spring-projects
diff --git a/‎docs/modules/ROOT/pages/servlet/authentication/logout.adoc
Lines changed: 4 additions & 4 deletions b/‎docs/modules/ROOT/pages/servlet/authentication/logout.adoc
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc
Lines changed: 6 additions & 2 deletions b/‎docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc
Lines changed: 6 additions & 2 deletions
diff --git a/‎docs/modules/ROOT/pages/servlet/authentication/passwords/digest.adoc
Lines changed: 4 additions & 2 deletions b/‎docs/modules/ROOT/pages/servlet/authentication/passwords/digest.adoc
Lines changed: 4 additions & 2 deletions
diff --git a/‎docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc
Lines changed: 8 additions & 8 deletions b/‎docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc
Lines changed: 8 additions & 8 deletions
diff --git a/‎docs/modules/ROOT/pages/servlet/authentication/session-management.adoc
Lines changed: 12 additions & 8 deletions b/‎docs/modules/ROOT/pages/servlet/authentication/session-management.adoc
Lines changed: 12 additions & 8 deletions
diff --git a/‎docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc
Lines changed: 12 additions & 4 deletions b/‎docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc
Lines changed: 12 additions & 4 deletions
@@ -4,7 +4,7 @@
 [[logout-java-configuration]]
 == Logout Java/Kotlin Configuration
 
-When using the `{security-api-url}org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html[WebSecurityConfigurerAdapter]`, logout capabilities are automatically applied.
+When injecting the `{security-api-url}org/springframework/security/config/annotation/web/builders/HttpSecurity.html[HttpSecurity]` bean, logout capabilities are automatically applied.
 The default is that accessing the URL `/logout` will log the user out by:
 
 - Invalidating the HTTP Session
@@ -19,7 +19,7 @@ Similar to configuring login capabilities, however, you also have various option
 .Java
 [source,java,role="primary"]
 ----
-protected void configure(HttpSecurity http) throws Exception {
+public SecurityFilterChain filterChain(HttpSecurity http) {
     http
         .logout(logout -> logout                                                // <1>
             .logoutUrl("/my/logout")                                            // <2>
@@ -36,7 +36,7 @@ protected void configure(HttpSecurity http) throws Exception {
 .Kotlin
 [source,kotlin,role="secondary"]
 -----
-override fun configure(http: HttpSecurity) {
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
     http {
         logout {
             logoutUrl = "/my/logout"                              // <1>
@@ -47,12 +47,12 @@ override fun configure(http: HttpSecurity) {
             deleteCookies(cookieNamesToClear)                     // <6>
         }
     }
+    // ...
 }
 -----
 ====
 
 <1> Provides logout support.
-This is automatically applied when using `WebSecurityConfigurerAdapter`.
 <2> The URL that triggers log out to occur (default is `/logout`).
 If CSRF protection is enabled (default), then the request must also be a POST.
 For more information, please consult the {security-api-url}org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.html#logoutUrl-java.lang.String-[Javadoc].
 
@@ -62,10 +62,12 @@ A minimal, explicit configuration can be found below:
 [source,java,role="primary"]
 .Java
 ----
-protected void configure(HttpSecurity http) {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) {
 	http
 		// ...
 		.httpBasic(withDefaults());
+	return http.build();
 }
 ----
 
@@ -81,11 +83,13 @@ protected void configure(HttpSecurity http) {
 [source,kotlin,role="secondary"]
 .Kotlin
 ----
-fun configure(http: HttpSecurity) {
+@Bean
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 	http {
 		// ...
 		httpBasic { }
 	}
+	return http.build()
 }
 ----
 ====
@@ -1,4 +1,4 @@
-[[servlet-authentication-digest]]
+**[[**servlet-authentication-digest]]
 = Digest Authentication
 
 This section provides details on how Spring Security provides support for https://tools.ietf.org/html/rfc2617[Digest Authentication] which is provided `DigestAuthenticationFilter`.
@@ -57,11 +57,13 @@ DigestAuthenticationFilter digestAuthenticationFilter() {
 	result.setAuthenticationEntryPoint(entryPoint());
 }
 
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	http
 		// ...
 		.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint()))
 		.addFilterBefore(digestFilter());
+	return http.build();
 }
 ----
 
 
@@ -71,10 +71,10 @@ A minimal, explicit Java configuration can be found below:
 .Java
 [source,java,role="primary"]
 ----
-protected void configure(HttpSecurity http) {
+public SecurityFilterChain filterChain(HttpSecurity http) {
 	http
-		// ...
 		.formLogin(withDefaults());
+	// ...
 }
 ----
 
@@ -90,11 +90,11 @@ protected void configure(HttpSecurity http) {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
-fun configure(http: HttpSecurity) {
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 	http {
-		// ...
 		formLogin { }
 	}
+	// ...
 }
 ----
 ====
@@ -110,13 +110,13 @@ The configuration below demonstrates how to provide a custom log in form.
 .Java
 [source,java,role="primary"]
 ----
-protected void configure(HttpSecurity http) throws Exception {
+public SecurityFilterChain filterChain(HttpSecurity http) {
 	http
-		// ...
 		.formLogin(form -> form
 			.loginPage("/login")
 			.permitAll()
 		);
+	// ...
 }
 ----
 
@@ -133,14 +133,14 @@ protected void configure(HttpSecurity http) throws Exception {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
-fun configure(http: HttpSecurity) {
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 	http {
-		// ...
 		formLogin {
 			loginPage = "/login"
 			permitAll()
 		}
 	}
+	// ...
 }
 ----
 ====
 
@@ -11,12 +11,13 @@ This is achieved through the `session-management` element:
 .Java
 [source,java,role="primary"]
 ----
-@Override
-protected void configure(HttpSecurity http) throws Exception{
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) {
     http
         .sessionManagement(session -> session
             .invalidSessionUrl("/invalidSession.htm")
         );
+    return http.build();
 }
 ----
 
@@ -38,12 +39,13 @@ You may be able to explicitly delete the JSESSIONID cookie on logging out, for e
 .Java
 [source,java,role="primary"]
 ----
-@Override
-protected void configure(HttpSecurity http) throws Exception{
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) {
     http
         .logout(logout -> logout
             .deleteCookies("JSESSIONID")
         );
+    return http.build();
 }
 ----
 
@@ -105,12 +107,13 @@ Then add the following lines to your application context:
 .Java
 [source,java,role="primary"]
 ----
-@Override
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) {
     http
         .sessionManagement(session -> session
             .maximumSessions(1)
         );
+    return http.build();
 }
 ----
 
@@ -134,13 +137,14 @@ Often you would prefer to prevent a second login, in which case you can use
 .Java
 [source,java,role="primary"]
 ----
-@Override
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) {
     http
         .sessionManagement(session -> session
             .maximumSessions(1)
             .maxSessionsPreventsLogin(true)
         );
+    return http.build();
 }
 ----
 
 
@@ -34,12 +34,14 @@ The explicit configuration looks like:
 .Java
 [source,java,role="primary"]
 ----
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	http
 		// ...
 		.authorizeRequests(authorize -> authorize
 			.anyRequest().authenticated()
 		);
+	return http.build();
 }
 ----
 
@@ -55,13 +57,15 @@ protected void configure(HttpSecurity http) throws Exception {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
-fun configure(http: HttpSecurity) {
+@Bean
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
     http {
         // ...
         authorizeRequests {
             authorize(anyRequest, authenticated)
         }
     }
+    return http.build()
 }
 ----
 ====
@@ -73,7 +77,8 @@ We can configure Spring Security to have different rules by adding more rules in
 .Java
 [source,java,role="primary"]
 ----
-protected void configure(HttpSecurity http) throws Exception {
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	http
 		// ...
 		.authorizeRequests(authorize -> authorize                                  // <1>
@@ -82,6 +87,7 @@ protected void configure(HttpSecurity http) throws Exception {
 			.mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")   // <4>
 			.anyRequest().denyAll()                                                // <5>
 		);
+	return http.build();
 }
 ----
 
@@ -104,7 +110,8 @@ protected void configure(HttpSecurity http) throws Exception {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
-fun configure(http: HttpSecurity) {
+@Bean
+open fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http {
         authorizeRequests { // <1>
             authorize("/resources/**", permitAll) // <2>
@@ -116,6 +123,7 @@ fun configure(http: HttpSecurity) {
             authorize(anyRequest, denyAll) // <5>
         }
     }
+    return http.build()
 }
 ----
 ====