From d076ddb26ce7e8a0cc75f036215d711dc0430b5f Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Wed, 26 Oct 2022 12:52:37 -0600 Subject: [PATCH] Polish Method Security Migration Steps --- docs/modules/ROOT/pages/migration.adoc | 66 +++++++++++++++++++++----- 1 file changed, 55 insertions(+), 11 deletions(-) diff --git a/docs/modules/ROOT/pages/migration.adoc b/docs/modules/ROOT/pages/migration.adoc index 33dfcc33fb..939b1aad45 100644 --- a/docs/modules/ROOT/pages/migration.adoc +++ b/docs/modules/ROOT/pages/migration.adoc @@ -6,13 +6,24 @@ Use 5.8 and its preparation steps to simplify updating to 6.0 After updating to 5.8, follow this guide to perform any needed migration steps. -Also, this guide includes ways to revert to 5.x behaviors and its defaults, should you run into trouble. +Also, this guide includes ways to <> behaviors and its defaults, should you run into trouble. -== Updating +== Servlet -=== Reactive +=== Use `AuthorizationManager` for Method Security -==== Remove `useAuthorizationManager` usage from `@EnableReactiveMethodSecurity` +There are no further migration steps for this feature. +However, if you run into trouble with this enhancement, you can instead <>. + +== Reactive + +=== Use `AuthorizationManager` for Method Security + +If you run into trouble with this enhancement, you can instead <>. + +[[reactive-method-security-remove-useauthorizationmanager]] +[%interactive] +* [ ] Remove `useAuthorizationManager` usage from `@EnableReactiveMethodSecurity` {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.html[`@EnableReactiveMethodSecurity`] sets `useAuthorizationManager` to `true` by default. Because of that, in 6.0 you can change: 
@@ -47,16 +58,21 @@ to: ---- ==== -== Reverting +''' +[[revert]] If you are running into trouble with any of the 6.0 changes, please first try to apply the following changes to get you up and running. It's more important to stay on 6.0 and get the security improvements. -=== Servlet +== Revert Servlet + +=== Don't Use `AuthorizationManager` in Method Security -==== Change `@EnableMethodSecurity` to `@EnableGlobalMethodSecurity` +[[servlet-replace-methodsecurity-with-globalmethodsecurity]] +[%interactive] +* [ ] Replace xref:servlet/authorization/method-security.adoc#jc-enable-method-security[method security] with xref:servlet/authorization/method-security.adoc#jc-enable-global-method-security[global method security] -For applications using `prePostEnabled`, make sure to turn it on to reactivate the behavior. +For applications using xref:servlet/authorization/method-security.adoc#jc-enable-method-security[pre-post annotations], make sure to turn it on to reactivate the behavior. For example, change: @@ -72,6 +88,12 @@ For example, change: ---- @EnableMethodSecurity ---- + +.Xml +[source,xml,role="secondary"] +---- + +---- ==== to: 
@@ -88,9 +110,15 @@ to: ---- @EnableGlobalMethodSecurity(prePostEnabled = true) ---- + +.Xml +[source,xml,role="secondary"] +---- + +---- ==== -Other usage can simply change {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableMethodSecurity.html[`@EnableMethodSecurity`] to {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableGlobalMethodSecurity.html[`@EnableGlobalMethodSecurity`], like so: +Other usages can simply change {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableMethodSecurity.html[`@EnableMethodSecurity`] and xref:servlet/appendix/namespace/method-security.adoc#nsa-method-security[``] to {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableGlobalMethodSecurity.html[`@EnableGlobalMethodSecurity`] and xref:servlet/appendix/namespace/method-security.adoc#nsa-global-method-security[``], like so: ==== .Java @@ -104,6 +132,12 @@ Other usage can simply change {security-api-url}org/springframework/security/con ---- @EnableMethodSecurity(securedEnabled = true, prePostEnabled = false) ---- + +.Xml +[source,xml,role="secondary"] +---- + +---- ==== should change to: @@ -120,11 +154,21 @@ should change to: ---- @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = false) ---- + +.Xml +[source,xml,role="secondary"] +---- + +---- ==== -=== Reactive +== Revert Reactive + +=== Don't Use `AuthorizationManager` in Method Security -==== Deactivate `AuthorizationManager` in `@EnableReactiveMethodSecurity` +[[reactive-change-to-useauthorizationmanager-false]] +[%interactive] +* [ ] Change `useAuthorizationManager` to `false` To opt-out of {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[`AuthorizationManager`] for reactive method security, add `useAuthorizationManager = false`:
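Review bot: In the hunk at `@@ -6,13 +6,24 @@`, the three cross-references ("ways to <> behaviors" in the intro, and "you can instead <>" under both the Servlet and the Reactive heading) carry no target or link text as shown here, so a reader cannot tell where the revert instructions live. Point the intro at the `[[revert]]` anchor and each "you can instead" sentence at its own revert item, `servlet-replace-methodsecurity-with-globalmethodsecurity` and `reactive-change-to-useauthorizationmanager-false`, both of which this patch defines further down, and give each link readable text.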
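Review bot: In the hunk at `@@ -47,16 +58,21 @@`, the sentence "make sure to turn it on to reactivate the behavior" lost its antecedent when `prePostEnabled` was replaced by the "pre-post annotations" link, so "it" no longer names the attribute to set. Say `prePostEnabled = true` explicitly, as the example that follows does; a reader who swaps in `@EnableGlobalMethodSecurity` without it is left with pre-post annotations that are not enforced. Also, with `== Reverting` removed, the `[[revert]]` anchor now sits on a bare paragraph after the `'''` break; a heading at that point would keep the revert introduction from reading as part of the Reactive section above it.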
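Review bot: The `.Xml` listings added in the hunks at `@@ -72,6 +88,12 @@`, `@@ -88,9 +110,15 @@`, `@@ -104,6 +132,12 @@` and `@@ -120,11 +154,21 @@` have nothing between their `----` delimiters as shown here, and the two namespace xrefs in the "Other usages can simply change" sentence have empty backticks as link text. Check that each listing holds the XML element matching the Java and Kotlin tabs beside it and that the xref text names the element; otherwise the XML tab gives no before and after to copy, and a reader reverting an XML configuration has nothing to confirm that the pre-post setting carried over.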