Spring Security took a big leap in version 6, which forces a lot of code written for older versions to be upgraded first. The transition from AccessDecisionManager to AuthorizationManager is one of the essential migrations.

I’ve noticed that there is a big difference when you want to apply multiple authorization rules, so I decided to write this article to note it.

In versions before 6, Spring Security seems to loop over all the rules and execute actions on all eligible results. This means that if you have specified a global wildcard rule and a specific path rule, they will both be executed. In version 6, the behavior has changed: only the first matching rule is executed. How do we still achieve the same result as before? The Spring team has provided a way to chain these authorization managers together.

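// allOf denies the request as soon as any delegate manager denies it
AuthorizationManager<RequestAuthorizationContext> am = AuthorizationManagers.allOf(scope1AuthManager, scope2AuthManager);

// inside authorizeHttpRequests(requests -> ...)
requests
    .requestMatchers(HttpMethod.GET, "/v1/users/**")
    .access(am)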

This helps you create modularised authorization managers that can be re-used in other places.
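A fuller configuration showing the first-match behaviour together with the chained manager follows. It is an added example, not code from the original article; the class name `ApiSecurityConfig`, the authority names `SCOPE_api` and `SCOPE_users.read`, and the `/v1/**` wildcard rule are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationManagers;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
public class ApiSecurityConfig {

    // Reusable building blocks. The authority names are assumptions for this example.
    private static final AuthorizationManager<RequestAuthorizationContext> API_SCOPE =
            AuthorityAuthorizationManager.hasAuthority("SCOPE_api");
    private static final AuthorizationManager<RequestAuthorizationContext> USERS_READ =
            AuthorityAuthorizationManager.hasAuthority("SCOPE_users.read");

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests -> requests
                // Only the first matching rule decides in version 6, so the
                // specific path is listed first and carries BOTH requirements.
                .requestMatchers(HttpMethod.GET, "/v1/users/**")
                    .access(AuthorizationManagers.allOf(API_SCOPE, USERS_READ))
                // Wildcard rule for the rest of the API. It is never consulted
                // for GET /v1/users/**, because the rule above matches first.
                .requestMatchers("/v1/**")
                    .access(API_SCOPE)
                // Deny anything that no rule above covers.
                .anyRequest().denyAll());
        return http.build();
    }
}
```

If the wildcard rule were listed before the specific one, a GET to `/v1/users/**` would be decided by `API_SCOPE` alone and the `SCOPE_users.read` requirement would silently stop applying, which is the regression to check for when migrating rule sets.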