This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.5!

Authorization Changes

The following sections relate to how to adapt to changes in the authorization support.

Method Security

Compile With -parameters

Spring Framework 6.1 removes LocalVariableTableParameterNameDiscoverer. This affects how @PreAuthorize and other method security annotations will process parameter names. If you are using method security annotations with parameter names, for example:

Method security annotation using id parameter name
@PreAuthorize("@authz.checkPermission(#id, authentication)")
public void doSomething(Long id) {
    // ...
}

You must compile with -parameters to ensure that the parameter names are available at runtime. For more information about this, please visit the Upgrading to Spring Framework 6.1 page.
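One way to catch a missing -parameters flag during a test run, shown as an added example that is not part of the Spring Security documentation: it uses reflection to confirm that parameter names were compiled into methods carrying method security annotations. ParameterNameCheck and SampleService are hypothetical names, and only annotations placed directly on a method are checked (not meta-annotations or class-level annotations).

```java
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;

// Hypothetical helper: reports secured methods whose parameter names are not available at runtime.
public final class ParameterNameCheck {

    public static List<Method> methodsMissingParameterNames(Class<?>... types) {
        List<Method> missing = new ArrayList<>();
        for (Class<?> type : types) {
            for (Method method : type.getDeclaredMethods()) {
                if (!isSecured(method)) {
                    continue;
                }
                for (Parameter parameter : method.getParameters()) {
                    // isNamePresent() is false when the class was compiled without
                    // -parameters; getName() then returns arg0, arg1, ... and an
                    // expression such as #id cannot be matched to the argument.
                    if (!parameter.isNamePresent()) {
                        missing.add(method);
                        break;
                    }
                }
            }
        }
        return missing;
    }

    private static boolean isSecured(Method method) {
        return method.isAnnotationPresent(PreAuthorize.class)
                || method.isAnnotationPresent(PostAuthorize.class)
                || method.isAnnotationPresent(PreFilter.class)
                || method.isAnnotationPresent(PostFilter.class);
    }

    // Constructed sample input mirroring the annotated method shown above.
    static class SampleService {
        @PreAuthorize("@authz.checkPermission(#id, authentication)")
        public void doSomething(Long id) {
        }
    }

    public static void main(String[] args) {
        List<Method> missing = methodsMissingParameterNames(SampleService.class);
        if (!missing.isEmpty()) {
            throw new IllegalStateException("Compile with -parameters; names missing on: " + missing);
        }
        System.out.println("Parameter names are present on all secured methods");
    }
}
```

Calling methodsMissingParameterNames from a unit test over your own service classes makes the build fail when the compiler flag is dropped, instead of the problem surfacing as an authorization expression that misbehaves at runtime.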

Favor AnnotationTemplateExpressionDefaults over PrePostTemplateDefaults

In Spring Security 7, AnnotationTemplateExpressionDefaults will be included by default.

If you are customizing PrePostTemplateDefaults or simply want to see how your application responds to AnnotationTemplateExpressionDefaults, you can publish an AnnotationTemplateExpressionDefaults bean instead of a PrePostTemplateDefaults bean:

Java
@Bean
static AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
	return new AnnotationTemplateExpressionDefaults();
}

Kotlin
companion object {
    @Bean
    fun templateExpressionDefaults() = AnnotationTemplateExpressionDefaults()
}

Xml
<b:bean id="templateExpressionDefaults" class="org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults"/>

I Am Publishing an AuthorizationAdvisor Bean

If you are publishing an AuthorizationAdvisor bean, like AuthorizationManagerBeforeMethodInterceptor, AuthorizationManagerAfterMethodInterceptor, PreFilterAuthorizationMethodInterceptor, or PostFilterAuthorizationMethodInterceptor, you can do the same by calling setTemplateDefaults with an AnnotationTemplateExpressionDefaults instance instead:

Java
@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
static Advisor preFilter() {
	PreFilterAuthorizationMethodInterceptor interceptor = new PreFilterAuthorizationMethodInterceptor();
	interceptor.setTemplateDefaults(new AnnotationTemplateExpressionDefaults());
	return interceptor;
}

Kotlin
companion object {
    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    fun preFilter(): Advisor {
        val interceptor = PreFilterAuthorizationMethodInterceptor()
        interceptor.setTemplateDefaults(AnnotationTemplateExpressionDefaults())
        return interceptor
    }
}

Publish AuthorizationAdvisor instances instead of adding them in a Customizer<AuthorizationAdvisorProxyFactory>

While the ability to customize the AuthorizationAdvisorProxyFactory instance will remain in Spring Security 7, the ability to add advisors will be removed in favor of picking up published AuthorizationAdvisor beans.

If you are not calling AuthorizationAdvisorProxyFactory#setAdvisors or AuthorizationAdvisorProxyFactory#addAdvisor, you do not need to do anything.

If you are, publish the AuthorizationAdvisor bean instead and Spring Security will pick it up and apply it automatically.