WebSecurityConfigurerAdapter migration recipe often not applied

There’s a hint from @BoykoAlex in this https://github.com/openrewrite/rewrite-spring/pull/202#issuecomment-1155782542

I have pushed the revised version of the Recipe to play it safe when non applicable methods are overridden and/or used within the same class declaration.

Tried it on a few projects, but it seems the play-it-safe is quite restrictive. Having any unrelated method in the same class is already enough for the migration to back off. Consider the following sample, where I’ve only added a single line method to the first assertChanged test in WebSecurityConfigurerAdapterTest.kt.

package com.example.websecuritydemo;

import static org.springframework.security.config.Customizer.withDefaults;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authz) -> authz
                .anyRequest().authenticated()
            )
            .httpBasic(withDefaults());
    }

    void unrelatedMethod() {} // <-- This is enough for the recipe to back off

}

That leaves a lot of projects which are not migrated, as it’s not uncommon to add additional methods/beans in the same configuration file. For instance a sample project here merely adds a bean and changes the JWT converter, as suggested in the official spring security documentation. Yet the restrictions in the recipe around applicable classes entirely skip this configuration class.

I’m not sure what the exact motivations were to play it safe, but it would seem to me we might want to loosen those restrictions just a bit to be workable for common cases.