This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.2!

Reactive

If you have already performed the initial migration steps for your Reactive application, you’re now ready to perform steps specific to Reactive applications.

Use AuthorizationManager for Method Security

In 6.0, @EnableReactiveMethodSecurity defaults useAuthorizationManager to true. So, to complete migration, remove the useAuthorizationManager attribute from @EnableReactiveMethodSecurity:

  • Java

    @EnableReactiveMethodSecurity(useAuthorizationManager = true)

  • Kotlin

    @EnableReactiveMethodSecurity(useAuthorizationManager = true)

changes to:

  • Java

    @EnableReactiveMethodSecurity

  • Kotlin

    @EnableReactiveMethodSecurity

Propagate AuthenticationServiceExceptions

AuthenticationWebFilter propagates AuthenticationServiceExceptions to the ServerAuthenticationEntryPoint. Because AuthenticationServiceExceptions represent a server-side error instead of a client-side error, in 6.0, this changes to propagate them to the container.

So, if you opted into this behavior by setting rethrowAuthenticationServiceException to true, you can now remove it like so:

  • Java

    // Declared with the concrete reactive type so that the setter is available
    ServerAuthenticationEntryPointFailureHandler bearerFailureHandler = new ServerAuthenticationEntryPointFailureHandler(bearerEntryPoint);
    bearerFailureHandler.setRethrowAuthenticationServiceException(true);
    ServerAuthenticationEntryPointFailureHandler basicFailureHandler = new ServerAuthenticationEntryPointFailureHandler(basicEntryPoint);
    basicFailureHandler.setRethrowAuthenticationServiceException(true);

  • Kotlin

    // Declared with the concrete reactive type so that the setter is available
    val bearerFailureHandler: ServerAuthenticationEntryPointFailureHandler = ServerAuthenticationEntryPointFailureHandler(bearerEntryPoint)
    bearerFailureHandler.setRethrowAuthenticationServiceException(true)
    val basicFailureHandler: ServerAuthenticationEntryPointFailureHandler = ServerAuthenticationEntryPointFailureHandler(basicEntryPoint)
    basicFailureHandler.setRethrowAuthenticationServiceException(true)

changes to:

  • Java

    ServerAuthenticationEntryPointFailureHandler bearerFailureHandler = new ServerAuthenticationEntryPointFailureHandler(bearerEntryPoint);
    ServerAuthenticationEntryPointFailureHandler basicFailureHandler = new ServerAuthenticationEntryPointFailureHandler(basicEntryPoint);

  • Kotlin

    val bearerFailureHandler: ServerAuthenticationEntryPointFailureHandler = ServerAuthenticationEntryPointFailureHandler(bearerEntryPoint)
    val basicFailureHandler: ServerAuthenticationEntryPointFailureHandler = ServerAuthenticationEntryPointFailureHandler(basicEntryPoint)

If you configured the ServerAuthenticationFailureHandler only for the purpose of updating to 6.0, you can remove it completely.