From 5c88b95af57b54aca57eea7889fc42a42712565e Mon Sep 17 00:00:00 2001
From: Marcus Da Coregio
Date: Thu, 25 May 2023 09:51:28 -0300
Subject: [PATCH] Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults
Closes gh-13227
---
 .../migration/servlet/authorization.adoc | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/docs/modules/ROOT/pages/migration/servlet/authorization.adoc b/docs/modules/ROOT/pages/migration/servlet/authorization.adoc
index 51d6539a1c..4c596570c3 100644
--- a/docs/modules/ROOT/pages/migration/servlet/authorization.adoc
+++ b/docs/modules/ROOT/pages/migration/servlet/authorization.adoc
@@ -1545,6 +1545,53 @@ public final class AnyRequestAuthenticatedAuthorizationManagerAdapter implements
 Once you have implemented `AuthorizationManager`, please follow the details in the reference manual for xref:servlet/authorization/authorize-http-requests.adoc#custom-authorization-manager[adding a custom `AuthorizationManager`].
 
+[[replace-hasrole-hasauthority]]
+=== Replace `hasRole` with `hasAuthority` if using `GrantedAuthorityDefaults`
+
+Currently, the `hasRole` method inside `authorizeHttpRequests` does not support the `GrantedAuthorityDefaults` bean like the `authorizeRequests` does.
+Therefore, if you are using `GrantedAuthorityDefaults` to change the prefix of your roles, you will need to use `hasAuthority` instead of `hasRole`.
+
+For example, you will have to change from:
+
+====
+.authorizeRequests with custom role prefix
+[source,java]
+----
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http
+ .authorizeRequests((authorize) -> authorize
+ .anyRequest().hasRole("ADMIN")
+ );
+ return http.build();
+}
+
+@Bean
+public GrantedAuthorityDefaults grantedAuthorityDefaults() {
+ return new GrantedAuthorityDefaults("MYPREFIX_");
+}
+----
+====
+
+to:
+
+====
+.authorizeHttpRequests with hasAuthority and custom role prefix
+[source,java]
+----
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http
+ .authorizeHttpRequests((authorize) -> authorize
+ .anyRequest().hasAuthority("MYPREFIX_ADMIN")
+ );
+ return http.build();
+}
+----
+====
+
+This should be supported in the future, see https://github.com/spring-projects/spring-security/issues/13215[gh-13227] for more details.
+
 [[servlet-authorizationmanager-requests-opt-out]]
 === Opt-out Steps