From 88d50a531bcf489d3d4385740b3bfa0bfb1c686a Mon Sep 17 00:00:00 2001 From: Marcus Da Coregio Date: Wed, 7 Dec 2022 10:21:59 -0800 Subject: [PATCH] Add EnableWebSecurity migration steps to 5.8 guide Closes gh-12334 --- .../ROOT/pages/migration/servlet/config.adoc | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/docs/modules/ROOT/pages/migration/servlet/config.adoc b/docs/modules/ROOT/pages/migration/servlet/config.adoc index b7b58a71207..0d61382507e 100644 --- a/docs/modules/ROOT/pages/migration/servlet/config.adoc +++ b/docs/modules/ROOT/pages/migration/servlet/config.adoc @@ -873,6 +873,50 @@ open class SecurityConfiguration { ---- ==== +== Add `@Configuration` to `@Enable*` annotations + +In 6.0, all Spring Security's `@Enable*` annotations had their `@Configuration` removed. +While convenient, it was not consistent with the rest of the Spring projects and most notably Spring Framework's `@Enable*` annotations. +Additionally, the introduction of support for `@Configuration(proxyBeanMethods=false)` in Spring Framework provides another reason to remove `@Configuration` meta-annotation from Spring Security's `@Enable*` annotations and allow users to opt into their preferred configuration mode. + +The following annotations had their `@Configuration` removed: + +- `@EnableGlobalAuthentication` +- `@EnableGlobalMethodSecurity` +- `@EnableMethodSecurity` +- `@EnableReactiveMethodSecurity` +- `@EnableWebSecurity` +- `@EnableWebFluxSecurity` + +For example, if you are using `@EnableWebSecurity`, you will need to change: + +==== +.Java +[source,java,role="primary"] +---- +@EnableWebSecurity +public class SecurityConfig { + // ... +} +---- +==== + +to: + +==== +.Java +[source,java,role="primary"] +---- +@Configuration +@EnableWebSecurity +public class SecurityConfig { + // ... +} +---- +==== + +And the same applies to every other annotation listed above. + ==== Other Scenarios If you are using `AuthenticationManagerBuilder` for something more sophisticated, you can xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationmanager[publish your own `AuthenticationManager` `@Bean`] or wire an `AuthenticationManager` instance into the `HttpSecurity` DSL with {security-api-url}org/springframework/security/config/annotation/web/builders/HttpSecurity.html#authenticationManager(org.springframework.security.authentication.AuthenticationManager)[`HttpSecurity#authenticationManager`].