
Spring Security 5.6+: Replace @EnableGlobalMethodSecurity with @EnableMethodSecurity

Open timtebeek opened this issue 3 years ago • 0 comments

https://docs.spring.io/spring-security/reference/5.7.0/servlet/authorization/method-security.html#_enablemethodsecurity

In Spring Security 5.6, we can enable annotation-based security using the @EnableMethodSecurity annotation on any @Configuration instance.

This improves upon @EnableGlobalMethodSecurity in a number of ways. @EnableMethodSecurity:

  1. Uses the simplified AuthorizationManager API instead of metadata sources, config attributes, decision managers, and voters. This simplifies reuse and customization.
  2. Favors direct bean-based configuration, instead of requiring extending GlobalMethodSecurityConfiguration to customize beans
  3. Is built using native Spring AOP, removing abstractions and allowing you to use Spring AOP building blocks to customize
  4. Checks for conflicting annotations to ensure an unambiguous security configuration
  5. Complies with JSR-250
  6. Enables @PreAuthorize, @PostAuthorize, @PreFilter, and @PostFilter by default

Conversion could be rather easy at first glance:

  1. @EnableMethodSecurity is itself annotated with @Configuration, so that annotation can be removed if present.
  2. prePostEnabled is now true by default, so that parameter can be removed if set to true.
  3. There is no order argument anymore; remove the argument.

timtebeek, Jun 18 '22 12:06
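The three conversion steps from the issue, shown as a before/after configuration. This is an added example, not code from the issue or from the rewrite-spring project; it assumes Spring Security 5.7 as in the linked reference, and the class names (`LegacyMethodSecurityConfig`, `MigratedMethodSecurityConfig`, `ReportService`) are constructed for illustration. It goes one step beyond the listed steps by also covering the case where `prePostEnabled` was never set on the old annotation.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// BEFORE (constructed sample): legacy annotation with every argument the issue mentions.
// Register only one of the two configuration classes in a real application.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, order = 0)
class LegacyMethodSecurityConfig {
}

// AFTER, applying the three steps from the issue:
//   1. @Configuration removed (@EnableMethodSecurity carries it in 5.6/5.7)
//   2. prePostEnabled = true removed (it is the default now)
//   3. order removed (no such argument)
// securedEnabled and jsr250Enabled still default to false, so they must be
// carried over, or @Secured / @RolesAllowed checks silently stop applying.
@EnableMethodSecurity(securedEnabled = true)
class MigratedMethodSecurityConfig {
}

// Edge case the steps do not list: the defaults differ between the annotations.
//   @EnableGlobalMethodSecurity(securedEnabled = true)   // prePostEnabled defaults to false
// A behaviour-preserving conversion of that declaration is
//   @EnableMethodSecurity(securedEnabled = true, prePostEnabled = false)
// Dropping prePostEnabled = false instead starts enforcing @PreAuthorize,
// @PostAuthorize, @PreFilter and @PostFilter annotations that were ignored
// before. That is usually the intended outcome, but it changes behaviour and
// should be a reviewed decision rather than a side effect of the migration.

// Constructed service showing which annotation depends on which setting.
@Service
class ReportService {

    // Enforced only when prePostEnabled is true (default in @EnableMethodSecurity).
    @PreAuthorize("hasRole('AUDITOR')")
    public String readReport(long id) {
        return "report-" + id;
    }

    // Enforced only when securedEnabled = true is kept on the new annotation.
    @Secured("ROLE_ADMIN")
    public void deleteReport(long id) {
        // deletion logic would go here
    }
}
```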