@EnableReactiveMethodSecurity#useAuthorizationManager should be true #12506
Assignees
Labels
Milestone
Comments
anschnapp
added
status: waiting-for-triage
jzheaux
added
in: config
|
Thanks, @anschnapp. I believe |
|
That's great to hear! For myself i have set this attribute explicit for now, so I don't have any issue currently myself. But as I wrote it could cause issues for people who follow the migration steps; so great that you take care of it in the next point release! |
jzheaux
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
In the documentation to migrating a reactive application to spring security 6.0.0 is an issue (or the implementation is wrong)
It describes that the annotation
@EnableReactiveMethodSecuritynow uses a default value oftruefor the attributeuseAuthorizationManager.But in the code the default is (still: like in version 5.8) set to false.
Therefore the migration step which is described would result to different (and most properly unwanted) behaviour. So, if someone has set it before to true and now removes the explicit definition then the authorization manager would not be used.
To Reproduce
See in migration documentation first step (for reactive migration):
https://docs.spring.io/spring-security/reference/migration/reactive.html
See code:
Version 6.0.0:
https://github.com/spring-projects/spring-security/blob/6.0.0/config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.java#L76
Still in version 6.0.1:
https://github.com/spring-projects/spring-security/blob/6.0.1/config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.java#L76
Expected behavior
Documentation should fit to the implementation (and vice versa)
The text was updated successfully, but these errors were encountered: