Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-11-04 00:28:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
spring-security/docs/modules/ROOT/pages/migration/servlet/authorization.adoc

118 lines
2.5 KiB
Plaintext
Raw Normal View History

Revert unnecessary merges on 6.0.x This commit removes unnecessary main-branch merges starting from 8750608b5bca45525c99d0a41a20ed02de93d8c7 and adds the following needed commit(s) that were made afterward: - 5dce82c48bc0b174838501c5a111b2de70822914
2023-10-31 15:11:45 -05:00
= Authorization Migrations
The following steps relate to how to finish migrating authorization support.
== Use `AuthorizationManager` for Method Security
There are no further migration steps for this feature.
== Use `AuthorizationManager` for Message Security
In 6.0, `<websocket-message-broker>` defaults `use-authorization-manager` to `true`.
So, to complete migration, remove any `websocket-message-broker@use-authorization-manager=true` attribute.
For example:
[tabs]
======
Xml::
+
[source,xml,role="primary"]
----
<websocket-message-broker use-authorization-manager="true"/>
----
======
changes to:
[tabs]
======
Xml::
+
[source,xml,role="primary"]
----
<websocket-message-broker/>
----
======
There are no further migrations steps for Java or Kotlin for this feature.
== Use `AuthorizationManager` for Request Security
In 6.0, `<http>` defaults `once-per-request` to `false`, `filter-all-dispatcher-types` to `true`, and `use-authorization-manager` to `true`.
Revert unnecessary merges on 6.1.x This commit removes unnecessary main-branch merges starting from 9f8db22b774fe78fef3598c07e184c371892c1c7 and adds the following needed commit(s) that were made afterward: - 4d6ff49b9d663d0f25454f3704a45c83b35da689 - ed6ff670d102736eea0ac360921c9015151ac630 - c823b007942a04a27d02c0a28bc2ad85e8790084 - 44fad21363bef1b06422be28c9bbfadde5e44804
2023-10-31 15:22:15 -05:00
Also, {security-api-url}org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.AbstractInterceptUrlRegistry.html#filterSecurityInterceptorOncePerRequest(boolean)[`authorizeRequests#filterSecurityInterceptorOncePerRequest`] defaults to `false` and xref:servlet/authorization/authorize-http-requests.adoc[`authorizeHttpRequests#filterAllDispatcherTypes`] defaults to `true`.
Revert unnecessary merges on 6.0.x This commit removes unnecessary main-branch merges starting from 8750608b5bca45525c99d0a41a20ed02de93d8c7 and adds the following needed commit(s) that were made afterward: - 5dce82c48bc0b174838501c5a111b2de70822914
2023-10-31 15:11:45 -05:00
So, to complete migration, any defaults values can be removed.
For example, if you opted in to the 6.0 default for `filter-all-dispatcher-types` or `authorizeHttpRequests#filterAllDispatcherTypes` like so:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
http
.authorizeHttpRequests((authorize) -> authorize
.filterAllDispatcherTypes(true)
// ...
)
----
Kotlin::
+
[source,java,role="secondary"]
----
http {
authorizeHttpRequests {
filterAllDispatcherTypes = true
// ...
}
}
----
Xml::
+
[source,xml,role="secondary"]
----
<http use-authorization-manager="true" filter-all-dispatcher-types="true"/>
----
======
then the defaults may be removed:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
http
.authorizeHttpRequests((authorize) -> authorize
// ...
)
----
Kotlin::
+
[source,java,role="secondary"]
----
http {
authorizeHttpRequests {
// ...
}
}
----
Xml::
+
[source,xml,role="secondary"]
----
<http/>
----
======
[NOTE]
====
`once-per-request` applies only when `use-authorization-manager="false"` and `filter-all-dispatcher-types` only applies when `use-authorization-manager="true"`
====
Reference in New Issue Copy Permalink