mirror of synced 2026-05-22 21:33:16 +00:00

use-authorization-manager defaults to true

Closes gh-11929
Josh Cummings
2022-10-05 19:49:53 -06:00
parent 1aa3f1414e
commit 12b9f2e196
162 changed files with 191 additions and 105 deletions
@@ -31,7 +31,7 @@ The attributes on the `<http>` element control some of the properties on the cor
[[nsa-http-use-authorization-manager]]
* **use-authorization-manager**
Use AuthorizationManager API instead of SecurityMetadataSource
Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
[[nsa-http-authorization-manager-ref]]
* **access-decision-manager-ref**
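Review bot: the new `use-authorization-manager` description for `<http>` states the default but not what the default implies for the attribute documented right after it. Since the release note in this commit tells users of `access-decision-manager-ref` to move to `authorization-manager-ref`, consider adding a sentence here saying that `access-decision-manager-ref` only applies when `use-authorization-manager="false"`. Also, in the trailing context the anchor `[[nsa-http-authorization-manager-ref]]` sits directly above the `access-decision-manager-ref` bullet; it is worth checking that the anchor and the attribute it labels still match.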
@@ -279,7 +279,7 @@ Can be used inside a bean definition to add a security interceptor to the bean a
[[nsa-intercept-methods-use-authorization-manager]]
* **use-authorization-manager**
Use AuthorizationManager API instead of AccessDecisionManager
Use AuthorizationManager API instead of AccessDecisionManager (defaults to true)
[[nsa-intercept-methods-authorization-manager-ref]]
* **authorization-manager-ref**
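Review bot: the `<intercept-methods>` default changes here as well, but the release note added in this commit only gives guidance in terms of `use-expressions`, `access-decision-manager-ref` and `<intercept-url>`. Applications that configure an `AccessDecisionManager` for `<intercept-methods>` get no migration hint, so either extend the release note to cover this element or add a short pointer next to "(defaults to true)" explaining how to keep the previous behaviour with `use-authorization-manager="false"`.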
@@ -42,7 +42,7 @@ Changing the default is useful if it is necessary to allow other origins to make
* **authorization-manager-ref** Use this `AuthorizationManager` instance; when set, `use-authorization-manager` is ignored and assumed to be `true`
[[nsa-websocket-message-broker-use-authorization-manager]]
* **use-authorization-manager** Uses legacy `SecurityMetadataSource` API instead of `AuthorizationManager` API (default false).
* **use-authorization-manager** Use `AuthorizationManager` API instead of `SecurityMetadataSource` API (defaults to true).
[[nsa-websocket-message-broker-security-context-holder-strategy-ref]]
* **security-context-holder-strategy-ref** Use this `SecurityContextHolderStrategy` (note only supported in conjunction with the `AuthorizationManager` API)
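Review bot: for `<websocket-message-broker>` the `use-authorization-manager` line changes from "(default false)" to "(defaults to true)" and the description is reworded in the opposite direction at the same time, yet the release note in this commit does not mention WebSocket configuration at all. Please call out this element in the release note so the flipped default is visible to users who rely on the `SecurityMetadataSource` path. As a style point, this entry uses backticks and a trailing period while the `<http>` and `<intercept-methods>` entries for the same attribute use neither; pick one form for all three.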
@@ -22,3 +22,7 @@ Reorganize imports
Instead, create a https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter[SecurityFilterChain bean].
* https://github.com/spring-projects/spring-security/issues/11899[gh-11899] - Use `MvcRequestMatcher` by default if Spring MVC is present.
You can configure a different `RequestMatcher` by using the https://docs.spring.io/spring-security/reference/servlet/appendix/namespace/http.html#nsa-http-attributes[request-matcher attribute from <http>].
* Change use-authorization-manager="true" to default
If the application uses `use-expressions="true"` or `access-decision-manager-ref` switch to `use-expressions="false"` or `authorization-manager-ref`, respectively.
If application relies on the implicit `<intercept-url pattern="/**" access="permitAll"/>`, this is no longer implicit and needs to be specified.
Or use `use-authorization-manager="false"`
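Review bot: the sentence about the implicit `<intercept-url pattern="/**" access="permitAll"/>` says it "needs to be specified" but does not say how requests that match no `<intercept-url>` are treated under the new default, which is the detail an upgrading application most needs for its access rules. State the resulting behaviour explicitly. The entry also lacks the issue link that the neighbouring `gh-11899` item has (the commit message closes gh-11929), the attribute in the bullet title is not in backticks, "If application relies" is missing an article, and the closing "Or use `use-authorization-manager="false"`" fragment should name the element it applies to and end with a period. The pairing of `use-expressions="true"` with a switch to `use-expressions="false"` in the first sentence reads unexpectedly; please confirm the direction is the intended one.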