
org.openrewrite.java.security.spring.CsrfProtection generates deprecated WebSecurityConfigurerAdapter #119

Open
philippe-granet opened this issue Dec 24, 2023 · 2 comments
Labels: bug (Something isn't working)

@philippe-granet

When using the org.openrewrite.java.security:OwaspTopTen recipe, it calls the org.openrewrite.java.security.spring.CsrfProtection recipe, which uses the deprecated WebSecurityConfigurerAdapter Spring class.
When -Werror is activated on the Java compiler, it breaks the build.

[WARNING] /builds/src/main/java/.../SecurityConfig.java:[9,30] org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter in org.springframework.security.config.annotation.web.configuration has been deprecated
...
[ERROR] COMPILATION ERROR : 
[ERROR] /builds/src/main/java/.../SecurityConfig.java: warnings found and -Werror specified

Documentation for migration: https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter/

In Spring Security 5.7.0-M2 we deprecated the WebSecurityConfigurerAdapter, as we encourage users to move towards a component-based security configuration.

@philippe-granet philippe-granet added the bug Something isn't working label Dec 24, 2023
@timtebeek (Contributor)

Hi @philippe-granet thanks for reporting your concern! Am I correct in deducing that you ran OwaspTopTen, which ran CsrfProtection, which generated a fully new SecurityConfig class that uses the outdated WebSecurityConfigurerAdapter?
Did it at least correctly fix the security issue in your case?

It seems like GenerateWebSecurityConfigurerAdapter indeed predates the deprecation by about half a year. We do separately have a recipe to move you away from WebSecurityConfigurerAdapter: https://docs.openrewrite.org/recipes/java/spring/security5/websecurityconfigureradapter

The way I see it now we have a couple of options.

  1. Change the OwaspA10 recipeList use of CsrfProtection to add onlyIfSecurityConfig = true.
    This would for the moment at least stop it from adding outdated classes, but would likely lead to applications without any security config not getting patched.

    type: specs.openrewrite.org/v1beta/recipe
    name: org.openrewrite.java.security.OwaspA10
    displayName: Remediate OWASP A10:2021 Server-side request forgery (SSRF)
    description: >
      OWASP [A10:2021](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/) Server-Side Request Forgery (SSRF)
    recipeList:
      - org.openrewrite.java.security.spring.CsrfProtection

  2. Follow up any use of GenerateWebSecurityConfigurerAdapter with org.openrewrite.java.spring.security5.WebSecurityConfigurerAdapter to upgrade the generated class to the newer version.
    Some care would be needed to ensure we are at least on Spring Security 5.7+, or the configuration would not be picked up.

  3. Alter GenerateWebSecurityConfigurerAdapter to look for and correctly insert either WebSecurityConfigurerAdapter or a SecurityConfiguration that does not extend WebSecurityConfigurerAdapter.

All of those issues would require some work. Which would suit your particular situation best?

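The two shapes of security configuration this thread contrasts, as an added example that is not the output of CsrfProtection nor any OpenRewrite project code: the WebSecurityConfigurerAdapter form that trips -Werror on Spring Security 5.7+, and the component-based SecurityFilterChain form that the linked migration guide and options 2 and 3 above point to. The package name, class names and the cookie-based CSRF token repository are assumptions chosen for illustration; the two classes are alternatives and must not both be active in one application context.

```java
// Added example, not code generated by the CsrfProtection recipe (assumption:
// Spring Security 5.7+ on the classpath; package and class names are placeholders).
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// BEFORE: the pattern the issue reports. On Spring Security 5.7+ the superclass is
// @Deprecated, so javac emits a deprecation warning here; with -Werror that warning
// is the "warnings found and -Werror specified" failure shown in the report.
@Configuration
@EnableWebSecurity
class LegacySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection with a cookie-backed token repository (one of several
        // possible choices; which repository the recipe emits is not stated on the page).
        http.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
    }
}

// AFTER: the component-based equivalent the migration guide describes. The same
// HttpSecurity DSL is used, but the result is exposed as a SecurityFilterChain bean
// instead of being inherited from a deprecated adapter, so -Werror no longer fires.
@Configuration
@EnableWebSecurity
class ComponentSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }
}
```

Only one of the two classes should exist in a given project: Spring Security 5.7+ rejects a context that registers both a WebSecurityConfigurerAdapter and a SecurityFilterChain bean, which is also why option 2 above needs the version check before applying the upgrade recipe.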
@timtebeek timtebeek moved this to Backlog in OpenRewrite Dec 24, 2023
@timtebeek timtebeek changed the title org.openrewrite.java.security.spring.CsrfProtection - Deprecated WebSecurityConfigurerAdapter org.openrewrite.java.security.spring.CsrfProtection generates deprecated WebSecurityConfigurerAdapter Dec 24, 2023
@philippe-granet (Author)

Thanks for your reply, solutions 2 or 3 suit me.

@timtebeek timtebeek self-assigned this Jan 2, 2024