This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.5!

Authorization Changes

The following sections relate to how to adapt to changes in the authorization support.

Method Security

Compile With -parameters

Spring Framework 6.1 removes LocalVariableTableParameterNameDiscoverer. This affects how @PreAuthorize and other method security annotations will process parameter names. If you are using method security annotations with parameter names, for example:

Method security annotation using id parameter name
@PreAuthorize("@authz.checkPermission(#id, authentication)")
public void doSomething(Long id) {
    // ...
}

You must compile with -parameters to ensure that the parameter names are available at runtime. For more information about this, please visit the Upgrading to Spring Framework 6.1 page.

Favor AnnotationTemplateExpressionDefaults over PrePostTemplateDefaults

In Spring Security 7, AnnotationTemplateExpressionDefaults will be included by default.

If you are customizing PrePostTemplateDefaults or simply want to see how your application responds to AnnotationTemplateExpressionDefaults, you can publish an AnnotationTemplateExpressionDefaults bean instead of a PrePostTemplateDefaults method:

  • Java

  • Kotlin

  • Xml

@Bean
static AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
	return new AnnotationTemplateExpressionDefaults();
}
companion object {
    @Bean
    fun templateExpressionDefaults() = AnnotationTemplateExpressionDefaults()
}
<b:bean id="templateExpressionDefaults" class="org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults"/>

I Am Publishing an AuthorizationAdvisor Bean

If you are publishing an AuthorizationAdvisor bean, like AuthorizationManagerBeforeMethodInterceptor, AuthorizationManagerAfterMethodInterceptor, PreFilterAuthorizationMethodInterceptor, or PostFilterAuthorizationMethodInterceptor, you can do the same by calling setTemplateDefaults with an AnnotationTemplateExpressionDefaults instance instead:

  • Java

  • Kotlin

@Bean
@Role(BeanDescription.ROLE_INFRASTRUCTURE)
static Advisor preFilter() {
	PreFilterAuthorizationMethodInterceptor interceptor = new PreFilterAuthorizationMethodInterceptor();
	interceptor.setTemplateDefaults(new AnnotationTemplateExpressionDefaults());
	return interceptor;
}
companion object {
    @Bean
    @Role(BeanDescription.ROLE_INFRASTRUCTURE)
    fun preFilter(): Advisor {
        val interceptor = PreFilterAuthorizationMethodInterceptor()
        interceptor.setTemplateDefaults(AnnotationTemplateExpressionDefaults)
        return interceptor
    }
}

Publish AuthorizationAdvisor instances instead of adding them in a Customizer<AuthorizationAdvisorProxyFactory>

While the ability to customize the AuthorizationAdvisorProxyFactory instance will remain in Spring Security 7, the ability to add advisors will be removed in favor of picking up published AuthorizationAdvisor beans.

If you are not calling AuthorizationAdvisorProxyFactory#setAdvisors or AuthorizationAdvisorProxyFactory#addAdvisor, you need do nothing.

If you are, publish the AuthorizationAdvisor bean instead and Spring Security will pick it up and apply it automatically.