@EnableReactiveMethodSecurity#useAuthorizationManager should be true #12506

@anschnapp

Describe the bug
There is an issue in the documentation for migrating a reactive application to Spring Security 6.0.0 (or the implementation is wrong).
It describes that the annotation @EnableReactiveMethodSecurity now uses a default value of true for the attribute useAuthorizationManager.

But in the code the default is still set to false (as in version 5.8).

Therefore the migration step which is described would result in different (and most probably unwanted) behaviour. So, if someone had set it to true before and now removes the explicit definition, then the authorization manager would not be used.

To Reproduce
See the first step in the migration documentation (for reactive migration):
https://docs.spring.io/spring-security/reference/migration/reactive.html

See code:

Version 6.0.0:
https://github.com/spring-projects/spring-security/blob/6.0.0/config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.java#L76

Still in version 6.0.1:
https://github.com/spring-projects/spring-security/blob/6.0.1/config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.java#L76

Expected behavior
Documentation should match the implementation (and vice versa).
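
Added example (not part of the original issue and not Spring Security's own code): one way to keep method authorization independent of the annotation default described above is to pin useAuthorizationManager explicitly and to check, at build or startup time, both the library default and the value the application actually declares. The class names MethodSecurityConfig and MethodSecurityDefaultCheck are hypothetical; spring-security-config is assumed to be on the classpath.

```java
import java.lang.reflect.Method;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;

// Hypothetical application configuration: the attribute is set explicitly,
// so removing it during a migration is a visible, reviewable change.
@Configuration
@EnableReactiveMethodSecurity(useAuthorizationManager = true)
class MethodSecurityConfig {
}

// Hypothetical guard, runnable from a unit test or a startup check.
final class MethodSecurityDefaultCheck {

    // Reads the default declared on the annotation attribute in the
    // spring-security-config version that is actually on the classpath.
    // The issue above reports this default as false in 6.0.0 and 6.0.1.
    static boolean libraryDefault() throws NoSuchMethodException {
        Method attribute = EnableReactiveMethodSecurity.class.getMethod("useAuthorizationManager");
        return (Boolean) attribute.getDefaultValue();
    }

    // Reads the value in effect on a configuration class
    // (an explicit value if present, otherwise the library default).
    static boolean effectiveValue(Class<?> configClass) {
        EnableReactiveMethodSecurity annotation =
                configClass.getAnnotation(EnableReactiveMethodSecurity.class);
        if (annotation == null) {
            throw new IllegalStateException(
                    configClass.getName() + " does not enable reactive method security");
        }
        return annotation.useAuthorizationManager();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("library default for useAuthorizationManager: " + libraryDefault());
        // Fail closed: refuse to continue if the authorization manager is not in use.
        if (!effectiveValue(MethodSecurityConfig.class)) {
            throw new IllegalStateException("useAuthorizationManager is not enabled");
        }
        System.out.println("MethodSecurityConfig uses the authorization manager");
    }
}
```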

Labels: in: config (An issue in spring-security-config); type: bug (A general bug)