Spring Security GlobalMethodSecurityConfiguration suggests using PrePostMethodSecurityConfiguration but class is package private

Describe the bug

While trying to enable method security with prePost the usual way was to extend org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration. But in spring-security-config-6.0.0-RC2 (haven't checked earlier versions now) this class is marked as deprecated and suggests to use org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration instead. Trying this failed because the class is package private instead of public.

To Reproduce

Class with deprecation warning in GlobalMethodSecurityConfiguration with already update to EnableMethodSecurity:

import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration

@Configuration
@EnableMethodSecurity(
    prePostEnabled = true,
    securedEnabled = false,
    jsr250Enabled = false,
)
class MethodSecurityConfig : GlobalMethodSecurityConfiguration()

(This fails with IllegalArgumentException: org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity is required. So mixing the new and old approach doesn't work)

Trying the suggested fix from GlobalMethodSecurityConfiguration fails because of PrePostMethodSecurityConfiguration being package private:

import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
import org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration

@Configuration
@EnableMethodSecurity(
    prePostEnabled = true,
    securedEnabled = false,
    jsr250Enabled = false,
)
class MethodSecurityConfig : PrePostMethodSecurityConfiguration()

Expected behavior

I would expect that I can follow the suggestions described in the deprecation message. Because I don't know the reason for the class being package private I don't suggest just making the class public. But that would be the trivial aproach.

Comment From: marcusdacoregio

Hi @mbogner,

You do not need to extend PrePostMethodSecurityConfiguration because when you add @EnableMethodSecurity the annotation already imports the configuration if prePostEnabled = true. See the MethodSecuritySelector class.

Comment From: mbogner

@marcusdacoregio Thanks for clarification. Then I misread the deprecation message. The old way was to extend it so I expected it to work similar.