-
Notifications
You must be signed in to change notification settings - Fork 6.1k
Description
Describe the bug
In the documentation to migrating a reactive application to spring security 6.0.0 is an issue (or the implementation is wrong)
It describes that the annotation @EnableReactiveMethodSecurity
now uses a default value of true
for the attribute useAuthorizationManager
.
But in the code the default is (still: like in version 5.8) set to false.
Therefore the migration step which is described would result to different (and most properly unwanted) behaviour. So, if someone has set it before to true and now removes the explicit definition then the authorization manager would not be used.
To Reproduce
See in migration documentation first step (for reactive migration):
https://docs.spring.io/spring-security/reference/migration/reactive.html
See code:
Still in version 6.0.1:
https://github.com/spring-projects/spring-security/blob/6.0.1/config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.java#L76
Expected behavior
Documentation should fit to the implementation (and vice versa)