Spring Security 3.2.0.RC1 - <http> element and deprecated method

Question

After upgrading to Spring Security 3.2.0.RC1 I'm getting the warning "Method 'setFilterProcessesUrl' is marked deprecated" for <http auto-config="true"> in my xml config. I get this warning even for a very simple configuration:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true">
        <intercept-url pattern="/myurl*" access="ROLE_USER" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user1" password="12345" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

According to Spring Security 3.2 API documentation setFilterProcessesUrl is deprecated and setRequiresAuthenticationRequestMatcher(RequestMatcher) should be used instead. How can I change this basic XML configuration, so it doesn't use deprecated methods? I'm using Eclipse Kepler with Spring Tool Suite plugin.

UPDATE:

If I remove <http auto-config="true"> and add <form-login /> to the http element

<http>
    <intercept-url pattern="/myurl*" access="ROLE_USER" />
    <form-login />
</http>

I also get the "Method 'setFilterProcessesUrl' is marked deprecated" warning and if I add <logout /> I get the same warning the second time. On the other hand, if I replace <form-login /> and <logout /> with <http-basic /> the warnings go away.

Answer 1

Fixed in Spring Security 3.2.1. The warnings were caused by XML namespace using a deprecated method. https://jira.springsource.org/browse/SEC-2455

Answer 2

If you are using the namespace then an IDE error like this doesn't really matter, since you can guarantee that Spring Security will support the feature. You aren't actually using the method yourself.

auto-config is a bad idea generally. Someone looking at that configuration won't easily know what it actually does. Do you really want basic authentication, for example? You are best to remove auto-config and explicitly add the features you want.