From 4f5372a3a7e8bebd76d45ae49518ad5203026b50 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Fri, 28 Oct 2022 12:25:44 -0600 Subject: [PATCH] Add Request Security Migration Steps Issue gh-11337 --- docs/modules/ROOT/pages/migration.adoc | 71 ++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/docs/modules/ROOT/pages/migration.adoc b/docs/modules/ROOT/pages/migration.adoc index 9fbd410922..6b93bdbafb 100644 --- a/docs/modules/ROOT/pages/migration.adoc +++ b/docs/modules/ROOT/pages/migration.adoc 
@@ -75,6 +75,77 @@ changes to: There are no further migrations steps for Java or Kotlin for this feature. +=== Use `AuthorizationManager` for Request Security + +In 6.0, `` defaults `once-per-request` to `false`, `filter-all-dispatcher-types` to `true`, and `use-authorization-manager` to `true`. +Also, xref:servlet/authorization/authorize-requests.adoc#filtersecurityinterceptor-every-request[`authorizeRequests#filterSecurityInterceptorOncePerRequest`] defaults to `false` and xref:servlet/authorization/authorize-http-requests.adoc[`authorizeHttpRequests#filterAllDispatcherTypes`] defaults to `true`. +So, to complete migration, any defaults values can be removed. + +For example, if you opted in to the 6.0 default for `filter-all-dispatcher-types` or `authorizeHttpRequests#filterAllDispatcherTypes` like so: + +==== +.Java +[source,java,role="primary"] +---- +http + .authorizeHttpRequests((authorize) -> authorize + .filterAllDispatcherTypes(true) + // ... + ) +---- + +.Kotlin +[source,java,role="secondary"] +---- +http { + authorizeHttpRequests { + filterAllDispatcherTypes = true + // ... + } +} +---- + +.Xml +[source,xml,role="secondary"] +---- + +---- +==== + +then the defaults may be removed: + +==== +.Java +[source,java,role="primary"] +---- +http + .authorizeHttpRequests((authorize) -> authorize + // ... + ) +---- + +.Kotlin +[source,java,role="secondary"] +---- +http { + authorizeHttpRequests { + // ... + } +} +---- + +.Xml +[source,xml,role="secondary"] +---- + +---- +==== + +[NOTE] +==== +`once-per-request` applies only when `use-authorization-manager="false"` and `filter-all-dispatcher-types` only applies when `use-authorization-manager="true"` +==== + == Reactive === Use `AuthorizationManager` for Method Security
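Review bot: Both `.Kotlin` listings in the added section (the "opted in" example and the "defaults may be removed" example) are declared as `[source,java,role="secondary"]`, so they will be highlighted as Java. Suggest `[source,kotlin,role="secondary"]` for each. In the text as shown here, the element name in "In 6.0, `` defaults `once-per-request` to `false`" is blank and both `.Xml` listings are empty between their `----` delimiters. If that is also true of the committed file, the XML migration step has no before or after to follow, so please check that the tag is present and is escaped so that it survives rendering. The opening sentence also lists three defaults (`once-per-request`, `filter-all-dispatcher-types`, `use-authorization-manager`), but the examples cover only `filterAllDispatcherTypes`. A sentence saying that the other two explicit values can be dropped in the same way would keep readers from leaving `use-authorization-manager` set after migrating. Minor wording: "any defaults values can be removed" should read "any default values can be removed", and the NOTE mixes "applies only when" with "only applies when" and lacks a closing period.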