From fb95239bac74149c822bf24269bb3b910143c849 Mon Sep 17 00:00:00 2001
From: seungchan <s24041@gsm.hs.kr>
Date: Thu, 4 Jun 2026 12:08:37 +0900
Subject: [PATCH] Add XML configuration guidance to authorizeRequests
 deprecation warning

When using XML configuration with <intercept-url>, Spring Security
internally registers a FilterSecurityInterceptor, which triggers
the authorizeRequests deprecation warning. However, the warning
message previously provided no actionable guidance for XML users.

This commit adds a note to the deprecation warning indicating that
XML users should add use-authorization-manager="true" to their
<http> element to migrate to the modern authorization model.

Closes gh-17259

Signed-off-by: seungchan <s24041@gsm.hs.kr>
---
 .../config/http/DefaultFilterChainValidator.java         | 4 +++-
 .../config/http/DefaultFilterChainValidatorTests.java    | 9 +++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
index 4b1c39d2044..cabd81145a5 100644
--- a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
+++ b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
@@ -126,7 +126,9 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests is deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests is deprecated. Please use authorizeHttpRequests in the configuration. "
+								+ "If you are using XML configuration with <intercept-url>, "
+								+ "add use-authorization-manager=\"true\" to your <http> element.");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;
diff --git a/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java b/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java
index c73af6e3fd2..c207e6bdb39 100644
--- a/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java
@@ -132,6 +132,15 @@ public void validateCheckLoginPageAllowsAnonymous() {
 				+ "access to the configured login page. (Simulated access was rejected)");
 	}
 
+	@Test
+	void validateWhenOnlyFilterSecurityInterceptorThenWarnWithXmlGuidance() {
+		this.validator.validate(this.chain);
+		verify(this.logger).warn(
+				"Usage of authorizeRequests is deprecated. Please use authorizeHttpRequests in the configuration. "
+						+ "If you are using XML configuration with <intercept-url>, "
+						+ "add use-authorization-manager=\"true\" to your <http> element.");
+	}
+
 	// SEC-1957
 	@Test
 	public void validateCustomMetadataSource() {