@EnableReactiveMethodSecurity#useAuthorizationManager should be true

[anschnapp]

Describe the bug
In the documentation to migrating a reactive application to spring security 6.0.0 is an issue (or the implementation is wrong)
It describes that the annotation @EnableReactiveMethodSecurity now uses a default value of true for the attribute useAuthorizationManager.

But in the code the default is (still: like in version 5.8) set to false.

Therefore the migration step which is described would result to different (and most properly unwanted) behaviour. So, if someone has set it before to true and now removes the explicit definition then the authorization manager would not be used.

To Reproduce
See in migration documentation first step (for reactive migration):
https://docs.spring.io/spring-security/reference/migration/reactive.html

See code:

Version 6.0.0:
https://github.com/spring-projects/spring-security/blob/6.0.0/config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.java#L76

Still in version 6.0.1:
https://github.com/spring-projects/spring-security/blob/6.0.1/config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.java#L76

Expected behavior
Documentation should fit to the implementation (and vice versa)

[jzheaux]

Thanks, @anschnapp. I believe useAuthorizationManager should be false. We'll take care of this in the next point release.

[anschnapp]

That's great to hear!

For myself i have set this attribute explicit for now, so I don't have any issue currently myself. But as I wrote it could cause issues for people who follow the migration steps; so great that you take care of it in the next point release!