|
| 1 | +[[migration]] |
| 2 | += Migrating to 6.0 |
| 3 | + |
| 4 | +The Spring Security team has prepared the 5.8 release to simplify upgrading to Spring Security 6.0. |
| 5 | +Use 5.8 and the steps below to minimize changes when updating to 6.0. |
| 6 | + |
| 7 | +== Servlet |
| 8 | + |
| 9 | +=== Change `@EnableGlobalMethodSecurity` to `@EnableMethodSecurity` |
| 10 | + |
| 11 | +xref:servlet/authorization/method-security.adoc[Method Security] has been xref:servlet/authorization/method-security.adoc#jc-enable-method-security[simplified] through {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[the `AuthorizationManager` API] and direct use of Spring AOP. |
| 12 | + |
| 13 | +The public API difference between these two annotations is that {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableMethodSecurity.html[`@EnableMethodSecurity`] defaults `prePostEnabled` to `true`, while {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableGlobalMethodSecurity.html[`@EnableGlobalMethodSecurity`] defaults it to `false`. |
| 14 | +Also, `@EnableMethodSecurity` internally uses `AuthorizationManager` while `@EnableGlobalMethodSecurity` does not. |
| 15 | + |
| 16 | +This means that the following two listings are functionally equivalent: |
| 17 | + |
| 18 | +==== |
| 19 | +.Java |
| 20 | +[source,java,role="primary"] |
| 21 | +---- |
| 22 | +@EnableGlobalMethodSecurity(prePostEnabled = true) |
| 23 | +---- |
| 24 | +
|
| 25 | +.Kotlin |
| 26 | +[source,kotlin,role="secondary"] |
| 27 | +---- |
| 28 | +@EnableGlobalMethodSecurity(prePostEnabled = true) |
| 29 | +---- |
| 30 | +==== |
| 31 | + |
| 32 | +changes to: |
| 33 | + |
| 34 | +==== |
| 35 | +.Java |
| 36 | +[source,java,role="primary"] |
| 37 | +---- |
| 38 | +@EnableMethodSecurity |
| 39 | +---- |
| 40 | +
|
| 41 | +.Kotlin |
| 42 | +[source,kotlin,role="secondary"] |
| 43 | +---- |
| 44 | +@EnableMethodSecurity |
| 45 | +---- |
| 46 | +==== |
| 47 | + |
| 48 | +For applications not using `prePostEnabled`, make sure to turn it off to avoid activating unwanted behavior. |
| 49 | + |
| 50 | +For example, a listing like: |
| 51 | + |
| 52 | +==== |
| 53 | +.Java |
| 54 | +[source,java,role="primary"] |
| 55 | +---- |
| 56 | +@EnableGlobalMethodSecurity(securedEnabled = true) |
| 57 | +---- |
| 58 | +
|
| 59 | +.Kotlin |
| 60 | +[source,kotlin,role="secondary"] |
| 61 | +---- |
| 62 | +@EnableGlobalMethodSecurity(securedEnabled = true) |
| 63 | +---- |
| 64 | +==== |
| 65 | + |
| 66 | +should change to: |
| 67 | + |
| 68 | +==== |
| 69 | +.Java |
| 70 | +[source,java,role="primary"] |
| 71 | +---- |
| 72 | +@EnableMethodSecurity(securedEnabled = true, prePostEnabled = false) |
| 73 | +---- |
| 74 | +
|
| 75 | +.Kotlin |
| 76 | +[source,kotlin,role="secondary"] |
| 77 | +---- |
| 78 | +@EnableMethodSecurity(securedEnabled = true, prePostEnabled = false) |
| 79 | +---- |
| 80 | +==== |
| 81 | + |
| 82 | +Additionally, note that `@EnableMethodSecurity` activates stricter enforcement of Spring Security's non-repeatable or otherwise incompatible annotations. |
| 83 | +If after moving to `@EnableMethodSecurity` you see ``AnnotationConfigurationException``s in your logs, follow the instructions in the exception message to clean up your application's method security annotation usage. |
| 84 | + |
| 85 | +==== Publish your custom `PermissionEvaluator` as a `MethodSecurityExpressionHandler` |
| 86 | + |
| 87 | +`@EnableMethodSecurity` does not pick up a `PermissionEvaluator` bean. |
| 88 | +Instead, it picks up the more generic `MethodSecurityExpressionHandler` to simplify the API. |
| 89 | + |
| 90 | +If you have a custom {security-api-url}org/springframework/security/access/PermissionEvaluator.html[`PermissionEvaluator`] `@Bean`, please change it from: |
| 91 | + |
| 92 | +==== |
| 93 | +.Java |
| 94 | +[source,java,role="primary"] |
| 95 | +---- |
| 96 | +@Bean |
| 97 | +PermissionEvaluator permissionEvaluator() { |
| 98 | + // ... your evaluator |
| 99 | +} |
| 100 | +---- |
| 101 | +
|
| 102 | +.Kotlin |
| 103 | +[source,kotlin,role="secondary"] |
| 104 | +---- |
| 105 | +@Bean |
| 106 | +fun permissionEvaluator(): PermissionEvaluator { |
| 107 | + // ... your evaluator |
| 108 | +} |
| 109 | +---- |
| 110 | +==== |
| 111 | + |
| 112 | +to: |
| 113 | + |
| 114 | +==== |
| 115 | +.Java |
| 116 | +[source,java,role="primary"] |
| 117 | +---- |
| 118 | +@Bean |
| 119 | +MethodSecurityExpressionHandler expressionHandler() { |
| 120 | + var expressionHandler = new DefaultMethodSecurityExpressionHandler(); |
| 121 | + expressionHandler.setPermissionEvaluator(myPermissionEvaluator); |
| 122 | + return expressionHandler; |
| 123 | +} |
| 124 | +---- |
| 125 | +
|
| 126 | +.Kotlin |
| 127 | +[source,kotlin,role="secondary"] |
| 128 | +---- |
| 129 | +@Bean |
| 130 | +fun expressionHandler(): MethodSecurityExpressionHandler { |
| 131 | + val expressionHandler = DefaultMethodSecurityExpressionHandler |
| 132 | + expressionHandler.setPermissionEvaluator(myPermissionEvaluator) |
| 133 | + return expressionHandler |
| 134 | +} |
| 135 | +---- |
| 136 | +==== |
| 137 | + |
| 138 | +== Reactive |
| 139 | + |
| 140 | +=== Activate `AuthorizationManager` in `@EnableReactiveMethodSecurity` |
| 141 | + |
| 142 | +xref:reactive/authorization/method.adoc[Method Security] has been xref:reactive/authorization/method.adoc#jc-enable-reactive-method-security-authorization-manager[improved] through {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[the `AuthorizationManager` API] and direct use of Spring AOP. |
| 143 | + |
| 144 | +In Spring Security 5.8, `useAuthorizationManager` was added to {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.html[`@EnableReactiveMethodSecurity`] to allow applications to opt-in to ``AuthorizationManager``'s features. |
| 145 | + |
| 146 | +To opt in, change `useAuthorizationManager` to `true` like so: |
| 147 | + |
| 148 | +==== |
| 149 | +.Java |
| 150 | +[source,java,role="primary"] |
| 151 | +---- |
| 152 | +@EnableReactiveMethodSecurity |
| 153 | +---- |
| 154 | +
|
| 155 | +.Kotlin |
| 156 | +[source,kotlin,role="secondary"] |
| 157 | +---- |
| 158 | +@EnableReactiveMethodSecurity |
| 159 | +---- |
| 160 | +==== |
| 161 | + |
| 162 | +changes to: |
| 163 | + |
| 164 | +==== |
| 165 | +.Java |
| 166 | +[source,java,role="primary"] |
| 167 | +---- |
| 168 | +@EnableReactiveMethodSecurity(useAuthorizationManager = true) |
| 169 | +---- |
| 170 | +
|
| 171 | +.Kotlin |
| 172 | +[source,kotlin,role="secondary"] |
| 173 | +---- |
| 174 | +@EnableReactiveMethodSecurity(useAuthorizationManager = true) |
| 175 | +---- |
| 176 | +==== |
| 177 | + |
| 178 | +Note that in 6.0, `useAuthorizationManager` defaults to `true`. |
| 179 | + |
| 180 | +Additionally, note that `useAuthorizationManager` activates stricter enforcement of Spring Security's non-repeatable or otherwise incompatible annotations. |
| 181 | +If after turning on `useAuthorizationManager` you see ``AnnotationConfigurationException``s in your logs, follow the instructions in the exception message to clean up your application's method security annotation usage. |
| 182 | + |
| 183 | + |
0 commit comments