UpgradeSpringBoot_3_2 changes the security config in the wrong way
What version of OpenRewrite are you using?
I am using the IntelliJ IDEA OpenRewrite feature, so I guess it's the latest version? It didn't print the version :(
How are you running OpenRewrite?
With this recipe only:
org.openrewrite.java.spring.boot3.UpgradeSpringBoot_3_2
What is the smallest, simplest way to reproduce the problem?
http.httpBasic().disable();
http.csrf().disable();
http.cors();
http.requestMatchers()
    .antMatchers(
        "/api-XXX/",
        "/api-XXX/**"
    )
    .and()
    .authorizeRequests()
    .anyRequest()
    .authenticated();
What did you expect to see?
Something like this:
http.httpBasic(AbstractHttpConfigurer::disable);
http.csrf(AbstractHttpConfigurer::disable);
http.cors(withDefaults());
http.securityMatchers(matchers -> matchers
    .requestMatchers(
        "/api-xxx/",
        "/api-xxx/**"
    )
);
return http.build();
What did you see instead?
http.httpBasic(withDefaults());
http.csrf(withDefaults());
http.cors(withDefaults());
http.requestMatchers(matchers -> matchers
    .authorizeRequests(requests -> requests
        .anyRequest()
        .authenticated()));
return http.build();
It changes httpBasic and csrf to the defaults, and this code is not even runnable.
What is the full stack trace of any errors you encountered?
N/A. But here is the log related to this issue:
Changes have been made to src\main\java\com\XXXX\config\SecurityConfig.java by:
org.openrewrite.java.spring.boot3.UpgradeSpringBoot_3_2
org.openrewrite.java.spring.boot3.UpgradeSpringBoot_3_1
org.openrewrite.java.spring.boot3.UpgradeSpringBoot_3_0
org.openrewrite.java.spring.boot2.UpgradeSpringBoot_2_7
org.openrewrite.java.spring.security5.UpgradeSpringSecurity_5_7
org.openrewrite.java.spring.security5.WebSecurityConfigurerAdapter
org.openrewrite.java.spring.security6.UpgradeSpringSecurity_6_0
org.openrewrite.java.spring.security5.UpgradeSpringSecurity_5_8
org.openrewrite.java.spring.security5.AuthorizeHttpRequests
org.openrewrite.java.spring.security5.UseNewRequestMatchers
org.openrewrite.java.spring.security6.UpgradeSpringSecurity_6_1
org.openrewrite.java.spring.security6.UpgradeSpringSecurity_6_0
org.openrewrite.java.spring.security5.UpgradeSpringSecurity_5_8
org.openrewrite.java.spring.security5.UseNewRequestMatchers
org.openrewrite.java.spring.boot2.HttpSecurityLambdaDsl
org.openrewrite.java.spring.security6.UpgradeSpringSecurity_6_2
org.openrewrite.java.spring.security6.UpgradeSpringSecurity_6_1
org.openrewrite.java.spring.security6.UpgradeSpringSecurity_6_0
org.openrewrite.java.spring.security5.UpgradeSpringSecurity_5_8
org.openrewrite.java.spring.security5.UseNewRequestMatchers
org.openrewrite.java.spring.boot2.HttpSecurityLambdaDsl
Are you interested in contributing a fix to OpenRewrite?
Sure, let me know what I can do.
Hi @abccbaandy; logging which recipes made changes is really helpful, and thanks for the offer to help explore a fix! I think the best way to start working towards a fix would be with unit tests similar to this one: https://github.com/openrewrite/rewrite-spring/blob/4ecc3f224e54723132720da0d2b2484717c82576/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HttpSecurityLambdaDslTest.java#L131-L165
That test case already covers the csrf change that above does not end up disabled; so we'd need to work out which other factors play in here, such as perhaps a combination of statements to migrate, or a number of different recipes affecting the same statements.
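Added example, not part of the original issue or of OpenRewrite: a textual guard that compares a security config before and after an automated migration and reports every configurer that was explicitly disabled and no longer is, which is the regression reported above. The function names are hypothetical, the regexes are a heuristic rather than a Java parser, and the snippets are the ones from the report with whitespace condensed.

```python
import re

# Legacy chained style: http.csrf().disable()
LEGACY_DISABLE = re.compile(r"\b(\w+)\(\)\s*\.disable\(\)")
# Lambda DSL style: csrf(AbstractHttpConfigurer::disable) or csrf(c -> c.disable())
LAMBDA_DISABLE = re.compile(
    r"\b(\w+)\(\s*(?:AbstractHttpConfigurer::disable|\w+\s*->\s*\w+\.disable\(\))\s*\)")
# Lambda DSL style that leaves the feature enabled: csrf(withDefaults())
LAMBDA_DEFAULTS = re.compile(r"\b(\w+)\(\s*(?:Customizer\.)?withDefaults\(\)\s*\)")

def disabled_configurers(source):
    """Names of HttpSecurity configurers that the source explicitly disables."""
    return set(LEGACY_DISABLE.findall(source)) | set(LAMBDA_DISABLE.findall(source))

def disable_regressions(before, after):
    """Map each configurer disabled in `before` but not in `after` to what replaced it."""
    lost = disabled_configurers(before) - disabled_configurers(after)
    defaults = set(LAMBDA_DEFAULTS.findall(after))
    return {name: ("withDefaults" if name in defaults else "missing")
            for name in sorted(lost)}

# Snippets taken from the report above (whitespace condensed).
BEFORE = """
http.httpBasic().disable();
http.csrf().disable();
http.cors();
http.requestMatchers().antMatchers("/api-XXX/", "/api-XXX/**")
    .and().authorizeRequests().anyRequest().authenticated();
"""
AFTER_SEEN = """
http.httpBasic(withDefaults());
http.csrf(withDefaults());
http.cors(withDefaults());
http.requestMatchers(matchers -> matchers
    .authorizeRequests(requests -> requests.anyRequest().authenticated()));
"""
AFTER_EXPECTED = """
http.httpBasic(AbstractHttpConfigurer::disable);
http.csrf(AbstractHttpConfigurer::disable);
http.cors(withDefaults());
http.securityMatchers(matchers -> matchers.requestMatchers("/api-xxx/", "/api-xxx/**"));
"""

if __name__ == "__main__":
    for label, after in (("seen", AFTER_SEEN), ("expected", AFTER_EXPECTED)):
        print(label, disable_regressions(BEFORE, after))
```

A non-empty result means the migration changed which protections are active, so the diff needs manual review before it is merged.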