GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-2782: Additional Updates to Migration Guide from 3.x to 4.x

pull/180/head
Rob Winch 11 years ago
parent
bed20db905
commit
9b4cbff58c
1 changed files with 233 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 236
      docs/manual/src/docs/asciidoc/_includes/migrate-3-to-4.adoc

236
docs/manual/src/docs/asciidoc/_includes/migrate-3-to-4.adoc
Unescape View File

@ -8,7 +8,7 @@ As a major release version, the Spring Security team took the opportunity to mak @@ -8,7 +8,7 @@ As a major release version, the Spring Security team took the opportunity to mak
* Minimizing https://www.owasp.org/index.php/Information_Leakage[Information Leakage]
* Removing deprecated APIs
A complete listing of non-passive changes between 3.x and 4.x can be found in https://jira.spring.io/issues/?jql=project%20%3D%20SEC%20AND%20status%20in%20(Resolved%2C%20Closed)%20AND%20fixVersion%20in%20(4.0.0.M1%2C%204.0.0.M2%2C%204.0.0.RC1%2C%204.0.0.RC2)%20AND%20labels%20%3D%20passivity[JIRA]
A complete listing of non-passive changes between 3.x and 4.x can be found in https://jira.spring.io/issues/?jql=project%20%3D%20SEC%20AND%20status%20in%20(Resolved%2C%20Closed)%20AND%20fixVersion%20in%20(4.0.0%2C%204.0.0.M1%2C%204.0.0.M2%2C%204.0.0.RC1%2C%204.0.0.RC2)%20AND%20labels%20%3D%20passivity[JIRA]
This guide is intended to help users migrate from Spring Security 3.x to Spring Security 4.x.
NOTE: It is expected that users will be able to easily perform a successful migration within an hour.
@ -17,9 +17,31 @@ NOTE: It is expected that users will be able to easily perform a successful migr @@ -17,9 +17,31 @@ NOTE: It is expected that users will be able to easily perform a successful migr
== Migrate XML Namespace Defaults
We updated the default values for many of the Spring Security XML Namespace Elements.
If you do not use XML based configuration, you may safely skip this section and proceed to <<m3to4-filter-urls>>
You can find a detailed list of changes and how to address them below.
NOTE: If you do not use XML based configuration, you may safely skip this section and proceed to <<m3to4-filter-urls>>
[[m3to4-xmlnamespace-related]]
=== Related Links
For thoroughness we have include the related links in the table below.
|====
| JIRA | Commits
| https://jira.spring.io/browse/SEC-2783[SEC-2783]
| https://github.com/spring-projects/spring-security/commit/c67ff42b8abe124b7956896c78e9aac896fd79d9[c67ff42]
| https://jira.spring.io/browse/SEC-2347[SEC-2347]
| https://github.com/spring-projects/spring-security/commit/4392205f63e49b9675b06e584f571a48b017d0b6[4392205]
| https://jira.spring.io/browse/SEC-2348[SEC-2348]
| https://github.com/spring-projects/spring-security/commit/eedbf442359f9a99e367f2fdef61deea1cef46c9[eedbf44]
| https://jira.spring.io/browse/SEC-2873[SEC-2873]
| https://github.com/spring-projects/spring-security/commit/5f57e5b0c3726466db4f5d0521ac26423f0d9cd4[5f57e5b]
|====
[[m3to4-xmlnamespace-http]]
=== Migrate <http>
@ -558,4 +580,212 @@ http @@ -558,4 +580,212 @@ http
[[m3to4-deprecations]]
== Deprecations
TBD
=== spring-security-acl
==== AclImpl
AclImpl had a deprecated constructor removed. Specifically, the constructor that defaults the `PermissionGrantingStrategy` was removed:
[source,java]
----
@Deprecated
public AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy,
AuditLogger auditLogger, Acl parentAcl, List<Sid> loadedSids, boolean entriesInheriting, Sid owner) {
...
}
----
This means that an AclImpl was being created with this constructor:
[source,java]
----
new AclImpl(objectIdentity, id, aclAuthorizationStrategy, auditLogger,
parentAcl, loadedSids, entriesInheriting, owner);
----
it needs to be updated to pass in the `PermissionGrantingStrategy` instead of the `AuditLogger`
[source,java]
----
PermissionGrantingStrategy permissionGrantingStrategy =
new DefaultPermissionGrantingStrategy(auditLogger);
new AclImpl(objectIdentity, id, aclAuthorizationStrategy, permissionGrantingStrategy,
parentAcl, loadedSids, entriesInheriting, owner);
----
==== EhCacheBasedAclCache
`EhCacheBasedAclCache` had a deprecated constructor removed. Specifically, the constructor that defaults the `PermissionGrantingStrategy` was removed:
[source,java]
----
@Deprecated
public EhCacheBasedAclCache(Ehcache cache) {
...
}
----
This means that an `EhCacheBasedAclCache` was being created with this constructor:
[source,java]
----
new EhCacheBasedAclCache(ehCache);
----
it needs to be updated to pass in the `PermissionGrantingStrategy` too:
[source,java]
----
PermissionGrantingStrategy permissionGrantingStrategy =
new DefaultPermissionGrantingStrategy(auditLogger);
new EhCacheBasedAclCache(ehCache, permissionGrantingStrategy);
----
=== spring-security-cas
==== ServiceAuthenticationDetailsSource
`ServiceAuthenticationDetailsSource` removed the deprecated construtors that defaulted the `ServiceProperties`.
[source,java]
----
@Deprecated
public ServiceAuthenticationDetailsSource() {
...
}
@Deprecated
public ServiceAuthenticationDetailsSource(final String artifactParameterName) {
...
}
----
This means that an `ServiceAuthenticationDetailsSource` was being created with these constructors:
[source,java]
----
new ServiceAuthenticationDetailsSource();
new ServiceAuthenticationDetailsSource(artifactId);
----
it needs to be updated to pass in the `ServiceProperties` as shown below:
[source,java]
----
new ServiceAuthenticationDetailsSource(serviceProperties);
new ServiceAuthenticationDetailsSource(serviceProperties, artifactId);
----
=== spring-security-config
==== filter-invocation-definition-source
The XML element `filter-invocation-definition-source` was removed in favor of <<nsa-filter-security-metadata-source,filter-security-metadata-source>>.
This means if you have something like this:
[source,xml]
----
<filter-invocation-definition-source ...>
...
</filter-invocation-definition-source>
----
it needs to be replaced with:
[source,xml]
----
<filter-security-metadata-source ...>
...
</filter-security-metadata-source>
----
==== http@access-denied-page
The XML attribute `http@access-denied-page` was removed in favor of <<nsa-access-denied-handler-error-page,access-denied-handler@error-page>>.
This means if you have something like this:
[source,xml]
----
<http ... access-denied-page="/denied">
...
</http>
----
it needs to be replaced with:
[source,xml]
----
<http ...>
<access-denied-handler error-page="/denied"/>
</http>
----
==== http@path-type
The XML attribute `http@path-type` was removed in favor of <<nsa-http-request-matcher,http@request-matcher>>.
This means if you have something like this:
[source,xml]
----
<http ... path-type="regex">
...
</http>
----
it needs to be replaced with:
[source,xml]
----
<http ... request-matcher="regex">
...
</http>
----
==== filter-chain-map@path-type
The XML attribute `filter-chain-map@path-type` was removed in favor of <<nsa-filter-chain-map-request-matcher,filter-chain-map@request-matcher>>.
This means if you have something like this:
[source,xml]
----
<filter-chain-map ... path-type="regex">
...
</filter-chain-map>
----
it needs to be replaced with:
[source,xml]
----
<filter-chain-map ... request-matcher="regex">
...
</filter-chain-map>
----
==== filter-security-metadata-source@path-type
The XML attribute `filter-security-metadata-source@path-type` was removed in favor of <<nsa-filter-security-metadata-source-request-matcher,filter-security-metadata-source@request-matcher>>.
This means if you have something like this:
[source,xml]
----
<filter-security-metadata-source ... path-type="regex">
...
</filter-security-metadata-source>
----
it needs to be replaced with:
[source,xml]
----
<filter-security-metadata-source ... request-matcher="regex">
...
</filter-security-metadata-source>
----

Write Preview
Loading…
Cancel
Save