Expected Behavior
The documentation for ServerHttpSecurity should showcase the modern, non-deprecated Lambda DSL style for configuring SecurityWebFilterChain. This is the current best practice and provides a future-proof example for users.
The code example should look like this:
import org.springframework.security.config.Customizer;
// ...
@Bean
public SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(authorize -> authorize.anyExchange().authenticated())
.httpBasic(Customizer.withDefaults())
.formLogin(Customizer.withDefaults());
return http.build();
}
Current Behavior
The documentation currently displays an example using the older, builder-style configuration. This uses several methods that were formally deprecated in Spring Security 6.1, including .authorizeExchange(), .and(), .httpBasic(), and .formLogin().
This is the code currently shown in the documentation:
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.anyExchange().authenticated()
.and()
.httpBasic().and()
.formLogin();
return http.build();
}
Context
As a developer learning how to configure WebFlux security, I used the official documentation as my primary guide. When I implemented the provided example, my IDE immediately flagged all the chained methods as deprecated.
This can be confusing for new users, as it creates uncertainty about whether they are following the correct and most current best practices. The only workaround is to have prior knowledge of the Lambda DSL and to know that the documentation is out of sync with the API's current state.
Updating this example would provide a clearer, more modern learning path for developers and ensure the documentation accurately reflects the recommended approach for configuring Spring Security.
I am happy to submit a pull request to update the relevant documentation file.