[[migration]] = Migrating to 6.0 The Spring Security team has prepared the 5.8 release to simplify upgrading to Spring Security 6.0. Use 5.8 and ifdef::spring-security-version[] xref:5.8.0@migration.adoc[its preparation steps] endif::[] ifndef::spring-security-version[] its preparation steps endif::[] to simplify updating to 6.0 After updating to 5.8, follow this guide to perform any needed migration steps. Also, this guide includes ways to <> behaviors and its defaults, should you run into trouble. == Servlet [[requestcache-query-optimization]] === Optimize Querying of `RequestCache` In Spring Security 5, the default behavior is to query the xref:servlet/architecture.adoc#savedrequests[saved request] on every request. This means that in a typical setup, that in order to use the xref:servlet/architecture.adoc#requestcache[`RequestCache`] the `HttpSession` is queried on every request. In Spring Security 6, the default is that `RequestCache` will only be queried for a cached request if the HTTP parameter `continue` is defined. This allows Spring Security to avoid unnecessarily reading the `HttpSession` with the `RequestCache`. In Spring Security 5 the default is to use `HttpSessionRequestCache` which will be queried for a cached request on every request. If you are not overriding the defaults (i.e. using `NullRequestCache`), then the following configuration can be used to explicitly opt into the Spring Security 6 behavior in Spring Security 5.8: include::partial$servlet/architecture/request-cache-continue.adoc[] === Use `AuthorizationManager` for Method Security There are no further migration steps for this feature. However, if you run into trouble with this enhancement, you can instead <>. == Reactive === Use `AuthorizationManager` for Method Security If you run into trouble with this enhancement, you can instead <>. In 6.0, `@EnableReactiveMethodSecurity` defaults `useAuthorizationManager` to `true`. So, to complete migration, {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.html[`@EnableReactiveMethodSecurity`] remove the `useAuthorizationManager` attribute: ==== .Java [source,java,role="primary"] ---- @EnableReactiveMethodSecurity(useAuthorizationManager = true) ---- .Kotlin [source,kotlin,role="secondary"] ---- @EnableReactiveMethodSecurity(useAuthorizationManager = true) ---- ==== changes to: ==== .Java [source,java,role="primary"] ---- @EnableReactiveMethodSecurity ---- .Kotlin [source,kotlin,role="secondary"] ---- @EnableReactiveMethodSecurity ---- ==== ''' [[revert]] If you are running into trouble with any of the 6.0 changes, please first try to apply the following changes to get you up and running. It's more important to stay on 6.0 and get the security improvements. == Revert Servlet [[servlet-replace-methodsecurity-with-globalmethodsecurity]] === Don't Use `AuthorizationManager` in Method Security To opt out of `AuthorizationManager` for Method Security, replace xref:servlet/authorization/method-security.adoc#jc-enable-method-security[method security] with xref:servlet/authorization/method-security.adoc#jc-enable-global-method-security[global method security] For applications using xref:servlet/authorization/method-security.adoc#jc-enable-method-security[pre-post annotations], make sure to turn it on to reactivate the behavior. For example, change: ==== .Java [source,java,role="primary"] ---- @EnableMethodSecurity ---- .Kotlin [source,kotlin,role="secondary"] ---- @EnableMethodSecurity ---- .Xml [source,xml,role="secondary"] ---- ---- ==== to: ==== .Java [source,java,role="primary"] ---- @EnableGlobalMethodSecurity(prePostEnabled = true) ---- .Kotlin [source,kotlin,role="secondary"] ---- @EnableGlobalMethodSecurity(prePostEnabled = true) ---- .Xml [source,xml,role="secondary"] ---- ---- ==== Other usages can simply change {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableMethodSecurity.html[`@EnableMethodSecurity`] and xref:servlet/appendix/namespace/method-security.adoc#nsa-method-security[``] to {security-api-url}org/springframework/security/config/annotation/method/configuration/EnableGlobalMethodSecurity.html[`@EnableGlobalMethodSecurity`] and xref:servlet/appendix/namespace/method-security.adoc#nsa-global-method-security[``], like so: ==== .Java [source,java,role="primary"] ---- @EnableMethodSecurity(securedEnabled = true, prePostEnabled = false) ---- .Kotlin [source,kotlin,role="secondary"] ---- @EnableMethodSecurity(securedEnabled = true, prePostEnabled = false) ---- .Xml [source,xml,role="secondary"] ---- ---- ==== should change to: ==== .Java [source,java,role="primary"] ---- @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = false) ---- .Kotlin [source,kotlin,role="secondary"] ---- @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = false) ---- .Xml [source,xml,role="secondary"] ---- ---- ==== == Revert Reactive [[reactive-change-to-useauthorizationmanager-false]] === Don't Use `AuthorizationManager` in Method Security To opt-out of {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[`AuthorizationManager`] for reactive method security, add `useAuthorizationManager = false`: ==== .Java [source,java,role="primary"] ---- @EnableReactiveMethodSecurity ---- .Kotlin [source,kotlin,role="secondary"] ---- @EnableReactiveMethodSecurity ---- ==== changes to: ==== .Java [source,java,role="primary"] ---- @EnableReactiveMethodSecurity(useAuthorizationManager = false) ---- .Kotlin [source,kotlin,role="secondary"] ---- @EnableReactiveMethodSecurity(useAuthorizationManager = false) ---- ====