mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-05-31 09:12:14 +00:00
205 lines
5.0 KiB
Plaintext
205 lines
5.0 KiB
Plaintext
[[migration]]
|
|
= Migrating to 6.0
|
|
|
|
The Spring Security team has prepared the 5.8 release to simplify upgrading to Spring Security 6.0.
|
|
Use 5.8 and its preparation steps to simplify updating to 6.0
|
|
|
|
After updating to 5.8, follow this guide to perform any needed migration steps.
|
|
|
|
Also, this guide includes ways to <<revert,revert to 5.x>> behaviors and its defaults, should you run into trouble.
|
|
|
|
== Servlet
|
|
|
|
=== Use `AuthorizationManager` for Method Security
|
|
|
|
There are no further migration steps for this feature.
|
|
However, if you run into trouble with this enhancement, you can instead <<servlet-replace-methodsecurity-with-globalmethodsecurity,revert the behavior>>.
|
|
|
|
== Reactive
|
|
|
|
=== Use `AuthorizationManager` for Method Security
|
|
|
|
If you run into trouble with this enhancement, you can instead <<reactive-change-to-useauthorizationmanager-false,revert the behavior>>.
|
|
|
|
[[reactive-method-security-remove-useauthorizationmanager]]
|
|
[%interactive]
|
|
* [ ] Remove `useAuthorizationManager` usage from `@EnableReactiveMethodSecurity`
|
|
|
|
{security-api-url}org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.html[`@EnableReactiveMethodSecurity`] sets `useAuthorizationManager` to `true` by default.
|
|
Because of that, in 6.0 you can change:
|
|
|
|
====
|
|
.Java
|
|
[source,java,role="primary"]
|
|
----
|
|
@EnableReactiveMethodSecurity(useAuthorizationManager = true)
|
|
----
|
|
|
|
.Kotlin
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@EnableReactiveMethodSecurity(useAuthorizationManager = true)
|
|
----
|
|
====
|
|
|
|
to:
|
|
|
|
====
|
|
.Java
|
|
[source,java,role="primary"]
|
|
----
|
|
@EnableReactiveMethodSecurity
|
|
----
|
|
|
|
.Kotlin
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@EnableReactiveMethodSecurity
|
|
----
|
|
====
|
|
|
|
'''
|
|
|
|
[[revert]]
|
|
If you are running into trouble with any of the 6.0 changes, please first try to apply the following changes to get you up and running.
|
|
It's more important to stay on 6.0 and get the security improvements.
|
|
|
|
== Revert Servlet
|
|
|
|
=== Don't Use `AuthorizationManager` in Method Security
|
|
|
|
[[servlet-replace-methodsecurity-with-globalmethodsecurity]]
|
|
[%interactive]
|
|
* [ ] Replace xref:servlet/authorization/method-security.adoc#jc-enable-method-security[method security] with xref:servlet/authorization/method-security.adoc#jc-enable-global-method-security[global method security]
|
|
|
|
For applications using xref:servlet/authorization/method-security.adoc#jc-enable-method-security[pre-post annotations], make sure to turn it on to reactivate the behavior.
|
|
|
|
For example, change:
|
|
|
|
====
|
|
.Java
|
|
[source,java,role="primary"]
|
|
----
|
|
@EnableMethodSecurity
|
|
----
|
|
|
|
.Kotlin
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@EnableMethodSecurity
|
|
----
|
|
|
|
.Xml
|
|
[source,xml,role="secondary"]
|
|
----
|
|
<method-security/>
|
|
----
|
|
====
|
|
|
|
to:
|
|
|
|
====
|
|
.Java
|
|
[source,java,role="primary"]
|
|
----
|
|
@EnableGlobalMethodSecurity(prePostEnabled = true)
|
|
----
|
|
|
|
.Kotlin
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@EnableGlobalMethodSecurity(prePostEnabled = true)
|
|
----
|
|
|
|
.Xml
|
|
[source,xml,role="secondary"]
|
|
----
|
|
<global-method-security pre-post-enabled="true"/>
|
|
----
|
|
====
|
|
|
|
Other usages can simply change {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableMethodSecurity.html[`@EnableMethodSecurity`] and xref:servlet/appendix/namespace/method-security.adoc#nsa-method-security[`<method-security>`] to {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableGlobalMethodSecurity.html[`@EnableGlobalMethodSecurity`] and xref:servlet/appendix/namespace/method-security.adoc#nsa-global-method-security[`<global-method-security>`], like so:
|
|
|
|
====
|
|
.Java
|
|
[source,java,role="primary"]
|
|
----
|
|
@EnableMethodSecurity(securedEnabled = true, prePostEnabled = false)
|
|
----
|
|
|
|
.Kotlin
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@EnableMethodSecurity(securedEnabled = true, prePostEnabled = false)
|
|
----
|
|
|
|
.Xml
|
|
[source,xml,role="secondary"]
|
|
----
|
|
<method-security secured-enabled="true" pre-post-enabled="false"/>
|
|
----
|
|
====
|
|
|
|
should change to:
|
|
|
|
====
|
|
.Java
|
|
[source,java,role="primary"]
|
|
----
|
|
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = false)
|
|
----
|
|
|
|
.Kotlin
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = false)
|
|
----
|
|
|
|
.Xml
|
|
[source,xml,role="secondary"]
|
|
----
|
|
<global-method-security secured-enabled="true" pre-post-enabled="false"/>
|
|
----
|
|
====
|
|
|
|
== Revert Reactive
|
|
|
|
=== Don't Use `AuthorizationManager` in Method Security
|
|
|
|
[[reactive-change-to-useauthorizationmanager-false]]
|
|
[%interactive]
|
|
* [ ] Change `useAuthorizationManager` to `false`
|
|
|
|
To opt-out of {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[`AuthorizationManager`] for reactive method security, add `useAuthorizationManager = false`:
|
|
|
|
====
|
|
.Java
|
|
[source,java,role="primary"]
|
|
----
|
|
@EnableReactiveMethodSecurity
|
|
----
|
|
|
|
.Kotlin
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@EnableReactiveMethodSecurity
|
|
----
|
|
====
|
|
|
|
changes to:
|
|
|
|
====
|
|
.Java
|
|
[source,java,role="primary"]
|
|
----
|
|
@EnableReactiveMethodSecurity(useAuthorizationManager = false)
|
|
----
|
|
|
|
.Kotlin
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@EnableReactiveMethodSecurity(useAuthorizationManager = false)
|
|
----
|
|
====
|
|
|