This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.1!

Reactive

If you have already performed the initial migration steps for your Reactive application, you're now ready to perform steps specific to Reactive applications.

Use AuthorizationManager for Method Security

In 6.0, @EnableReactiveMethodSecurity defaults useAuthorizationManager to true. So, to complete migration, remove the useAuthorizationManager attribute from @EnableReactiveMethodSecurity:

Java:
@EnableReactiveMethodSecurity(useAuthorizationManager = true)

Kotlin:
@EnableReactiveMethodSecurity(useAuthorizationManager = true)

changes to:

Java:
@EnableReactiveMethodSecurity

Kotlin:
@EnableReactiveMethodSecurity

Propagate AuthenticationServiceExceptions

AuthenticationWebFilter propagates AuthenticationServiceExceptions to the ServerAuthenticationEntryPoint. Because AuthenticationServiceExceptions represent a server-side error instead of a client-side error, in 6.0, this changes to propagate them to the container.

So, if you opted into this behavior by setting rethrowAuthenticationServiceException to true, you can now remove it like so:

Java:
// Declared with the concrete type, because the setter is defined on
// ServerAuthenticationEntryPointFailureHandler, not on the handler interface.
ServerAuthenticationEntryPointFailureHandler bearerFailureHandler = new ServerAuthenticationEntryPointFailureHandler(bearerEntryPoint);
bearerFailureHandler.setRethrowAuthenticationServiceException(true);
ServerAuthenticationEntryPointFailureHandler basicFailureHandler = new ServerAuthenticationEntryPointFailureHandler(basicEntryPoint);
basicFailureHandler.setRethrowAuthenticationServiceException(true);

Kotlin:
// Type is inferred as ServerAuthenticationEntryPointFailureHandler, which defines the setter.
val bearerFailureHandler = ServerAuthenticationEntryPointFailureHandler(bearerEntryPoint)
bearerFailureHandler.setRethrowAuthenticationServiceException(true)
val basicFailureHandler = ServerAuthenticationEntryPointFailureHandler(basicEntryPoint)
basicFailureHandler.setRethrowAuthenticationServiceException(true)

changes to:

Java:
ServerAuthenticationFailureHandler bearerFailureHandler = new ServerAuthenticationEntryPointFailureHandler(bearerEntryPoint);
ServerAuthenticationFailureHandler basicFailureHandler = new ServerAuthenticationEntryPointFailureHandler(basicEntryPoint);

Kotlin:
val bearerFailureHandler: ServerAuthenticationFailureHandler = ServerAuthenticationEntryPointFailureHandler(bearerEntryPoint)
val basicFailureHandler: ServerAuthenticationFailureHandler = ServerAuthenticationEntryPointFailureHandler(basicEntryPoint)

If you configured the ServerAuthenticationFailureHandler only for the purpose of updating to 6.0, you can remove it completely.
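
The server-side versus client-side distinction described above only holds if authentication code raises the matching exception type. The following is an added example, not code from the Spring Security documentation: a custom ReactiveAuthenticationManager that reports a failed user lookup as an AuthenticationServiceException and a failed credential check as a BadCredentialsException. The class name DirectoryAuthenticationManager and the assumption that the ReactiveUserDetailsService calls a remote directory are hypothetical.

```java
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import reactor.core.publisher.Mono;

// Hypothetical class: shows which exception type each kind of failure maps to.
public class DirectoryAuthenticationManager implements ReactiveAuthenticationManager {

    // Assumption: this service queries a remote user directory and can fail with I/O errors.
    private final ReactiveUserDetailsService users;
    private final PasswordEncoder encoder;

    public DirectoryAuthenticationManager(ReactiveUserDetailsService users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    @Override
    public Mono<Authentication> authenticate(Authentication request) {
        String presented = String.valueOf(request.getCredentials());
        return this.users.findByUsername(request.getName())
            // Lookup failure (timeout, connection refused): a server-side error.
            // In 6.0, AuthenticationWebFilter propagates it to the container
            // instead of handing it to the ServerAuthenticationEntryPoint.
            .onErrorMap(ex -> !(ex instanceof AuthenticationException),
                ex -> new AuthenticationServiceException("User directory unavailable", ex))
            // Drop the user when the presented password does not match.
            .filter(user -> this.encoder.matches(presented, user.getPassword()))
            // Unknown user and wrong password both end up here: a client-side
            // error with one message, so the response does not reveal which it was.
            .switchIfEmpty(Mono.error(() -> new BadCredentialsException("Invalid credentials")))
            .map(user -> (Authentication) UsernamePasswordAuthenticationToken.authenticated(
                user, null, user.getAuthorities()));
    }
}
```

If lookup failures were wrapped as BadCredentialsException instead, a directory outage would reach clients as an authentication challenge rather than as a server error.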