For the latest stable version, please use Spring Security 6.4.2!

Authorization Changes

The following sections relate to how to adapt to changes in the authorization support.

Method Security

Compile With -parameters

Spring Framework 6.1 removes LocalVariableTableParameterNameDiscoverer. This affects how @PreAuthorize and other method security annotations will process parameter names. If you are using method security annotations with parameter names, for example:

Method security annotation using id parameter name
@PreAuthorize("@authz.checkPermission(#id, authentication)")
public void doSomething(Long id) {
    // ...
}

You must compile with -parameters to ensure that the parameter names are available at runtime. For more information about this, please visit the Upgrading to Spring Framework 6.1 page.