For the latest stable version, please use Spring Security 6.4.2! |
Authorization Migrations
The following steps relate to how to finish migrating authorization support.
Use AuthorizationManager
for Message Security
In 6.0, <websocket-message-broker>
defaults use-authorization-manager
to true
.
So, to complete migration, remove any websocket-message-broker@use-authorization-manager=true
attribute.
For example:
-
Xml
<websocket-message-broker use-authorization-manager="true"/>
changes to:
-
Xml
<websocket-message-broker/>
There are no further migrations steps for Java or Kotlin for this feature.
Use AuthorizationManager
for Request Security
In 6.0, <http>
defaults once-per-request
to false
, filter-all-dispatcher-types
to true
, and use-authorization-manager
to true
.
Also, authorizeRequests#filterSecurityInterceptorOncePerRequest
defaults to false
and authorizeHttpRequests#filterAllDispatcherTypes
defaults to true
.
So, to complete migration, any defaults values can be removed.
For example, if you opted in to the 6.0 default for filter-all-dispatcher-types
or authorizeHttpRequests#filterAllDispatcherTypes
like so:
-
Java
-
Kotlin
-
Xml
http
.authorizeHttpRequests((authorize) -> authorize
.filterAllDispatcherTypes(true)
// ...
)
http {
authorizeHttpRequests {
filterAllDispatcherTypes = true
// ...
}
}
<http use-authorization-manager="true" filter-all-dispatcher-types="true"/>
then the defaults may be removed:
-
Java
-
Kotlin
-
Xml
http
.authorizeHttpRequests((authorize) -> authorize
// ...
)
http {
authorizeHttpRequests {
// ...
}
}
<http/>
|