 

Spring Security protected void configure(HttpSecurity http): please explain the proper use of and(). What does it mean?

I have lots and lots of examples from many search results on this platform and others, but I can't find an explanation of the and(). Obviously it is some kind of delimiter. Possibly it does a logical AND (&&), but maybe not.

I want to understand the proper usage and what it does, what it means.

I hope this question is salient and the answers useful for others.

Reference: https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html#configure-org.springframework.security.config.annotation.web.builders.HttpSecurity-

Then inside of that document:

protected void configure(HttpSecurity http)
                  throws java.lang.Exception

Override this method to configure the HttpSecurity. Typically subclasses should not invoke this method by calling super as it may override their configuration. The default configuration is:

http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
K. hervey asked Nov 01 '25 06:11


1 Answer

  • Let's take the following example. Both are equivalent.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated();

        http.formLogin()
                .loginPage("/login")
                .permitAll();

        http.logout()
                .permitAll();
    }
     protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
  • Actually, we are configuring different configurers here, like ExpressionUrlAuthorizationConfigurer, FormLoginConfigurer and LogoutConfigurer in this example. Even though they are configured separately in the first one, they are all applied together. So here and() plays the logical AND role.

  • Now notice, for example, that the return type of .anyRequest().authenticated() is ExpressionInterceptUrlRegistry, but the method formLogin() is only present on an object of type HttpSecurity, so in the builder pattern and() plays the second role of switching the return type, i.e. as soon as you call anyRequest().authenticated().and(), the return type is HttpSecurity, so now it allows you to start formLogin().

  • See IntelliJ showing the return types at various points.

Kavithakaran Kanapathippillai answered Nov 02 '25 20:11
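The answer above shows and() doing two jobs at once: joining configurers that are all applied together, and returning to the HttpSecurity object so the next configurer can be started. Since Spring Security 5.2 the same chain can be written with the lambda DSL, where each configurer is opened and closed by its own lambda and the "switch back to HttpSecurity" job of and() disappears. The following is an added example, not code from the question, the answer, or the Spring Security project; it reproduces the answer's three configurers (authorizeRequests, formLogin, logout) as a SecurityFilterChain bean (available from Spring Security 5.4), and the class name LambdaDslSecurityConfig is an assumption.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example; LambdaDslSecurityConfig is an assumed class name.
@Configuration
@EnableWebSecurity
public class LambdaDslSecurityConfig {

    // Same three configurers as the answer's and() chain. Each lambda receives
    // the configurer (ExpressionInterceptUrlRegistry, FormLoginConfigurer,
    // LogoutConfigurer) and, when it returns, the call is back on HttpSecurity,
    // which is exactly what and() did in the non-lambda style.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                // Matchers are evaluated in declaration order and the first
                // match wins, so the catch-all anyRequest() must stay last;
                // placed first it would shadow the permitAll() rules.
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(form -> form
                // permitAll() on the custom login page is required: without it
                // an unauthenticated request is redirected to /login, which
                // would itself demand authentication and redirect again.
                .loginPage("/login")
                .permitAll()
            )
            .logout(logout -> logout
                .permitAll()
            );
        return http.build();
    }
}
```

Both styles build the same filter chain, so the logical-AND behaviour the answer describes is unchanged; only the type-switching role of and() is taken over by the lambda boundaries. Note that Spring Security 6 renames authorizeRequests()/antMatchers() to authorizeHttpRequests()/requestMatchers(), and 6.1 deprecates and() together with the non-lambda configuration methods, so new configurations should be written in the lambda form.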