spring-security form authentication migration to annotations

Question

I have the following spring-security config:

<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

<http use-expressions="true">
    <intercept-url pattern="/edit/**" access="hasRole('EDITOR')" />
    <form-login login-page="/login" authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/" delete-cookies="JSESSIONID" />
    <remember-me user-service-ref="userDetailsService"/>
</http>

<b:bean id="encoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder ref="encoder" />
    </authentication-provider>
</authentication-manager>
</b:beans>

And I'm trying to migrate it to annotation-based config:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests().antMatchers("/edit/**").hasRole("EDITOR").and()
                .logout().logoutSuccessUrl("/").deleteCookies("JSESSIONID").and()
                .formLogin().loginPage("/login").failureUrl("/loginfailed").and()
                .rememberMe().userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder());
    }

    @Bean
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }

}

Also I have social-networks sign-in functionality and for that I used autowired RequestCache. And this bean does not appear in the application context with annotation based configuration. What I am missing?

Answer 1

RequestCache problem is solved the following way:

@Bean
public RequestCache requestCache() {
    return new HttpSessionRequestCache();
}

And with changing configuration:

    http
            .requestCache().requestCache(requestCache()).and()
            .authorizeRequests().antMatchers("/edit/**").hasRole("EDITOR").and()...

Also migrating to annotation-based config many defaults are changing - "j_username" to "username", "j_password" to "password", "j_spring_security_check" to "login", "j_spring_security_logout" to "logout" and csrf hidden token in forms becomes required.