Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs

Closes gh-10003

Author: eleftherias

docs/modules/ROOT/pages/servlet/authentication/logout.adoc

@@ -6,7 +6,7 @@ This section covers how to customize the handling of logouts.
 [[logout-java-configuration]]
 == Logout Java/Kotlin Configuration
 
-When using the `{security-api-url}org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html[WebSecurityConfigurerAdapter]`, logout capabilities are automatically applied.
+When using the `{security-api-url}org/springframework/security/config/annotation/web/builders/HttpSecurity.html[HttpSecurity]` bean, logout capabilities are automatically applied.
 The default is that accessing the URL `/logout` logs the user out by:
 
 - Invalidating the HTTP Session
@@ -21,7 +21,7 @@ Similar to configuring login capabilities, however, you also have various option
 .Java
 [source,java,role="primary"]
 ----
-protected void configure(HttpSecurity http) throws Exception {
+public SecurityFilterChain filterChain(HttpSecurity http) {
     http
         .logout(logout -> logout                                                // <1>
             .logoutUrl("/my/logout")                                            // <2>
@@ -38,7 +38,7 @@ protected void configure(HttpSecurity http) throws Exception {
 .Kotlin
 [source,kotlin,role="secondary"]
 -----
-override fun configure(http: HttpSecurity) {
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
     http {
         logout {
             logoutUrl = "/my/logout"                              // <1>
@@ -49,12 +49,12 @@ override fun configure(http: HttpSecurity) {
             deleteCookies(cookieNamesToClear)                     // <6>
         }
     }
+    // ...
 }
 -----
 ====
 
 <1> Provides logout support.
-This is automatically applied when using `WebSecurityConfigurerAdapter`.
 <2> The URL that triggers log out to occur (the default is `/logout`).
 If CSRF protection is enabled (the default), the request must also be a POST.
 For more information, see {security-api-url}org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.html#logoutUrl-java.lang.String-[`logoutUrl(java.lang.String logoutUrl)`].

docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc

@@ -64,10 +64,12 @@ The following example shows a minimal, explicit configuration:
 [source,java,role="primary"]
 .Java
 ----
-protected void configure(HttpSecurity http) {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) {
 	http
 		// ...
 		.httpBasic(withDefaults());
+	return http.build();
 }
 ----
 
@@ -83,11 +85,13 @@ protected void configure(HttpSecurity http) {
 [source,kotlin,role="secondary"]
 .Kotlin
 ----
-fun configure(http: HttpSecurity) {
+@Bean
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 	http {
 		// ...
 		httpBasic { }
 	}
+	return http.build()
 }
 ----
 ====

docs/modules/ROOT/pages/servlet/authentication/passwords/digest.adoc

@@ -1,4 +1,4 @@
-[[servlet-authentication-digest]]
+**[[**servlet-authentication-digest]]
 = Digest Authentication
 
 This section provides details on how Spring Security provides support for https://tools.ietf.org/html/rfc2617[Digest Authentication], which is provided `DigestAuthenticationFilter`.
@@ -58,11 +58,13 @@ DigestAuthenticationFilter digestAuthenticationFilter() {
 	result.setAuthenticationEntryPoint(entryPoint());
 }
 
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	http
 		// ...
 		.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint()))
 		.addFilterBefore(digestFilter());
+	return http.build();
 }
 ----
 

docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc

@@ -71,10 +71,10 @@ The following example shows a minimal, explicit Java configuration:
 .Java
 [source,java,role="primary"]
 ----
-protected void configure(HttpSecurity http) {
+public SecurityFilterChain filterChain(HttpSecurity http) {
 	http
-		// ...
 		.formLogin(withDefaults());
+	// ...
 }
 ----
 
@@ -90,11 +90,11 @@ protected void configure(HttpSecurity http) {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
-fun configure(http: HttpSecurity) {
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 	http {
-		// ...
 		formLogin { }
 	}
+	// ...
 }
 ----
 ====
@@ -110,13 +110,13 @@ The following configuration demonstrates how to provide a custom login form.
 .Java
 [source,java,role="primary"]
 ----
-protected void configure(HttpSecurity http) throws Exception {
+public SecurityFilterChain filterChain(HttpSecurity http) {
 	http
-		// ...
 		.formLogin(form -> form
 			.loginPage("/login")
 			.permitAll()
 		);
+	// ...
 }
 ----
 
@@ -133,14 +133,14 @@ protected void configure(HttpSecurity http) throws Exception {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
-fun configure(http: HttpSecurity) {
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 	http {
-		// ...
 		formLogin {
 			loginPage = "/login"
 			permitAll()
 		}
 	}
+	// ...
 }
 ----
 ====

docs/modules/ROOT/pages/servlet/authentication/session-management.adoc

@@ -11,12 +11,13 @@ To do so, configure the `session-management` element:
 .Java
 [source,java,role="primary"]
 ----
-@Override
-protected void configure(HttpSecurity http) throws Exception{
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) {
     http
         .sessionManagement(session -> session
             .invalidSessionUrl("/invalidSession.htm")
         );
+    return http.build();
 }
 ----
 
@@ -38,12 +39,13 @@ You may be able to explicitly delete the `JSESSIONID` cookie on logging out -- f
 .Java
 [source,java,role="primary"]
 ----
-@Override
-protected void configure(HttpSecurity http) throws Exception{
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) {
     http
         .logout(logout -> logout
             .deleteCookies("JSESSIONID")
         );
+    return http.build();
 }
 ----
 
@@ -107,12 +109,13 @@ Then add the following lines to your application context:
 .Java
 [source,java,role="primary"]
 ----
-@Override
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) {
     http
         .sessionManagement(session -> session
             .maximumSessions(1)
         );
+    return http.build();
 }
 ----
 
@@ -135,13 +138,14 @@ Often, you would prefer to prevent a second login. In that case, you can use:
 .Java
 [source,java,role="primary"]
 ----
-@Override
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) {
     http
         .sessionManagement(session -> session
             .maximumSessions(1)
             .maxSessionsPreventsLogin(true)
         );
+    return http.build();
 }
 ----
 

docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc

@@ -37,12 +37,14 @@ The following listing shows the explicit configuration:
 .Java
 [source,java,role="primary"]
 ----
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	http
 		// ...
 		.authorizeRequests(authorize -> authorize
 			.anyRequest().authenticated()
 		);
+	return http.build();
 }
 ----
 
@@ -58,13 +60,15 @@ protected void configure(HttpSecurity http) throws Exception {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
-fun configure(http: HttpSecurity) {
+@Bean
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
     http {
         // ...
         authorizeRequests {
             authorize(anyRequest, authenticated)
         }
     }
+    return http.build()
 }
 ----
 ====
@@ -76,7 +80,8 @@ We can configure Spring Security to have different rules by adding more rules in
 .Java
 [source,java,role="primary"]
 ----
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	http
 		// ...
 		.authorizeRequests(authorize -> authorize                                  // <1>
@@ -85,6 +90,7 @@ protected void configure(HttpSecurity http) throws Exception {
 			.mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")   // <4>
 			.anyRequest().denyAll()                                                // <5>
 		);
+	return http.build();
 }
 ----
 
@@ -107,7 +113,8 @@ protected void configure(HttpSecurity http) throws Exception {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
-fun configure(http: HttpSecurity) {
+@Bean
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http {
         authorizeRequests { // <1>
             authorize("/resources/**", permitAll) // <2>
@@ -119,6 +126,7 @@ fun configure(http: HttpSecurity) {
             authorize(anyRequest, denyAll) // <5>
         }
     }
+    return http.build()
 }
 ----
 <1> There are multiple authorization rules specified.