Spring Security Remove FilterSecurityInterceptor from WebSecurity

FilterSecurityInterceptor will be deprecated in 5.8 in favor of the new AuthorizationFilter.

This is part of the work of removing all the places that use the FilterSecurityInterceptor and related classes.

Comment From: jzheaux

Is it possible to create an opt-in strategy in 5.8 that allows applications to start using AuthorizationManager in advance of the defaults changing in 6.0?

Comment From: marcusdacoregio

The FilterSecurityInterceptor in WebSecurity is only used to create an instance of WebInvocationPrivilegeEvaluator. If folks are using authorizeHttpRequests the configuration picks up the AuthenticationFilter#getAuthorizationManager and creates an instance of AuthorizationManagerWebInvocationPrivilegeEvaluator instead.

Do you think that we still really need a strategy for that? If so, what that would look like?

Comment From: jzheaux

I see. I missed that securityInterceptor was deprecated. As a side note, perhaps the @Deprecated annotation should be added in addition to the JavaDoc marker that's already there?