From ed774d35950a6ecfe89239f8741b11d89c0940a2 Mon Sep 17 00:00:00 2001 From: Fr05ty-hub Date: Wed, 7 Jan 2026 12:03:13 +0100 Subject: [PATCH 1/2] Replacing use of deprecated 'check' in authorization documentation check() was deprecated in Spring Security 7, but was referenced in documentation Signed-off-by: Fr05ty-hub --- docs/modules/ROOT/pages/servlet/authorization/architecture.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc index 2955a7c028..545824f0ba 100644 --- a/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc +++ b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc @@ -107,7 +107,7 @@ default void verify(Supplier authentication, Object secureObject } ---- -The ``AuthorizationManager``'s `check` method is passed all the relevant information it needs in order to make an authorization decision. +The ``AuthorizationManager``'s `authorize` method is passed all the relevant information it needs in order to make an authorization decision. In particular, passing the secure `Object` enables those arguments contained in the actual secure object invocation to be inspected. For example, let's assume the secure object was a `MethodInvocation`. It would be easy to query the `MethodInvocation` for any `Customer` argument, and then implement some sort of security logic in the `AuthorizationManager` to ensure the principal is permitted to operate on that customer. From e9a92a8e9a47be50b35f9f3d9dac5c6251651d0a Mon Sep 17 00:00:00 2001 From: Fr05ty-hub Date: Wed, 7 Jan 2026 14:09:40 +0100 Subject: [PATCH 2/2] Replacing use of deprecated 'check' in authorization documentation check() was deprecated in Spring Security 7, but is referenced in documentation Signed-off-by: Fr05ty-hub --- .../ROOT/pages/servlet/authorization/method-security.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc index 28f0009e1b..da4997efdb 100644 --- a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc +++ b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc @@ -118,7 +118,7 @@ A given invocation to `MyCustomerService#readCustomer` may look something like t image::{figures}/methodsecurity.png[] 1. Spring AOP invokes its proxy method for `readCustomer`. Among the proxy's other advisors, it invokes an javadoc:org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor[] that matches <> -2. The interceptor invokes javadoc:org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager[`PreAuthorizeAuthorizationManager#check`] +2. The interceptor invokes javadoc:org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager[`PreAuthorizeAuthorizationManager#authorize`] 3. The authorization manager uses a `MethodSecurityExpressionHandler` to parse the annotation's <> and constructs a corresponding `EvaluationContext` from a `MethodSecurityExpressionRoot` containing xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[a `Supplier`] and `MethodInvocation`. 4. The interceptor uses this context to evaluate the expression; specifically, it reads xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[the `Authentication`] from the `Supplier` and checks whether it has `permission:read` in its collection of xref:servlet/authorization/architecture.adoc#authz-authorities[authorities] 5. If the evaluation passes, then Spring AOP proceeds to invoke the method.
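Review bot: in the architecture.adoc hunk (patch 1/2), the reworded sentence now names `authorize`, but the code listing it describes closes just above it and is not part of the change; only its tail, `default void verify(...)`, is visible as context. Please confirm that the listing declares `authorize` rather than `check`, and include it in this patch if it does not, so the prose and the listing it explains stay in agreement.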
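Review bot: in the method-security.adoc hunk (patch 2/2), step 2 is the only `#check` reference touched, and the rest of the page is not visible here, so please search this file and the neighbouring authorization pages for remaining `check` method mentions so the rename lands in one pass. Only the link text changes to `PreAuthorizeAuthorizationManager#authorize`; the `javadoc:` target stays at class level, which looks right. As a style point, this patch carries the same subject line as 1/2: name the file in each subject, or squash the two one-line changes into a single commit.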