Add XML guidance to authorizeRequests deprecation warning

skyhww · skyhww · commit e7d5aa05de43 · 2026-04-05T08:53:38.000+08:00
The deprecation warning for authorizeRequests and FilterSecurityInterceptor now also includes guidance for XML-based configuration, advising users to add use-authorization-manager=true to their http element. Closes gh-17259 Signed-off-by: hanweiwei <duzielww@163.com> Made-with: Cursor Signed-off-by: hanweiwei <duzielww@163.com> Made-with: Cursor
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java
@@ -103,11 +103,15 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
 			}
 			if (authorizationFilter != null && filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. "
+								+ "Please only use authorizeHttpRequests. "
+								+ "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. "
+								+ "Please use authorizeHttpRequests in the configuration. "
+								+ "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;
diff --git a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
@@ -130,11 +130,15 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
 			}
 			if (authorizationFilter != null && filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. "
+								+ "Please only use authorizeHttpRequests. "
+								+ "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. "
+								+ "Please use authorizeHttpRequests in the configuration. "
+								+ "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;

Original file line number	Diff line number	Diff line change
`@@ -103,11 +103,15 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {`
`103`	`103`	`}`
`104`	`104`	`if (authorizationFilter != null && filterSecurityInterceptor != null) {`
`105`	`105`	`this.logger.warn(`
`106`		`- "It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");`
	`106`	`+ "It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. "`
	`107`	`+ + "Please only use authorizeHttpRequests. "`
	`108`	`+ + "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");`
`107`	`109`	`}`
`108`	`110`	`if (filterSecurityInterceptor != null) {`
`109`	`111`	`this.logger.warn(`
`110`		`- "Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");`
	`112`	`+ "Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. "`
	`113`	`+ + "Please use authorizeHttpRequests in the configuration. "`
	`114`	`+ + "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");`
`111`	`115`	`}`
`112`	`116`	`authorizationFilter = null;`
`113`	`117`	`filterSecurityInterceptor = null;`
Original file line number	Diff line number	Diff line change
`@@ -130,11 +130,15 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {`
`130`	`130`	`}`
`131`	`131`	`if (authorizationFilter != null && filterSecurityInterceptor != null) {`
`132`	`132`	`this.logger.warn(`
`133`		`- "It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");`
	`133`	`+ "It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. "`
	`134`	`+ + "Please only use authorizeHttpRequests. "`
	`135`	`+ + "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");`
`134`	`136`	`}`
`135`	`137`	`if (filterSecurityInterceptor != null) {`
`136`	`138`	`this.logger.warn(`
`137`		`- "Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");`
	`139`	`+ "Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. "`
	`140`	`+ + "Please use authorizeHttpRequests in the configuration. "`
	`141`	`+ + "For XML configuration, please add use-authorization-manager=\"true\" to your <http> element.");`
`138`	`142`	`}`
`139`	`143`	`authorizationFilter = null;`
`140`	`144`	`filterSecurityInterceptor = null;`