From 416890e0955e56f04d53151903ab119f05fde1d4 Mon Sep 17 00:00:00 2001 From: hanweiwei Date: Sat, 4 Apr 2026 08:32:22 +0800 Subject: [PATCH] Add XML guidance to authorizeRequests deprecation warning The deprecation warning for authorizeRequests and FilterSecurityInterceptor now also includes guidance for XML-based configuration, advising users to add use-authorization-manager=true to their http element. Closes gh-17259 Signed-off-by: hanweiwei Signed-off-by: hanweiwei --- .../web/builders/WebSecurityFilterChainValidator.java | 8 ++++++-- .../security/config/http/DefaultFilterChainValidator.java | 8 ++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java index fa97043fb67..6f6a9bef789 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java @@ -103,11 +103,15 @@ private void checkAuthorizationFilters(List chains) { } if (authorizationFilter != null && filterSecurityInterceptor != null) { this.logger.warn( - "It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests"); + "It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. " + + "Please only use authorizeHttpRequests. " + + "For XML configuration, please add use-authorization-manager=\"true\" to your element."); } if (filterSecurityInterceptor != null) { this.logger.warn( - "Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration"); + "Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. " + + "Please use authorizeHttpRequests in the configuration. " + + "For XML configuration, please add use-authorization-manager=\"true\" to your element."); } authorizationFilter = null; filterSecurityInterceptor = null; diff --git a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java index fb88f14b3a6..b568d5d98ef 100644 --- a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java +++ b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java @@ -130,11 +130,15 @@ private void checkAuthorizationFilters(List chains) { } if (authorizationFilter != null && filterSecurityInterceptor != null) { this.logger.warn( - "It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests"); + "It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. " + + "Please only use authorizeHttpRequests. " + + "For XML configuration, please add use-authorization-manager=\"true\" to your element."); } if (filterSecurityInterceptor != null) { this.logger.warn( - "Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration"); + "Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. " + + "Please use authorizeHttpRequests in the configuration. " + + "For XML configuration, please add use-authorization-manager=\"true\" to your element."); } authorizationFilter = null; filterSecurityInterceptor = null;