST_PRECEDENCE)
 	fun h2ConsoleSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
-		return http.requestMatcher(PathRequest.toH2Console())
+		return http.authorizeHttpRequests(yourCustomAuthorization())
 			.csrf().disable()
 			.headers().frameOptions().sameOrigin().and()
 			.build()
 	}
 
+	// tag::customizer[]
+	private fun <T> yourCustomAuthorization(): Customizer<T> {
+		return Customizer.withDefaults<T>()
+	}
+	// end::customizer[]
+
 }