For the latest stable version, please use Spring Security 6.5.3!spring-doc.cn

Authorization Migrations

The following steps relate to how to finish migrating authorization support.spring-doc.cn

Use AuthorizationManager for Method Security

There are no further migration steps for this feature.spring-doc.cn

Use AuthorizationManager for Message Security

In 6.0, <websocket-message-broker> defaults use-authorization-manager to true. So, to complete migration, remove any websocket-message-broker@use-authorization-manager=true attribute.spring-doc.cn

For example:spring-doc.cn

<websocket-message-broker use-authorization-manager="true"/>

changes to:spring-doc.cn

<websocket-message-broker/>

There are no further migrations steps for Java or Kotlin for this feature.spring-doc.cn

Use AuthorizationManager for Request Security

In 6.0, <http> defaults once-per-request to false, filter-all-dispatcher-types to true, and use-authorization-manager to true. Also, authorizeRequests#filterSecurityInterceptorOncePerRequest defaults to false and authorizeHttpRequests#filterAllDispatcherTypes defaults to true. So, to complete migration, any defaults values can be removed.spring-doc.cn

For example, if you opted in to the 6.0 default for filter-all-dispatcher-types or authorizeHttpRequests#filterAllDispatcherTypes like so:spring-doc.cn

http
    .authorizeHttpRequests((authorize) -> authorize
        .filterAllDispatcherTypes(true)
        // ...
    )
http {
	authorizeHttpRequests {
		filterAllDispatcherTypes = true
        // ...
	}
}
<http use-authorization-manager="true" filter-all-dispatcher-types="true"/>

then the defaults may be removed:spring-doc.cn

http
    .authorizeHttpRequests((authorize) -> authorize
        // ...
    )
http {
	authorizeHttpRequests {
		// ...
	}
}
<http/>

once-per-request applies only when use-authorization-manager="false" and filter-all-dispatcher-types only applies when use-authorization-manager="true"spring-doc.cn