If you’ve been working with Spring Security for a while, it should come as no surprise that from time to time they deprecate the old and guide you towards the new. In 5.7.x, one such change involves the often-used WebSecurityConfigurerAdapter.

In Spring Security 5.7.0-M2 we deprecated the WebSecurityConfigurerAdapter, as we encourage users to move towards a component-based security configuration.

And while there are blog posts, release notes, and even an instruction video to highlight the required changes, in the end you will have to change your code. What all those sources have so far failed to cover is that there’s now also an easier way to migrate your code: using OpenRewrite.

With OpenRewrite you can apply migration recipes to your projects, to manipulate your source code. We’ve covered migration to JUnit 5 & Spring Boot 2.x on this blog before. This time we will look at the recently added migration of WebSecurityConfigurerAdapter.

Overview of required changes

First we’ll outline the changes made in two typical migrations.

HttpSecurity to SecurityFilterChain

If you were overriding void configure(HttpSecurity http), you should return a SecurityFilterChain bean instead.

Listing 1. HttpSecurity to SecurityFilterChain diff
diff --git a/src/main/java/com/github/timtebeek/HttpSecurityConfiguration.java b/src/main/java/com/github/timtebeek/HttpSecurityConfiguration.java
index e3cd441..fc8a4a8 100644
--- a/src/main/java/com/github/timtebeek/HttpSecurityConfiguration.java
+++ b/src/main/java/com/github/timtebeek/HttpSecurityConfiguration.java
@@ -1,19 +1,21 @@
 package com.github.timtebeek;

+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;

 import static org.springframework.security.config.Customizer.withDefaults;

-class HttpSecurityConfiguration extends WebSecurityConfigurerAdapter {
+class HttpSecurityConfiguration {

-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
+  @Bean
+  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
       .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
+    return http.build();
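
Review bot: In filterChain, the .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated()) line has no receiver in the lines shown, while return http.build(); is added as a separate statement. Make sure the rule is applied to the same http instance before build() is called, with the call chain terminated directly above the return; otherwise the returned chain would not carry the anyRequest().authenticated() rule. The class also imports Configuration, but no @Configuration is visible on class HttpSecurityConfiguration, so confirm the class is still registered now that it declares a @Bean method.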


WebSecurity to WebSecurityCustomizer

If you were overriding void configure(WebSecurity web), you should return a WebSecurityCustomizer bean instead.

Listing 2. WebSecurity to WebSecurityCustomizer diff
diff --git a/src/main/java/com/github/timtebeek/WebSecurityConfiguration.java b/src/main/java/com/github/timtebeek/WebSecurityConfiguration.java
index b76dd45..807da37 100644
--- a/src/main/java/com/github/timtebeek/WebSecurityConfiguration.java
+++ b/src/main/java/com/github/timtebeek/WebSecurityConfiguration.java
@@ -1,15 +1,18 @@
 package com.github.timtebeek;

+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;

-class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+class WebSecurityConfiguration {

-  @Override
-  public void configure(WebSecurity web) {
-     web.ignoring().antMatchers("/ignore1", "/ignore2");
+  @Bean
+  WebSecurityCustomizer webSecurityCustomizer() {
+    return (web) -> {
+      web.ignoring().antMatchers("/ignore1", "/ignore2");
+    };
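
Review bot: web.ignoring().antMatchers("/ignore1", "/ignore2") inside the new webSecurityCustomizer() bean is carried over unchanged, so these two paths still bypass the security filter chain entirely, which means no security headers and no CSRF protection on them. Unless they serve only static resources, express them as permitAll() rules in the SecurityFilterChain bean instead and drop the customizer. If the customizer stays, the block lambda can be shortened to an expression lambda.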


Running OpenRewrite

Now that the migration goals have been clearly established, all we need to do is invoke OpenRewrite with the respective arguments. Run the command below in your Maven project root.

Listing 3. WebSecurityConfigurerAdapter migration recipe command
mvn org.openrewrite.maven:rewrite-maven-plugin:4.33.0:run \
  -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-spring:4.26.0 \

Or if you’re using Gradle, have a look at the Gradle usage instructions.

Once run, you should see changes applied to your WebSecurityConfigurerAdapter Java class, taking you from the deprecated interface to the new component-based security configuration.
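
To confirm that the recipe reached every configuration class, you can audit the source tree afterwards. The script below is an added example, not part of the original post or of OpenRewrite; its function names, finding labels and sample files are constructed. It reports classes that still extend the adapter, ignoring() rules that were carried over, and SecurityFilterChain bean methods in files that never call build().

```shell
# Added example: post-migration audit of a Java source tree (POSIX sh).
# Function names, finding labels and sample files are constructed.

# Print one finding per line for every .java file under $1.
audit_security_config() {
  find "$1" -type f -name '*.java' | sort | while IFS= read -r f; do
    # The recipe left this class untouched: it still extends the adapter.
    if grep -Eq 'extends[[:space:]]+WebSecurityConfigurerAdapter' "$f"; then
      echo "LEFTOVER $f"
    fi
    # ignoring() rules carried over by the migration skip the filter chain.
    grep -n 'ignoring()' "$f" | while IFS=: read -r n rest; do
      echo "IGNORING $f:$n"
    done
    # A SecurityFilterChain bean method has to return http.build().
    if grep -q 'SecurityFilterChain[[:space:]]' "$f" && ! grep -q '\.build()' "$f"; then
      echo "NO_BUILD $f"
    fi
  done
}

# Exit status 0 only when no class still extends the deprecated adapter.
migration_complete() {
  ! audit_security_config "$1" | grep '^LEFTOVER ' >/dev/null
}

# Constructed sample tree: one migrated class, one the recipe has not reached.
make_sample_tree() {
  mkdir -p "$1"
  cat > "$1/WebSecurityConfiguration.java" <<'EOF'
class WebSecurityConfiguration {
  @Bean
  WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> {
      web.ignoring().antMatchers("/ignore1", "/ignore2");
    };
  }
}
EOF
  cat > "$1/LegacyConfiguration.java" <<'EOF'
class LegacyConfiguration extends WebSecurityConfigurerAdapter {
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated());
  }
}
EOF
}
```

Source the script and run audit_security_config src/main/java in the project root; migration_complete can then gate a CI step on its exit status.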


While deprecations can be a burden on developers, sometimes they are essential for frameworks to evolve. Applying OpenRewrite makes it easy to stay up to date with recent developments, whether that’s in Spring Security, or other supported frameworks.

Consider taking part in our Choose Your Own Adventure with Spring Security workshop at JDriven, if you would like to learn more about using or updating Spring Security.