Add Request Security Migration Steps

Issue gh-11337

docs/modules/ROOT/pages/migration.adoc

@@ -75,6 +75,77 @@ changes to:
 
 There are no further migrations steps for Java or Kotlin for this feature.
 
+=== Use `AuthorizationManager` for Request Security
+
+In 6.0, `<http>` defaults `once-per-request` to `false`, `filter-all-dispatcher-types` to `true`, and `use-authorization-manager` to `true`.
+Also, xref:servlet/authorization/authorize-requests.adoc#filtersecurityinterceptor-every-request[`authorizeRequests#filterSecurityInterceptorOncePerRequest`] defaults to `false` and xref:servlet/authorization/authorize-http-requests.adoc[`authorizeHttpRequests#filterAllDispatcherTypes`] defaults to `true`.
+So, to complete migration, any defaults values can be removed.
+
+For example, if you opted in to the 6.0 default for `filter-all-dispatcher-types` or `authorizeHttpRequests#filterAllDispatcherTypes` like so:
+
+====
+.Java
+[source,java,role="primary"]
+----
+http
+    .authorizeHttpRequests((authorize) -> authorize
+        .filterAllDispatcherTypes(true)
+        // ...
+    )
+----
+
+.Kotlin
+[source,java,role="secondary"]
+----
+http {
+	authorizeHttpRequests {
+		filterAllDispatcherTypes = true
+        // ...
+	}
+}
+----
+
+.Xml
+[source,xml,role="secondary"]
+----
+<http use-authorization-manager="true" filter-all-dispatcher-types="true"/>
+----
+====
+
+then the defaults may be removed:
+
+====
+.Java
+[source,java,role="primary"]
+----
+http
+    .authorizeHttpRequests((authorize) -> authorize
+        // ...
+    )
+----
+
+.Kotlin
+[source,java,role="secondary"]
+----
+http {
+	authorizeHttpRequests {
+		// ...
+	}
+}
+----
+
+.Xml
+[source,xml,role="secondary"]
+----
+<http/>
+----
+====
+
+[NOTE]
+====
+`once-per-request` applies only when `use-authorization-manager="false"` and `filter-all-dispatcher-types` only applies when `use-authorization-manager="true"`
+====
+
 == Reactive
 
 === Use `AuthorizationManager` for Method Security