Polish Method Security Migration Steps

- Revert steps removed since implicitly included in preparation guide

Issue gh-11337
Josh Cummings 2022-10-28 09:51:02 -06:00
parent e727ef3e86
commit 56482e25de
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
1 changed files with 0 additions and 134 deletions

@ -47,7 +47,6 @@ include::partial$servlet/architecture/request-cache-continue.adoc[]
=== Use `AuthorizationManager` for Method Security === Use `AuthorizationManager` for Method Security
There are no further migration steps for this feature. There are no further migration steps for this feature.
However, if you run into trouble with this enhancement, you can instead <<servlet-replace-methodsecurity-with-globalmethodsecurity,revert the behavior>>.
=== Use `AuthorizationManager` for Message Security === Use `AuthorizationManager` for Message Security
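Review bot: The sentence removed after "There are no further migration steps for this feature." was the only pointer in this section for readers who run into trouble with `AuthorizationManager`-based method security, and nothing takes its place. The commit message says the revert steps are implicitly covered by the preparation guide, so consider replacing the removed line with an xref to that guide rather than dropping the pointer entirely.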
@ -80,8 +79,6 @@ There are no further migrations steps for Java or Kotlin for this feature.
=== Use `AuthorizationManager` for Method Security === Use `AuthorizationManager` for Method Security
If you run into trouble with this enhancement, you can instead <<reactive-change-to-useauthorizationmanager-false,revert the behavior>>.
In 6.0, `@EnableReactiveMethodSecurity` defaults `useAuthorizationManager` to `true`. In 6.0, `@EnableReactiveMethodSecurity` defaults `useAuthorizationManager` to `true`.
So, to complete migration, {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.html[`@EnableReactiveMethodSecurity`] remove the `useAuthorizationManager` attribute: So, to complete migration, {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.html[`@EnableReactiveMethodSecurity`] remove the `useAuthorizationManager` attribute:
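Review bot: Style point on the last context line of this hunk: "So, to complete migration, ...[`@EnableReactiveMethodSecurity`] remove the `useAuthorizationManager` attribute:" puts the verb after the link and reads awkwardly. Since the sentence above it is being deleted in this change, reword it in the same pass, for example "remove the `useAuthorizationManager` attribute from `@EnableReactiveMethodSecurity`". The context line in the hunk header also says "migrations steps", which could be fixed at the same time.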
@ -123,135 +120,4 @@ It's more important to stay on 6.0 and get the security improvements.
== Revert Servlet == Revert Servlet
[[servlet-replace-methodsecurity-with-globalmethodsecurity]]
=== Don't Use `AuthorizationManager` in Method Security
To opt out of `AuthorizationManager` for Method Security, replace xref:servlet/authorization/method-security.adoc#jc-enable-method-security[method security] with xref:servlet/authorization/method-security.adoc#jc-enable-global-method-security[global method security]
For applications using xref:servlet/authorization/method-security.adoc#jc-enable-method-security[pre-post annotations], make sure to turn it on to reactivate the behavior.
For example, change:
====
.Java
[source,java,role="primary"]
----
@EnableMethodSecurity
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableMethodSecurity
----
.Xml
[source,xml,role="secondary"]
----
<method-security/>
----
====
to:
====
.Java
[source,java,role="primary"]
----
@EnableGlobalMethodSecurity(prePostEnabled = true)
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableGlobalMethodSecurity(prePostEnabled = true)
----
.Xml
[source,xml,role="secondary"]
----
<global-method-security pre-post-enabled="true"/>
----
====
Other usages can simply change {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableMethodSecurity.html[`@EnableMethodSecurity`] and xref:servlet/appendix/namespace/method-security.adoc#nsa-method-security[`<method-security>`] to {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableGlobalMethodSecurity.html[`@EnableGlobalMethodSecurity`] and xref:servlet/appendix/namespace/method-security.adoc#nsa-global-method-security[`<global-method-security>`], like so:
====
.Java
[source,java,role="primary"]
----
@EnableMethodSecurity(securedEnabled = true, prePostEnabled = false)
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableMethodSecurity(securedEnabled = true, prePostEnabled = false)
----
.Xml
[source,xml,role="secondary"]
----
<method-security secured-enabled="true" pre-post-enabled="false"/>
----
====
should change to:
====
.Java
[source,java,role="primary"]
----
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = false)
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = false)
----
.Xml
[source,xml,role="secondary"]
----
<global-method-security secured-enabled="true" pre-post-enabled="false"/>
----
====
== Revert Reactive == Revert Reactive
[[reactive-change-to-useauthorizationmanager-false]]
=== Don't Use `AuthorizationManager` in Method Security
To opt-out of {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[`AuthorizationManager`] for reactive method security, add `useAuthorizationManager = false`:
====
.Java
[source,java,role="primary"]
----
@EnableReactiveMethodSecurity
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableReactiveMethodSecurity
----
====
changes to:
====
.Java
[source,java,role="primary"]
----
@EnableReactiveMethodSecurity(useAuthorizationManager = false)
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableReactiveMethodSecurity(useAuthorizationManager = false)
----
====
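Review bot: The `== Revert Servlet` and `== Revert Reactive` headings remain as unchanged context while everything under them is deleted, which leaves two empty sections at the end of the page. Remove the headings as well, or put a one-line pointer to the preparation guide under each. The anchors `[[servlet-replace-methodsecurity-with-globalmethodsecurity]]` and `[[reactive-change-to-useauthorizationmanager-false]]` are deleted here too; the two references in this file are removed in the earlier hunks, but it is worth checking that no other page still links to them.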