I found that the interface has changed in the new version, but there is no corresponding documentation on the official website, which makes it difficult for me to use it.
Comment From: eleftherias
Thanks for reaching out @fox20431. Which interface are you referring to?
Comment From: ming2k
> Thanks for reaching out @fox20431. Which interface are you referring to?

Thanks for your reply and sorry for bothering you with my vague issue.
This is the original page.

```java
http
    .authorizeHttpRequests(authorize -> authorize
        .antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
        ...
    )
```

Now, the `access` method can only accept a functional interface instead of a String.
Comment From: eleftherias
Thanks for the clarification @fox20431. We will make sure to update the documentation.
In the meantime, I'll share the equivalent configuration below.
One solution is to remove the `webSecurity` bean and add the logic from the `check` method directly into the `access` method:

```java
http
    .authorizeHttpRequests(authorize -> authorize
        .antMatchers("/user/**").access((a, o) -> {
            // move the logic from @webSecurity.check into this block
            // call a.get() to get the Authentication
        })
    )
```

Another option is to have a custom class that implements `AuthorizationManager<RequestAuthorizationContext>`:

```java
class CustomAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext object) {
        // move the logic from @webSecurity.check into this block
    }
}
```
Comment From: ming2k
> Thanks for the clarification @fox20431. We will make sure to update the documentation.
> In the meantime, I'll share the equivalent configuration below.
> One solution is to remove the `webSecurity` bean and add the logic from the `check` method directly into the `access` method:
>
> ```java
> http
>     .authorizeHttpRequests(authorize -> authorize
>         .antMatchers("/user/**").access((a, o) -> {
>             // move the logic from @webSecurity.check into this block
>             // call a.get() to get the Authentication
>         })
>     )
> ```
>
> Another option is to have a custom class that implements `AuthorizationManager<RequestAuthorizationContext>`:
>
> ```java
> class CustomAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
>     @Override
>     public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext object) {
>         // move the logic from @webSecurity.check into this block
>     }
> }
> ```

Great solution, thanks!