Description
After upgrading Spring Security from version 6.4.4 to 6.5.0, our application consistently logs the following warning:
[DefaultFilterChainValidator.checkAuthorizationFilters:128] Usage of authorizeRequests is deprecated. Please use authorizeHttpRequests in the configuration
Our project is currently exclusively configured using XML-based Spring Security configuration.
What We've Tried:
-
Verified that we are using standard, documented XML elements such as <intercept-url pattern="/**" access="authenticated"/> -
Reviewed the Spring Security documentation for XML-based configuration, which continues to include examples using <intercept-url>. -
Searched for migration paths and guidance in the 6.5.0 release notes and migration guides, but found no clear solution applicable to XML setups.
It seems that Spring Security internally translates XML elements into the deprecated http.authorizeRequests() configuration, leading to the warning—even when only using officially supported XML configuration.
This creates a paradox for XML users—while XML configuration is officially supported, it results in deprecation warnings with no clear or documented way to resolve them.
Any guidance or clarification would be greatly appreciated.