I want to configure my Spring application's security so that all requests are authenticated before being served.
So I created a filter chain bean:
    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
            throws Exception {
        return http
            .authorizeRequests().anyRequest().authenticated()
            .and().formLogin()
            .and().build();
    }
I also found out that the authorizeRequests method has an overloaded version which accepts a Customizer interface parameter. So I tried the parameterized version.
    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
            throws Exception {
        return http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests.anyRequest().authenticated()
            )
            .formLogin()
            .and().build();
    }
I noticed that the parameterized authorizeRequests method returns the same HttpSecurity object, so you can keep configuring without calling and().
Is that the only difference between them? If so, wouldn't this overloaded version seem redundant?
Both ways of declaring authorizeRequests are valid. The one that accepts a customizer is a way to make your code easier to read because it avoids multiple indentation levels. Using the lambda customizer is recommended.
The difference between authorizeRequests and authorizeHttpRequests is explained here. authorizeHttpRequests uses the new simplified AuthorizationManager API and the AuthorizationFilter, while authorizeRequests uses the AccessDecisionManager and FilterSecurityInterceptor. The latter will be deprecated in a future version of Spring Security.
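The authorizeHttpRequests form mentioned in the answer, written with lambda customizers throughout so that no and() calls are needed. This is an added example, not code from the original question or answer. It assumes Spring Security 6.x (where requestMatchers is available); the /admin/** path and the ADMIN role are hypothetical and only there to show an AuthorizationManager being passed explicitly.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            // authorizeHttpRequests registers the AuthorizationFilter, which
            // delegates each decision to an AuthorizationManager.
            .authorizeHttpRequests(authorize -> authorize
                // Hypothetical path and role (assumption, not from the page).
                // Rules are evaluated in declaration order, so specific
                // matchers must come before the anyRequest() catch-all.
                .requestMatchers("/admin/**")
                    .access(AuthorityAuthorizationManager.hasRole("ADMIN"))
                // Everything else only requires an authenticated user,
                // as in the question's configuration.
                .anyRequest().authenticated()
            )
            // The lambda overloads return HttpSecurity itself, so the
            // chain continues without and().
            .formLogin(Customizer.withDefaults());

        return http.build();
    }
}
```

Keeping anyRequest().authenticated() as the last rule means any path not matched by an earlier rule still requires login, which is the deny-by-default behaviour the question asks for.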