This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.5!

Authorization Migrations

The following steps relate to how to finish migrating authorization support.

Use AuthorizationManager for Method Security

There are no further migration steps for this feature.

Use AuthorizationManager for Message Security

In 6.0, <websocket-message-broker> defaults use-authorization-manager to true. So, to complete migration, remove any websocket-message-broker@use-authorization-manager=true attribute.

For example:

  • Xml

<websocket-message-broker use-authorization-manager="true"/>

changes to:

  • Xml

<websocket-message-broker/>

There are no further migrations steps for Java or Kotlin for this feature.

Use AuthorizationManager for Request Security

In 6.0, <http> defaults once-per-request to false, filter-all-dispatcher-types to true, and use-authorization-manager to true. Also, authorizeHttpRequests#filterAllDispatcherTypes defaults to true. So, to complete migration, any defaults values can be removed.

For example, if you opted in to the 6.0 default for filter-all-dispatcher-types or authorizeHttpRequests#filterAllDispatcherTypes like so:

  • Java

  • Kotlin

  • Xml

http
    .authorizeHttpRequests((authorize) -> authorize
        .filterAllDispatcherTypes(true)
        // ...
    )
http {
	authorizeHttpRequests {
		filterAllDispatcherTypes = true
        // ...
	}
}
<http use-authorization-manager="true" filter-all-dispatcher-types="true"/>

then the defaults may be removed:

  • Java

  • Kotlin

  • Xml

http
    .authorizeHttpRequests((authorize) -> authorize
        // ...
    )
http {
	authorizeHttpRequests {
		// ...
	}
}
<http/>

once-per-request applies only when use-authorization-manager="false" and filter-all-dispatcher-types only applies when use-authorization-manager="true"

Compile With -parameters

Spring Framework 6.1 removes LocalVariableTableParameterNameDiscoverer. This affects how @PreAuthorize and other method security annotations will process parameter names. If you are using method security annotations with parameter names, for example:

Method security annotation using id parameter name
@PreAuthorize("@authz.checkPermission(#id, authentication)")
public void doSomething(Long id) {
    // ...
}

You must compile with -parameters to ensure that the parameter names are available at runtime. For more information about this, please visit the Upgrading to Spring Framework 6.1 page.