Add Request Security Migration Steps

Issue gh-11337
This commit is contained in:
Josh Cummings 2022-10-28 12:25:44 -06:00
parent c3d129aa56
commit 4f5372a3a7
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
1 changed files with 71 additions and 0 deletions

View File

@ -75,6 +75,77 @@ changes to:
There are no further migrations steps for Java or Kotlin for this feature. There are no further migrations steps for Java or Kotlin for this feature.
=== Use `AuthorizationManager` for Request Security
In 6.0, `<http>` defaults `once-per-request` to `false`, `filter-all-dispatcher-types` to `true`, and `use-authorization-manager` to `true`.
Also, xref:servlet/authorization/authorize-requests.adoc#filtersecurityinterceptor-every-request[`authorizeRequests#filterSecurityInterceptorOncePerRequest`] defaults to `false` and xref:servlet/authorization/authorize-http-requests.adoc[`authorizeHttpRequests#filterAllDispatcherTypes`] defaults to `true`.
So, to complete migration, any defaults values can be removed.
For example, if you opted in to the 6.0 default for `filter-all-dispatcher-types` or `authorizeHttpRequests#filterAllDispatcherTypes` like so:
====
.Java
[source,java,role="primary"]
----
http
.authorizeHttpRequests((authorize) -> authorize
.filterAllDispatcherTypes(true)
// ...
)
----
.Kotlin
[source,java,role="secondary"]
----
http {
authorizeHttpRequests {
filterAllDispatcherTypes = true
// ...
}
}
----
.Xml
[source,xml,role="secondary"]
----
<http use-authorization-manager="true" filter-all-dispatcher-types="true"/>
----
====
then the defaults may be removed:
====
.Java
[source,java,role="primary"]
----
http
.authorizeHttpRequests((authorize) -> authorize
// ...
)
----
.Kotlin
[source,java,role="secondary"]
----
http {
authorizeHttpRequests {
// ...
}
}
----
.Xml
[source,xml,role="secondary"]
----
<http/>
----
====
[NOTE]
====
`once-per-request` applies only when `use-authorization-manager="false"` and `filter-all-dispatcher-types` only applies when `use-authorization-manager="true"`
====
== Reactive == Reactive
=== Use `AuthorizationManager` for Method Security === Use `AuthorizationManager` for Method Security