Merge remote-tracking branch 'origin/5.8.x'
This commit is contained in:
Josh Cummings
commit
7adc000c6b
|
|
@ -2,6 +2,7 @@
|
|||
* xref:prerequisites.adoc[Prerequisites]
|
||||
* xref:community.adoc[Community]
|
||||
* xref:whats-new.adoc[What's New]
|
||||
* xref:migration.adoc[Migrating for 6.0]
|
||||
* xref:getting-spring-security.adoc[Getting Spring Security]
|
||||
* xref:features/index.adoc[Features]
|
||||
** xref:features/authentication/index.adoc[Authentication]
|
||||
|
|
|
|||
|
|
@ -0,0 +1,183 @@
|
|||
[[migration]]
|
||||
= Migrating to 6.0
|
||||
|
||||
The Spring Security team has prepared the 5.8 release to simplify upgrading to Spring Security 6.0.
|
||||
Use 5.8 and the steps below to minimize changes when updating to 6.0.
|
||||
|
||||
== Servlet
|
||||
|
||||
=== Change `@EnableGlobalMethodSecurity` to `@EnableMethodSecurity`
|
||||
|
||||
xref:servlet/authorization/method-security.adoc[Method Security] has been xref:servlet/authorization/method-security.adoc#jc-enable-method-security[simplified] through {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[the `AuthorizationManager` API] and direct use of Spring AOP.
|
||||
|
||||
The public API difference between these two annotations is that {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableMethodSecurity.html[`@EnableMethodSecurity`] defaults `prePostEnabled` to `true`, while {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableGlobalMethodSecurity.html[`@EnableGlobalMethodSecurity`] defaults it to `false`.
|
||||
Also, `@EnableMethodSecurity` internally uses `AuthorizationManager` while `@EnableGlobalMethodSecurity` does not.
|
||||
|
||||
This means that the following two listings are functionally equivalent:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@EnableGlobalMethodSecurity(prePostEnabled = true)
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@EnableGlobalMethodSecurity(prePostEnabled = true)
|
||||
----
|
||||
====
|
||||
|
||||
changes to:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@EnableMethodSecurity
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@EnableMethodSecurity
|
||||
----
|
||||
====
|
||||
|
||||
For applications not using `prePostEnabled`, make sure to turn it off to avoid activating unwanted behavior.
|
||||
|
||||
For example, a listing like:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@EnableGlobalMethodSecurity(securedEnabled = true)
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@EnableGlobalMethodSecurity(securedEnabled = true)
|
||||
----
|
||||
====
|
||||
|
||||
should change to:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@EnableMethodSecurity(securedEnabled = true, prePostEnabled = false)
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@EnableMethodSecurity(securedEnabled = true, prePostEnabled = false)
|
||||
----
|
||||
====
|
||||
|
||||
Additionally, note that `@EnableMethodSecurity` activates stricter enforcement of Spring Security's non-repeatable or otherwise incompatible annotations.
|
||||
If after moving to `@EnableMethodSecurity` you see ``AnnotationConfigurationException``s in your logs, follow the instructions in the exception message to clean up your application's method security annotation usage.
|
||||
|
||||
==== Publish your custom `PermissionEvaluator` as a `MethodSecurityExpressionHandler`
|
||||
|
||||
`@EnableMethodSecurity` does not pick up a `PermissionEvaluator` bean.
|
||||
Instead, it picks up the more generic `MethodSecurityExpressionHandler` to simplify the API.
|
||||
|
||||
If you have a custom {security-api-url}org/springframework/security/access/PermissionEvaluator.html[`PermissionEvaluator`] `@Bean`, please change it from:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
PermissionEvaluator permissionEvaluator() {
|
||||
// ... your evaluator
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun permissionEvaluator(): PermissionEvaluator {
|
||||
// ... your evaluator
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
to:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
MethodSecurityExpressionHandler expressionHandler() {
|
||||
var expressionHandler = new DefaultMethodSecurityExpressionHandler();
|
||||
expressionHandler.setPermissionEvaluator(myPermissionEvaluator);
|
||||
return expressionHandler;
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun expressionHandler(): MethodSecurityExpressionHandler {
|
||||
val expressionHandler = DefaultMethodSecurityExpressionHandler
|
||||
expressionHandler.setPermissionEvaluator(myPermissionEvaluator)
|
||||
return expressionHandler
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
== Reactive
|
||||
|
||||
=== Activate `AuthorizationManager` in `@EnableReactiveMethodSecurity`
|
||||
|
||||
xref:reactive/authorization/method.adoc[Method Security] has been xref:reactive/authorization/method.adoc#jc-enable-reactive-method-security-authorization-manager[improved] through {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[the `AuthorizationManager` API] and direct use of Spring AOP.
|
||||
|
||||
In Spring Security 5.8, `useAuthorizationManager` was added to {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.html[`@EnableReactiveMethodSecurity`] to allow applications to opt-in to ``AuthorizationManager``'s features.
|
||||
|
||||
To opt in, change `useAuthorizationManager` to `true` like so:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@EnableReactiveMethodSecurity
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@EnableReactiveMethodSecurity
|
||||
----
|
||||
====
|
||||
|
||||
changes to:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@EnableReactiveMethodSecurity(useAuthorizationManager = true)
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@EnableReactiveMethodSecurity(useAuthorizationManager = true)
|
||||
----
|
||||
====
|
||||
|
||||
Note that in 6.0, `useAuthorizationManager` defaults to `true`.
|
||||
|
||||
Additionally, note that `useAuthorizationManager` activates stricter enforcement of Spring Security's non-repeatable or otherwise incompatible annotations.
|
||||
If after turning on `useAuthorizationManager` you see ``AnnotationConfigurationException``s in your logs, follow the instructions in the exception message to clean up your application's method security annotation usage.
|
||||
|
||||
|
||||
|
|
@ -7,6 +7,7 @@ It provides support for JSR-250 annotation security as well as the framework's o
|
|||
From 3.0, you can also make use of new xref:servlet/authorization/expression-based.adoc#el-access[expression-based annotations].
|
||||
You can apply security to a single bean, by using the `intercept-methods` element to decorate the bean declaration, or you can secure multiple beans across the entire service layer by using AspectJ style pointcuts.
|
||||
|
||||
[[jc-enable-method-security]]
|
||||
== EnableMethodSecurity
|
||||
|
||||
In Spring Security 5.6, we can enable annotation-based security using the `@EnableMethodSecurity` annotation on any `@Configuration` instance.
|
||||
|
|
|
|||
Loading…
Reference in New Issue