Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-29 07:12:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update Method Security Migration Steps

Browse Source
This commit is contained in:
Josh Cummings 2025-05-06 16:44:20 -06:00
parent 84db5bb312
commit 211b1b7285
No known key found for this signature in database
GPG Key ID: 869B37A20E876129
1 changed files with 79 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
docs/modules/ROOT/pages/migration-7/authorization.adoc
View File

@ -22,3 +22,82 @@ public void doSomething(Long id) {
You must compile with `-parameters` to ensure that the parameter names are available at runtime.
For more information about this, please visit the https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-6.x#core-container[Upgrading to Spring Framework 6.1 page].
=== Favor `AnnotationTemplateExpressionDefaults` over `PrePostTemplateDefaults`
In Spring Security 7, `AnnotationTemplateExpressionDefaults` will be included by default.
If you are customizing `PrePostTemplateDefaults` or simply want to see how your application responds to `AnnotationTemplateExpressionDefaults`, you can publish an `AnnotationTemplateExpressionDefaults` bean instead of a `PrePostTemplateDefaults` method:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
static AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
return new AnnotationTemplateExpressionDefaults();
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
companion object {
@Bean
fun templateExpressionDefaults() = AnnotationTemplateExpressionDefaults()
}
----
Xml::
+
[source,xml,role="secondary"]
----
<b:bean id="templateExpressionDefaults" class="org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults"/>
----
======
==== I Am Publishing an AuthorizationAdvisor Bean
If you are publishing an `AuthorizationAdvisor` bean, like `AuthorizationManagerBeforeMethodInterceptor`, `AuthorizationManagerAfterMethodInterceptor`, `PreFilterAuthorizationMethodInterceptor`, or `PostFilterAuthorizationMethodInterceptor`, you can do the same by calling `setTemplateDefaults` with an `AnnotationTemplateExpressionDefaults` instance instead:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
@Role(BeanDescription.ROLE_INFRASTRUCTURE)
static Advisor preFilter() {
PreFilterAuthorizationMethodInterceptor interceptor = new PreFilterAuthorizationMethodInterceptor();
interceptor.setTemplateDefaults(new AnnotationTemplateExpressionDefaults());
return interceptor;
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
companion object {
@Bean
@Role(BeanDescription.ROLE_INFRASTRUCTURE)
fun preFilter(): Advisor {
val interceptor = PreFilterAuthorizationMethodInterceptor()
interceptor.setTemplateDefaults(AnnotationTemplateExpressionDefaults)
return interceptor
}
}
----
======
=== Publish `AuthorizationAdvisor` instances instead of adding them in a `Customizer<AuthorizationAdvisorProxyFactory>`
While the ability to customize the `AuthorizationAdvisorProxyFactory` instance will remain in Spring Security 7, the ability to add advisors will be removed in favor of picking up published `AuthorizationAdvisor` beans.
If you are not calling `AuthorizationAdvisorProxyFactory#setAdvisors` or `AuthorizationAdvisorProxyFactory#addAdvisor`, you need do nothing.
If you are, publish the `AuthorizationAdvisor` bean instead and Spring Security will pick it up and apply it automatically.