spring-projects · hqqw2h-lgtm · Apr 4, 2026
diff --git a/...ingframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java b/...ingframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java
@@ -103,11 +103,15 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
 			}
 			if (authorizationFilter != null && filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. "
+								+ "Please only use authorizeHttpRequests. "
+								+ "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. "
+								+ "Please use authorizeHttpRequests in the configuration. "
+								+ "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;

diff --git a/...g/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java b/...g/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
@@ -130,11 +130,15 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
 			}
 			if (authorizationFilter != null && filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. "
+								+ "Please only use authorizeHttpRequests. "
+								+ "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. "
+								+ "Please use authorizeHttpRequests in the configuration. "
+								+ "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;