Authorization Migrations
The following steps relate to how to finish migrating authorization support.
Use AuthorizationManager for Message Security
In 6.0, <websocket-message-broker> defaults use-authorization-manager to true.
So, to complete migration, remove any websocket-message-broker@use-authorization-manager=true attribute.
For example:
Xml
    <websocket-message-broker use-authorization-manager="true"/>
changes to:
Xml
    <websocket-message-broker/>
There are no further migration steps for Java or Kotlin for this feature.
Use AuthorizationManager for Request Security
In 6.0, <http> defaults once-per-request to false, filter-all-dispatcher-types to true, and use-authorization-manager to true.
Also, authorizeHttpRequests#filterAllDispatcherTypes defaults to true.
So, to complete migration, any settings that only restate these default values can be removed.
For example, if you opted in to the 6.0 default for filter-all-dispatcher-types or authorizeHttpRequests#filterAllDispatcherTypes like so:
Java
    http
        .authorizeHttpRequests((authorize) -> authorize
            .filterAllDispatcherTypes(true)
            // ...
        )
Kotlin
    http {
        authorizeHttpRequests {
            filterAllDispatcherTypes = true
            // ...
        }
    }
Xml
    <http use-authorization-manager="true" filter-all-dispatcher-types="true"/>
then the defaults may be removed:
Java
    http
        .authorizeHttpRequests((authorize) -> authorize
            // ...
        )
Kotlin
    http {
        authorizeHttpRequests {
            // ...
        }
    }
Xml
    <http/>
Compile With -parameters
Spring Framework 6.1 removes LocalVariableTableParameterNameDiscoverer.
This affects how @PreAuthorize and other method security annotations will process parameter names.
If you are using method security annotations with parameter names, for example:
    // #id in the expression is resolved from the id parameter name
    @PreAuthorize("@authz.checkPermission(#id, authentication)")
    public void doSomething(Long id) {
        // ...
    }
You must compile with -parameters to ensure that the parameter names are available at runtime.
For more information about this, please visit the Upgrading to Spring Framework 6.1 page.
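One way to catch a missing -parameters flag before it reaches production is a reflection check that can run as a build or CI step. This is an added example, not code from Spring Security: the PreAuthorize annotation below is a local stand-in so the file compiles without Spring, and ParameterNameCheck, SampleService and findUnresolvable are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;
import java.util.regex.*;

public class ParameterNameCheck {
    // Stand-in for Spring Security's @PreAuthorize (assumption: keeps the example free of dependencies).
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface PreAuthorize { String value(); }

    // Constructed sample service mirroring the snippet above.
    static class SampleService {
        @PreAuthorize("@authz.checkPermission(#id, authentication)")
        public void doSomething(Long id) { }
    }

    // SpEL built-in variables that are not method parameters.
    static final Set<String> BUILT_INS = Set.of("root", "this");
    static final Pattern VARIABLE = Pattern.compile("#([A-Za-z_][A-Za-z0-9_]*)");

    /** Returns one message per #variable that cannot be matched to a parameter name at runtime. */
    static List<String> findUnresolvable(Class<?> type) {
        List<String> problems = new ArrayList<>();
        for (Method method : type.getDeclaredMethods()) {
            PreAuthorize rule = method.getAnnotation(PreAuthorize.class);
            if (rule == null) continue;
            Set<String> names = new HashSet<>();
            for (Parameter p : method.getParameters()) {
                // isNamePresent() is true only when the class file was compiled with -parameters.
                if (p.isNamePresent()) names.add(p.getName());
            }
            Matcher m = VARIABLE.matcher(rule.value());
            while (m.find()) {
                String var = m.group(1);
                if (!BUILT_INS.contains(var) && !names.contains(var)) {
                    problems.add(type.getName() + "." + method.getName() + ": no parameter name for #" + var);
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        List<String> problems = findUnresolvable(SampleService.class);
        problems.forEach(System.err::println);
        System.exit(problems.isEmpty() ? 0 : 1); // non-zero exit fails the CI step
    }
}
```

Compiled with plain javac, the check reports #id and exits 1; compiled with javac -parameters, it exits 0. The same check also flags an expression variable that is misspelled relative to the parameter it is meant to reference.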