From 804db8cd89f8a72c556cf62e2e3cc2de01c1a9fd Mon Sep 17 00:00:00 2001
From: khj68 <junthewise@gmail.com>
Date: Sun, 17 Aug 2025 17:17:23 +0900
Subject: [PATCH] Add XML configuration guidance to deprecation warnings

When using XML-based Spring Security configuration, the standard
<intercept-url> elements internally translate to the deprecated
authorizeRequests mechanism, causing warnings that cannot be resolved
by XML users.

This change adds clarification to the deprecation warnings, informing
XML users that:
1. The warning can be ignored for XML configurations
2. They should continue using standard <intercept-url> elements
3. The deprecation only affects Java/Kotlin configuration users

This resolves the confusion for XML users who receive deprecation
warnings despite using officially supported XML configuration.

Closes gh-17259

Signed-off-by: khj68 <junthewise@gmail.com>
---
 .../security/config/http/DefaultFilterChainValidator.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
index a7dcbbdd98..30702f403d 100644
--- a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
+++ b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
@@ -126,11 +126,15 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
 			}
 			if (authorizationFilter != null && filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests. "
+								+ "Note: If using XML configuration, this warning can be ignored as XML <intercept-url> elements internally use the deprecated mechanism. "
+								+ "XML users should continue using standard <intercept-url> configuration.");
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration. "
+								+ "Note: If using XML configuration, this warning can be ignored as XML <intercept-url> elements internally use the deprecated mechanism. "
+								+ "XML users should continue using standard <intercept-url> configuration.");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;