Authorization Migrations

The following steps relate to how to finish migrating authorization support.

Use AuthorizationManager for Method Security

There are no further migration steps for this feature.

Use AuthorizationManager for Message Security

In 6.0, <websocket-message-broker> defaults use-authorization-manager to true. So, to complete migration, remove any websocket-message-broker@use-authorization-manager=true attribute.

For example:

  • Xml

<websocket-message-broker use-authorization-manager="true"/>

changes to:

  • Xml

<websocket-message-broker/>

There are no further migration steps for Java or Kotlin for this feature.

Use AuthorizationManager for Request Security

In 6.0, <http> defaults once-per-request to false, filter-all-dispatcher-types to true, and use-authorization-manager to true. Also, authorizeRequests#filterSecurityInterceptorOncePerRequest defaults to false and authorizeHttpRequests#filterAllDispatcherTypes defaults to true. So, to complete migration, any settings that match these default values can be removed.

For example, if you opted in to the 6.0 default for filter-all-dispatcher-types or authorizeHttpRequests#filterAllDispatcherTypes like so:

  • Java

http
    .authorizeHttpRequests((authorize) -> authorize
        .filterAllDispatcherTypes(true)
        // ...
    )

  • Kotlin

http {
	authorizeHttpRequests {
		filterAllDispatcherTypes = true
		// ...
	}
}

  • Xml

<http use-authorization-manager="true" filter-all-dispatcher-types="true"/>

then the defaults may be removed:

  • Java

http
    .authorizeHttpRequests((authorize) -> authorize
        // ...
    )

  • Kotlin

http {
	authorizeHttpRequests {
		// ...
	}
}

  • Xml

<http/>

once-per-request applies only when use-authorization-manager="false", and filter-all-dispatcher-types applies only when use-authorization-manager="true".