This is almost definitely a misconfiguration. It could be detected in DefaultFilterChainValidator.
Since Spring Security can "work" with both of these filters, let's simply warn in the logs. Along those lines, there should be two warn messages:
- If they are using both filters, warn that this is probably a misconfiguration and they should migrate as soon as possible to authorizeHttpRequests.
- If they are only using FilterSecurityInterceptor, warn that it is due for removal and they should migrate as soon as possible to authorizeHttpRequests.
Comment From: franticticktick
Hi @jzheaux, could you assign this task to me? It seems to be related to this one. Currently the DefaultFilterChainValidator only works with XML config. In addition, it contains several bugs:
RequestMatcher matcher = ((DefaultSecurityFilterChain) chains.next()).getRequestMatcher();
Such forced casts can lead to errors if a custom filterChain is used. Therefore, we must first consider 15982.
Comment From: evgeniycheban
Hi, @jzheaux I'd want to work on this, can you assign it to me?
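
A sketch of the check discussed in this thread, added here as an illustration and not taken from Spring Security's DefaultFilterChainValidator: it reads filters through the SecurityFilterChain interface, so no cast to DefaultSecurityFilterChain is needed, and logs one of the two warnings from the issue description. The class name, the Finding enum and the message wording are hypothetical; the jakarta.servlet import assumes Spring Security 6.

```java
import java.util.List;

import jakarta.servlet.Filter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

// Hypothetical helper for illustration; not the project's own validator.
public final class AuthorizationFilterUsageCheck {

    private static final Log logger = LogFactory.getLog(AuthorizationFilterUsageCheck.class);

    public enum Finding { NONE, LEGACY_ONLY, BOTH }

    // Works on any SecurityFilterChain implementation, including custom ones,
    // because only the interface method getFilters() is used.
    public static Finding inspect(SecurityFilterChain chain) {
        boolean legacy = false;   // FilterSecurityInterceptor (authorizeRequests)
        boolean current = false;  // AuthorizationFilter (authorizeHttpRequests)
        for (Filter filter : chain.getFilters()) {
            legacy |= filter instanceof FilterSecurityInterceptor;
            current |= filter instanceof AuthorizationFilter;
        }
        if (legacy && current) {
            return Finding.BOTH;
        }
        return legacy ? Finding.LEGACY_ONLY : Finding.NONE;
    }

    // Emits at most one warning per chain, matching the two cases in the issue.
    public static void warnOnLegacyAuthorization(List<SecurityFilterChain> chains) {
        for (SecurityFilterChain chain : chains) {
            switch (inspect(chain)) {
                case BOTH -> logger.warn("Chain " + chain + " contains both FilterSecurityInterceptor"
                        + " and AuthorizationFilter; this is probably a misconfiguration."
                        + " Migrate to authorizeHttpRequests as soon as possible.");
                case LEGACY_ONLY -> logger.warn("Chain " + chain + " uses FilterSecurityInterceptor,"
                        + " which is due for removal."
                        + " Migrate to authorizeHttpRequests as soon as possible.");
                case NONE -> { /* nothing to report for this chain */ }
            }
        }
    }
}
```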