use-authorization-manager defaults to true

Closes gh-11929

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -716,12 +716,15 @@ class HttpConfigurationBuilder {
 	}
 
 	private void createFilterSecurity(BeanReference authManager) {
-		boolean useAuthorizationManager = Boolean.parseBoolean(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
+		if (StringUtils.hasText(this.httpElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
-		if (useAuthorizationManager) {
 			createAuthorizationFilter();
 			return;
 		}
-		if (StringUtils.hasText(this.httpElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
+		boolean useAuthorizationManager = true;
+		if (StringUtils.hasText(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
+			useAuthorizationManager = Boolean.parseBoolean(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
+		}
+		if (useAuthorizationManager) {
 			createAuthorizationFilter();
 			return;
 		}

config/src/main/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecorator.java

@@ -93,10 +93,13 @@ public class InterceptMethodsBeanDefinitionDecorator implements BeanDefinitionDe
 
 		boolean supports(Node node) {
 			Element interceptMethodsElt = (Element) node;
-			if (Boolean.parseBoolean(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
+			if (StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
 				return true;
 			}
-			return StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_AUTHORIZATION_MGR));
+			if (StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
+				return Boolean.parseBoolean(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
+			}
+			return true;
 		}
 
 		private Pointcut pointcut(Element interceptorElt, Element protectElt) {

config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java

@@ -159,7 +159,10 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 	}
 
 	private String parseAuthorization(Element element, ParserContext parserContext) {
-		boolean useAuthorizationManager = Boolean.parseBoolean(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR));
+		boolean useAuthorizationManager = true;
+		if (StringUtils.hasText(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR))) {
+			useAuthorizationManager = Boolean.parseBoolean(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR));
+		}
 		if (useAuthorizationManager) {
 			return parseAuthorizationManager(element, parserContext);
 		}

config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc

@@ -178,7 +178,7 @@ intercept-methods.attlist &=
 	## Optional AccessDecisionManager bean ID to be used by the created method security interceptor.
 	attribute access-decision-manager-ref {xsd:token}?
 intercept-methods.attlist &=
-	## Use the AuthorizationManager API instead of AccessDecisionManager (defaults to false)
+	## Use the AuthorizationManager API instead of AccessDecisionManager (defaults to true)
 	attribute use-authorization-manager {xsd:boolean}?
 intercept-methods.attlist &=
 	## Use this AuthorizationManager instead of the default (supercedes use-authorization-manager)
@@ -306,7 +306,7 @@ websocket-message-broker.attrlist &=
 	## Use this AuthorizationManager instead of deriving one from <intercept-message> elements
 	attribute authorization-manager-ref {xsd:string}?
 websocket-message-broker.attrlist &=
-	## Use AuthorizationManager API instead of SecurityMetadatasource
+	## Use AuthorizationManager API instead of SecurityMetadatasource (defaults to true)
 	attribute use-authorization-manager {xsd:boolean}?
 websocket-message-broker.attrlist &=
 	## Use this SecurityContextHolderStrategy (note only supported in conjunction with the AuthorizationManager API)
@@ -368,7 +368,7 @@ http.attlist &=
 	## If available, runs the request as the Subject acquired from the JaasAuthenticationToken. Defaults to "false".
 	attribute jaas-api-provision {xsd:boolean}?
 http.attlist &=
-	## Use AuthorizationManager API instead of SecurityMetadataSource
+	## Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
 	attribute use-authorization-manager {xsd:boolean}?
 http.attlist &=
 	## Use this AuthorizationManager instead of deriving one from <intercept-url> elements

config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd

@@ -542,7 +542,7 @@
       </xs:attribute>
       <xs:attribute name="use-authorization-manager" type="xs:boolean">
          <xs:annotation>
-            <xs:documentation>Use the AuthorizationManager API instead of AccessDecisionManager (defaults to false)
+            <xs:documentation>Use the AuthorizationManager API instead of AccessDecisionManager (defaults to true)
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
@@ -967,7 +967,7 @@
       </xs:attribute>
       <xs:attribute name="use-authorization-manager" type="xs:boolean">
          <xs:annotation>
-            <xs:documentation>Use AuthorizationManager API instead of SecurityMetadatasource
+            <xs:documentation>Use AuthorizationManager API instead of SecurityMetadatasource (defaults to true)
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
@@ -1325,7 +1325,7 @@
       </xs:attribute>
       <xs:attribute name="use-authorization-manager" type="xs:boolean">
          <xs:annotation>
-            <xs:documentation>Use AuthorizationManager API instead of SecurityMetadataSource
+            <xs:documentation>Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>

config/src/test/java/org/springframework/security/config/http/FilterSecurityMetadataSourceBeanDefinitionParserTests.java

@@ -108,7 +108,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
 	public void parsingWithinFilterSecurityInterceptorIsSuccessful() {
 		// @formatter:off
 		setContext("<b:bean class=\"org.springframework.web.servlet.handler.HandlerMappingIntrospector\" name=\"mvcHandlerMappingIntrospector\"/>" +
-				"<http auto-config='true' use-expressions='false'/>"
+				"<http auto-config='true' use-expressions='false' use-authorization-manager='false'/>"
 				+ "<b:bean id='fsi' class='org.springframework.security.web.access.intercept.FilterSecurityInterceptor' autowire='byType'>"
 				+ "   <b:property name='securityMetadataSource'>"
 				+ "       <filter-security-metadata-source use-expressions='false'>"

config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java

@@ -84,6 +84,7 @@ import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.access.ExceptionTranslationFilter;
 import org.springframework.security.web.access.channel.ChannelProcessingFilter;
+import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@@ -849,8 +850,7 @@ public class MiscHttpConfigTests {
 		assertThat(filters.next()).isInstanceOf(SecurityContextHolderAwareRequestFilter.class);
 		assertThat(filters.next()).isInstanceOf(AnonymousAuthenticationFilter.class);
 		assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class);
-		assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class)
+		assertThat(filters.next()).isInstanceOf(AuthorizationFilter.class);
-				.hasFieldOrPropertyWithValue("observeOncePerRequest", false);
 	}
 
 	private <T extends Filter> T getFilter(Class<T> filterClass) {

config/src/test/java/org/springframework/security/config/http/NamespaceHttpBasicTests.java

@@ -99,7 +99,7 @@ public class NamespaceHttpBasicTests {
 	@Test
 	public void httpBasicCustomSecurityContextHolderStrategy() throws Exception {
 		// @formatter:off
-		loadContext("<http auto-config=\"true\" use-expressions=\"false\" security-context-holder-strategy-ref=\"ref\"/>\n"
+		loadContext("<http auto-config=\"true\" use-expressions=\"false\" security-context-holder-strategy-ref=\"ref\" use-authorization-manager=\"false\"/>\n"
 				+  "<authentication-manager id=\"authenticationManager\">\n"
 				+  "	<authentication-provider>\n"
 				+  "		<user-service>\n"

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-AutoConfig.xml

@@ -23,7 +23,9 @@
 		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 	<http-firewall ref="firewall"/>
-	<http auto-config="true"/>
+	<http auto-config="true">
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
 
 	<b:import resource="CsrfConfigTests-shared-userservice.xml"/>
 

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-CsrfDisabled.xml

@@ -23,6 +23,7 @@
 
 	<http auto-config="true">
 		<csrf disabled="true"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:import resource="CsrfConfigTests-shared-userservice.xml"/>

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-CsrfEnabled.xml

@@ -25,6 +25,7 @@
 	<http-firewall ref="firewall"/>
 	<http auto-config="true">
 		<intercept-url pattern="/authenticated/**" access="authenticated"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 		<csrf/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-WithRequestMatcher.xml

@@ -21,7 +21,7 @@
 		 xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
 		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<csrf request-matcher-ref="requestMatcher"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-WithSessionManagement.xml

@@ -21,7 +21,7 @@
 		 xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
 		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<session-management invalid-session-url="/error/sessionError"/>
 		<csrf/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-WithXorCsrfTokenRequestAttributeHandler.xml

@@ -24,6 +24,7 @@
 
 	<http auto-config="true">
 		<csrf request-handler-ref="requestHandler"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean id="requestHandler" class="org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler"

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-ForSec2919.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<form-login login-page="/login"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-ForSec3147.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<form-login login-page="/login"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-NoLeadingSlashDefaultTargetUrl.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<form-login default-target-url="noLeadingSlash"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-NoLeadingSlashLoginPage.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<form-login login-page="noLeadingSlash"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-UsingSpel.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="ROLE_USER"/>
 		<form-login
 				default-target-url="#{T(org.springframework.security.config.http.WebConfigUtilsTests).URL}/default"

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithAntRequestMatcher.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false" request-matcher="ant">
+	<http auto-config="true" use-expressions="false" request-matcher="ant" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="ROLE_USER"/>
 		<form-login/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithCsrfDisabled.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<csrf disabled="true"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithCsrfEnabled.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<csrf disabled="false"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithCustomSecurityContextHolderStrategy.xml

@@ -24,7 +24,8 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false" security-context-holder-strategy-ref="ref">
+	<http auto-config="true" security-context-holder-strategy-ref="ref">
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean id="ref" class="org.mockito.Mockito" factory-method="spy">

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithDefaultTargetUrl.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="ROLE_USER"/>
 		<form-login always-use-default-target="true" default-target-url="/default"/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithSuccessAndFailureHandlers.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false" request-matcher="ant">
+	<http auto-config="true" use-expressions="false" request-matcher="ant" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="ROLE_USER"/>
 		<form-login authentication-success-handler-ref="fsh" authentication-failure-handler-ref="fsh"/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithUsernameAndPasswordParameters.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<form-login username-parameter="xname" password-parameter="xpass"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/HttpConfigTests-Minimal.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="ROLE_USER"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/HttpConfigTests-MinimalAuthorizationManager.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-authorization-manager="true">
+	<http auto-config="true">
 		<intercept-url pattern="/**" access="hasRole('USER')"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/HttpCorsConfigTests-RequiresMvc.xml

@@ -25,7 +25,7 @@
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<cors/>
 	</http>
 </b:beans>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-CacheControlDisabled.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<cache-control disabled="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-ContentSecurityPolicyWithEmptyDirectives.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<headers>
 			<content-security-policy policy-directives=""/>
 		</headers>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-ContentSecurityPolicyWithPolicyDirectives.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<headers>
 			<content-security-policy policy-directives="default-src 'self'"/>
 		</headers>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-ContentSecurityPolicyWithReportOnly.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<headers>
 			<content-security-policy
 					policy-directives="default-src https:; report-uri https://example.org/"

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-ContentTypeOptionsDisabled.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<content-type-options disabled="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultConfig.xml

@@ -24,7 +24,9 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true"/>
+	<http auto-config="true">
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
 

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithCacheControl.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<cache-control/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithContentSecurityPolicy.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<content-security-policy policy-directives="default-src 'self'"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithContentTypeOptions.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 				<content-type-options/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithCrossOriginEmbedderPolicy.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<cross-origin-embedder-policy policy="require-corp"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithCrossOriginOpenerPolicy.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<cross-origin-opener-policy policy="same-origin-allow-popups"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithCrossOriginPolicies.xml

@@ -30,6 +30,7 @@
 			<cross-origin-embedder-policy policy="require-corp"/>
 			<cross-origin-resource-policy policy="same-origin"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithCrossOriginResourcePolicy.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<cross-origin-resource-policy policy="same-origin"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithCustomHeader.xml

@@ -29,6 +29,7 @@
 			<header name="a" value="b"/>
 			<header name="c" value="d"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithCustomHeaderWriter.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<header ref="static"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="static" class="org.springframework.security.web.header.writers.StaticHeadersWriter">

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithCustomHstsRequestMatcher.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<hsts include-subdomains="false" max-age-seconds="1" request-matcher-ref="any"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="any" class="org.springframework.security.web.util.matcher.AnyRequestMatcher"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithFrameOptions.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<frame-options/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithFrameOptionsAllowFrom.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<frame-options policy="ALLOW-FROM" strategy="static" value="https://example.org"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithFrameOptionsAllowFromWhitelist.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<frame-options policy="ALLOW-FROM" strategy="whitelist" value="https://example.org"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithFrameOptionsDeny.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<frame-options policy="DENY"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithFrameOptionsSameOrigin.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<frame-options policy="SAMEORIGIN"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithHpkp.xml

@@ -32,6 +32,7 @@
 				</pins>
 			</hpkp>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithHpkpDefaults.xml

@@ -32,6 +32,7 @@
 				</pins>
 			</hpkp>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithHpkpIncludeSubdomains.xml

@@ -32,6 +32,7 @@
 				</pins>
 			</hpkp>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithHpkpMaxAge.xml

@@ -32,6 +32,7 @@
 				</pins>
 			</hpkp>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithHpkpReport.xml

@@ -32,6 +32,7 @@
 				</pins>
 			</hpkp>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithHpkpReportUri.xml

@@ -32,6 +32,7 @@
 				</pins>
 			</hpkp>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithHsts.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<hsts/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithNoOverride.xml

@@ -26,6 +26,7 @@
 
 	<http auto-config="true">
 		<headers defaults-disabled="true"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithPermissionsPolicy.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<permissions-policy policy="geolocation=(self)"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithPlaceholder.xml

@@ -26,6 +26,7 @@
 
 	<http auto-config="true">
 		<headers defaults-disabled="${security.headers.defaults.disabled}"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithReferrerPolicy.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<referrer-policy/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithReferrerPolicySameOrigin.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<referrer-policy policy="same-origin"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithXssProtection.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<xss-protection/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithXssProtectionDisabled.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<xss-protection enabled="false"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithXssProtectionDisabledAndBlockSet.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<xss-protection enabled="false" block="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithXssProtectionDisabledAndHeaderValueOne.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<xss-protection enabled="false" header-value="1"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithXssProtectionEnabled.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<xss-protection enabled="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithXssProtectionHeaderValueOne.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<xss-protection header-value="1"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithXssProtectionHeaderValueOneModeBlock.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<xss-protection header-value="1; mode=block"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithXssProtectionHeaderValueZero.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<xss-protection header-value="0"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DisabledWithPlaceholder.xml

@@ -26,6 +26,7 @@
 
 	<http auto-config="true">
 		<headers disabled="${security.headers.disabled}" />
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-FrameOptionsDisabled.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<frame-options disabled="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-FrameOptionsDisabledSpecifyingPolicy.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<frame-options disabled="true" policy="DENY"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HeadersDisabled.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<headers disabled="true"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HeadersDisabledHavingChildElement.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<headers disabled="true">
 			<content-type-options/>
 		</headers>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HeadersDisabledWithContentSecurityPolicy.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<headers disabled="true">
 			<content-security-policy policy-directives="default-src 'self'"/>
 		</headers>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HeadersEnabled.xml

@@ -26,6 +26,7 @@
 
 	<http auto-config="true">
 		<headers/>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HpkpDisabled.xml

@@ -32,6 +32,7 @@
 				</pins>
 			</hpkp>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HstsDisabled.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<hsts disabled="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HstsDisabledSpecifyingIncludeSubdomains.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<hsts disabled="true" include-subdomains="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HstsDisabledSpecifyingMaxAge.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<hsts disabled="true" max-age-seconds="1"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HstsDisabledSpecifyingRequestMatcher.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<hsts disabled="true" request-matcher-ref="dave"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-WithFrameOptions.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<frame-options policy="SAMEORIGIN"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-XssProtectionDisabled.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<xss-protection disabled="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-XssProtectionDisabledAndEnabled.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<xss-protection disabled="true" enabled="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-XssProtectionDisabledSpecifyingBlock.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<xss-protection disabled="true" block="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-XssProtectionDisabledSpecifyingHeaderValue.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<xss-protection disabled="true" header-value="1"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpInterceptUrlTests-interceptUrlWhenRequestMatcherRefThenWorks.xml

@@ -9,6 +9,7 @@
 	<http>
 		<http-basic/>
 		<intercept-url request-matcher-ref="matcherRef" access="denyAll"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<user-service>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-AntMatcherServletPath.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http request-matcher="ant">
+	<http request-matcher="ant" use-authorization-manager="false">
 		<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
 		<http-basic/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-AntMatcherServletPathAuthorizationManager.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http request-matcher="ant" use-authorization-manager="true">
+	<http request-matcher="ant">
 		<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
 		<http-basic/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CamelCasePathVariables.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true">
+	<http auto-config="true" use-authorization-manager="false">
 		<intercept-url pattern="/path/{userName}/**" access="#userName == authentication.name"/>
 		<intercept-url pattern="/**" access="denyAll"/>
 		<http-basic/>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CamelCasePathVariablesAuthorizationManager.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-authorization-manager="true">
+	<http auto-config="true">
 		<intercept-url pattern="/path/{userName}/**" access="#userName == authentication.name"/>
 		<intercept-url pattern="/**" access="denyAll"/>
 		<http-basic/>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CiRegexMatcherServletPath.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http request-matcher="ciRegex">
+	<http request-matcher="ciRegex" use-authorization-manager="false">
 		<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
 		<http-basic/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CiRegexMatcherServletPathAuthorizationManager.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http request-matcher="ciRegex" use-authorization-manager="true">
+	<http request-matcher="ciRegex">
 		<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
 		<http-basic/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-DefaultMatcherServletPath.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http>
+	<http use-authorization-manager="false">
 		<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
 		<http-basic/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-DefaultMatcherServletPathAuthorizationManager.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http use-authorization-manager="true">
+	<http>
 		<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
 		<http-basic/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-HasAnyRole.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true">
+	<http auto-config="true" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER', 'ROLE_USER')"/>
 		<http-basic/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-HasAnyRoleAuthorizationManager.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-authorization-manager="true">
+	<http auto-config="true">
 		<intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER', 'ROLE_USER')"/>
 		<http-basic/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MvcMatchers.xml

@@ -27,7 +27,7 @@
 			http://www.springframework.org/schema/mvc
 			https://www.springframework.org/schema/mvc/spring-mvc.xsd">
 
-	<http auto-config="true" request-matcher="mvc">
+	<http auto-config="true" request-matcher="mvc" use-authorization-manager="false">
 		<intercept-url pattern="/path" access="denyAll"/>
 		<http-basic/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MvcMatchersAuthorizationManager.xml

@@ -27,7 +27,7 @@
 			http://www.springframework.org/schema/mvc
 			https://www.springframework.org/schema/mvc/spring-mvc.xsd">
 
-	<http auto-config="true" request-matcher="mvc" use-authorization-manager="true">
+	<http auto-config="true" request-matcher="mvc">
 		<intercept-url pattern="/path" access="denyAll"/>
 		<http-basic/>
 	</http>