Add XML configuration guidance to deprecation warnings

khj68 · khj68 · commit 804db8cd89f8 · 2025-08-17T17:17:23.000+09:00
When using XML-based Spring Security configuration, the standard <intercept-url> elements internally translate to the deprecated authorizeRequests mechanism, causing warnings that cannot be resolved by XML users. This change adds clarification to the deprecation warnings, informing XML users that: 1. The warning can be ignored for XML configurations 2. They should continue using standard <intercept-url> elements 3. The deprecation only affects Java/Kotlin configuration users This resolves the confusion for XML users who receive deprecation warnings despite using officially supported XML configuration. Closes gh-17259 Signed-off-by: khj68 <junthewise@gmail.com>
diff --git a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
@@ -126,11 +126,15 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
 			}
 			if (authorizationFilter != null && filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests. "
+								+ "Note: If using XML configuration, this warning can be ignored as XML <intercept-url> elements internally use the deprecated mechanism. "
+								+ "XML users should continue using standard <intercept-url> configuration.");
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration. "
+								+ "Note: If using XML configuration, this warning can be ignored as XML <intercept-url> elements internally use the deprecated mechanism. "
+								+ "XML users should continue using standard <intercept-url> configuration.");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;

Original file line number	Diff line number	Diff line change
`@@ -126,11 +126,15 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {`
`126`	`126`	`}`
`127`	`127`	`if (authorizationFilter != null && filterSecurityInterceptor != null) {`
`128`	`128`	`this.logger.warn(`
`129`		`- "It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");`
	`129`	`+ "It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests. "`
	`130`	`+ + "Note: If using XML configuration, this warning can be ignored as XML <intercept-url> elements internally use the deprecated mechanism. "`
	`131`	`+ + "XML users should continue using standard <intercept-url> configuration.");`
`130`	`132`	`}`
`131`	`133`	`if (filterSecurityInterceptor != null) {`
`132`	`134`	`this.logger.warn(`
`133`		`- "Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");`
	`135`	`+ "Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration. "`
	`136`	`+ + "Note: If using XML configuration, this warning can be ignored as XML <intercept-url> elements internally use the deprecated mechanism. "`
	`137`	`+ + "XML users should continue using standard <intercept-url> configuration.");`
`134`	`138`	`}`
`135`	`139`	`authorizationFilter = null;`
`136`	`140`	`filterSecurityInterceptor = null;`