Use authorizeHttpRequests

Issue gh-15174

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -331,8 +331,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.anyRequest().hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin((formLogin) -&gt;
@@ -465,8 +465,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.jee((jee) -&gt;
@@ -545,8 +545,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.x509(withDefaults());
@@ -582,8 +582,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
@@ -865,8 +865,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.requestCache((requestCache) -&gt;
@@ -904,8 +904,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			// sample exception handling customization
@@ -1042,8 +1042,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
@@ -1098,8 +1098,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
@@ -1135,8 +1135,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
@@ -1188,8 +1188,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults());
@@ -1218,8 +1218,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin((formLogin) -&gt;
@@ -1298,8 +1298,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.anyRequest().authenticated()
 	 * 			)
 	 * 			.saml2Login(withDefaults());
@@ -1387,7 +1387,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *		&#064;Bean
 	 *		public SecurityFilterChain web(HttpSecurity http) throws Exception {
 	 *			http
-	 *				.authorizeRequests((authorize) -&gt; authorize
+	 *				.authorizeHttpRequests((authorize) -&gt; authorize
 	 *					.anyRequest().authenticated()
 	 *				)
 	 *				.saml2Login(withDefaults())
@@ -1516,8 +1516,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.anyRequest().authenticated()
 	 * 			)
 	 * 			.oauth2Login(withDefaults());
@@ -1596,8 +1596,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.anyRequest().authenticated()
 	 * 			)
 	 * 			.oauth2Client(withDefaults());
@@ -1635,8 +1635,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.anyRequest().authenticated()
 	 * 			)
 	 * 			.oauth2ResourceServer((oauth2ResourceServer) -&gt;
@@ -1731,8 +1731,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
@@ -1833,8 +1833,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.httpBasic(withDefaults());
@@ -1878,8 +1878,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests(authorizeRequests -&gt;
+	 * 			.authorizeHttpRequests(authorizeHttpRequests -&gt;
-	 * 				authorizeRequests
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.passwordManagement(passwordManagement -&gt;

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java

@@ -99,11 +99,11 @@ final class WebSecurityFilterChainValidator implements FilterChainProxy.FilterCh
 			}
 			if (authorizationFilter != null && filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"It is not recommended to use authorizeRequests in the configuration. Please only use authorizeHttpRequests");
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests is deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;

config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java

@@ -126,11 +126,11 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
 			}
 			if (authorizationFilter != null && filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"It is not recommended to use authorizeRequests in the configuration. Please only use authorizeHttpRequests");
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests is deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;

config/src/main/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDsl.kt

@@ -40,7 +40,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher
  *     @Bean
  *     fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
  *         http {
- *             authorizeRequests {
+ *             authorizeHttpRequests {
  *                 authorize("/public", permitAll)
  *                 authorize(anyRequest, authenticated)
  *             }

config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java

@@ -52,7 +52,7 @@ public class SecurityConfig {
 	SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeRequests((requests) -> requests
+			.authorizeHttpRequests((requests) -> requests
 				.requestMatchers(pathPattern("/*")).permitAll())
 			.authenticationProvider(authenticationProvider());
 		// @formatter:on

config/src/test/java/org/springframework/security/config/annotation/sec2758/Sec2758Tests.java

@@ -38,7 +38,9 @@ import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
+import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -84,11 +86,13 @@ public class Sec2758Tests {
 	static class SecurityConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, WebExpressionAuthorizationManager.Builder authz)
+				throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.anyRequest().access("hasAnyRole('CUSTOM')"));
+					.anyRequest().access(authz.expression("hasAnyRole('CUSTOM')"))
+				);
 			return http.build();
 			// @formatter:on
 		}
@@ -103,6 +107,16 @@ public class Sec2758Tests {
 			return new DefaultRolesPrefixPostProcessor();
 		}
 
+		@Bean
+		static WebExpressionAuthorizationManager.Builder authz(DefaultHttpSecurityExpressionHandler expressionHandler) {
+			return WebExpressionAuthorizationManager.withExpressionHandler(expressionHandler);
+		}
+
+		@Bean
+		static DefaultHttpSecurityExpressionHandler expressionHandler() {
+			return new DefaultHttpSecurityExpressionHandler();
+		}
+
 		@RestController
 		static class RootController {
 
@@ -140,6 +154,9 @@ public class Sec2758Tests {
 			if (bean instanceof DefaultWebSecurityExpressionHandler) {
 				((DefaultWebSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
 			}
+			if (bean instanceof DefaultHttpSecurityExpressionHandler http) {
+				http.setDefaultRolePrefix("");
+			}
 			return bean;
 		}
 

config/src/test/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistryAnyMatcherTests.java

@@ -85,7 +85,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated()
 					.requestMatchers(pathPattern("/demo/**")).permitAll());
 			return http.build();
@@ -102,7 +102,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
 		SecurityFilterChain filterChain(HttpSecurity http, PathPatternRequestMatcher.Builder builder) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated()
 					.requestMatchers(builder.matcher("/demo/**")).permitAll());
 			return http.build();
@@ -119,7 +119,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated()
 					.requestMatchers(new RegexRequestMatcher(".*", null)).permitAll());
 			return http.build();
@@ -136,7 +136,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated()
 					.anyRequest().permitAll());
 			return http.build();
@@ -153,7 +153,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated()
 					.requestMatchers(pathPattern("/**")).permitAll());
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpConfigurationTests.java

@@ -152,7 +152,7 @@ public class HttpConfigurationTests {
 				.securityMatchers((security) -> security
 					.requestMatchers(pathPattern("/api/**"))
 					.requestMatchers(pathPattern("/oauth/**")))
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.httpBasic(withDefaults());
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAuthenticationManagerTests.java

@@ -84,7 +84,7 @@ public class HttpSecurityAuthenticationManagerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests((authz) -> authz
+					.authorizeHttpRequests((authz) -> authz
 							.anyRequest().authenticated()
 					)
 					.httpBasic(withDefaults())
@@ -106,7 +106,7 @@ public class HttpSecurityAuthenticationManagerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests((authz) -> authz
+					.authorizeHttpRequests((authz) -> authz
 						.anyRequest().authenticated()
 					)
 					.httpBasic(withDefaults())

config/src/test/java/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.java

@@ -16,6 +16,10 @@
 
 package org.springframework.security.config.annotation.web.builders;
 
+import java.util.Collection;
+import java.util.LinkedHashMap;
+import java.util.function.Supplier;
+
 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginContext;
 
@@ -25,17 +29,20 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.DependsOn;
 import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.access.SecurityMetadataSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
-import org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
@@ -47,15 +54,15 @@ import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
 import org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource;
-import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
-import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.context.NullSecurityContextRepository;
 import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;
+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.RegexRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.stereotype.Controller;
@@ -99,14 +106,12 @@ public class NamespaceHttpTests {
 
 	@Test // http@access-decision-manager-ref
 	public void configureWhenAccessDecisionManagerSetThenVerifyUse() throws Exception {
-		AccessDecisionManagerRefConfig.ACCESS_DECISION_MANAGER = mock(AccessDecisionManager.class);
-		given(AccessDecisionManagerRefConfig.ACCESS_DECISION_MANAGER.supports(FilterInvocation.class)).willReturn(true);
-		given(AccessDecisionManagerRefConfig.ACCESS_DECISION_MANAGER.supports(any(ConfigAttribute.class)))
-			.willReturn(true);
 		this.spring.register(AccessDecisionManagerRefConfig.class).autowire();
+		AccessDecisionManager accessDecisionManager = this.spring.getContext().getBean(AccessDecisionManager.class);
+		given(accessDecisionManager.supports(FilterInvocation.class)).willReturn(true);
+		given(accessDecisionManager.supports(any(ConfigAttribute.class))).willReturn(true);
 		this.mockMvc.perform(get("/"));
-		verify(AccessDecisionManagerRefConfig.ACCESS_DECISION_MANAGER, times(1)).decide(any(Authentication.class),
+		verify(accessDecisionManager, times(1)).decide(any(Authentication.class), any(), anyCollection());
-				any(), anyCollection());
 	}
 
 	@Test // http@access-denied-page
@@ -267,39 +272,61 @@ public class NamespaceHttpTests {
 			.isAssignableFrom(MainController.HTTP_SERVLET_REQUEST_TYPE);
 	}
 
-	@Test // http@use-expressions=true
-	public void configureWhenUseExpressionsEnabledThenExpressionBasedSecurityMetadataSource() {
-		this.spring.register(UseExpressionsConfig.class).autowire();
-		UseExpressionsConfig config = this.spring.getContext().getBean(UseExpressionsConfig.class);
-		assertThat(ExpressionBasedFilterInvocationSecurityMetadataSource.class)
-			.isAssignableFrom(config.filterInvocationSecurityMetadataSourceType);
-	}
-
-	@Test // http@use-expressions=false
-	public void configureWhenUseExpressionsDisabledThenDefaultSecurityMetadataSource() {
-		this.spring.register(DisableUseExpressionsConfig.class).autowire();
-		DisableUseExpressionsConfig config = this.spring.getContext().getBean(DisableUseExpressionsConfig.class);
-		assertThat(DefaultFilterInvocationSecurityMetadataSource.class)
-			.isAssignableFrom(config.filterInvocationSecurityMetadataSourceType);
-	}
-
 	@Configuration
 	@EnableWebSecurity
 	static class AccessDecisionManagerRefConfig {
 
-		static AccessDecisionManager ACCESS_DECISION_MANAGER;
+		AccessDecisionManager accessDecisionManager = mock(AccessDecisionManager.class);
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.anyRequest().permitAll()
+					.anyRequest().access(new AccessAuthorizationManagerAdapter(this.accessDecisionManager, "permitAll"))
-					.accessDecisionManager(ACCESS_DECISION_MANAGER));
+				);
 			return http.build();
 			// @formatter:on
 		}
 
+		@Bean
+		AccessDecisionManager accessDecisionManager() {
+			return this.accessDecisionManager;
+		}
+
+		private static final class AccessAuthorizationManagerAdapter
+				implements AuthorizationManager<RequestAuthorizationContext> {
+
+			private final AccessDecisionManager delegate;
+
+			private final SecurityMetadataSource metadataSource;
+
+			private AccessAuthorizationManagerAdapter(AccessDecisionManager delegate, String expression) {
+				this.delegate = delegate;
+				LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> mappings = new LinkedHashMap<>();
+				mappings.put(AnyRequestMatcher.INSTANCE, SecurityConfig.createList(expression));
+				DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
+				this.metadataSource = new ExpressionBasedFilterInvocationSecurityMetadataSource(mappings, handler);
+			}
+
+			@Override
+			public AuthorizationResult authorize(Supplier<Authentication> authentication,
+					RequestAuthorizationContext object) {
+				HttpServletRequest request = object.getRequest();
+				FilterInvocation invocation = new FilterInvocation(request.getContextPath(), request.getServletPath(),
+						request.getPathInfo(), request.getQueryString(), request.getMethod());
+				Collection<ConfigAttribute> attributes = this.metadataSource.getAttributes(invocation);
+				try {
+					this.delegate.decide(authentication.get(), invocation, attributes);
+					return new AuthorizationDecision(true);
+				}
+				catch (AccessDeniedException ex) {
+					return new AuthorizationDecision(false);
+				}
+			}
+
+		}
+
 	}
 
 	@Configuration
@@ -311,7 +338,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin").hasRole("ADMIN")
 					.anyRequest().authenticated())
 				.exceptionHandling((handling) -> handling
@@ -337,7 +364,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin(withDefaults());
 			return http.build();
@@ -354,7 +381,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().permitAll())
 				.sessionManagement((management) -> management
 					.sessionCreationPolicy(SessionCreationPolicy.ALWAYS));
@@ -372,7 +399,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().permitAll())
 				.sessionManagement((management) -> management
 					.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
@@ -391,7 +418,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/unsecure").permitAll()
 					.anyRequest().authenticated())
 				.sessionManagement((management) -> management
@@ -411,7 +438,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().anonymous())
 				.sessionManagement((management) -> management
 					.sessionCreationPolicy(SessionCreationPolicy.NEVER));
@@ -429,7 +456,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.exceptionHandling((handling) -> handling
 					.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/entry-point")))
@@ -463,7 +490,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.httpBasic((basic) -> basic
 					.realmName("RealmConfig"));
@@ -553,7 +580,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.securityContext((context) -> context
 					.securityContextRepository(new NullSecurityContextRepository()))
@@ -577,7 +604,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().permitAll())
 				.servletApi((api) -> api
 					.disable());
@@ -595,7 +622,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().permitAll());
 			return http.build();
 			// @formatter:on
@@ -616,76 +643,4 @@ public class NamespaceHttpTests {
 
 	}
 
-	@Configuration
-	@EnableWebSecurity
-	@EnableWebMvc
-	static class UseExpressionsConfig {
-
-		private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
-
-		private HttpSecurity httpSecurity;
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			// @formatter:off
-			http
-				.authorizeRequests((requests) -> requests
-					.requestMatchers("/users**", "/sessions/**").hasRole("USER")
-					.requestMatchers("/signup").permitAll()
-					.anyRequest().hasRole("USER"));
-			this.httpSecurity = http;
-			return http.build();
-			// @formatter:on
-		}
-
-		@Bean
-		@DependsOn("filterChain")
-		WebSecurityCustomizer webSecurityCustomizer() {
-			return (web) -> web.postBuildAction(() -> {
-				FilterSecurityInterceptor securityInterceptor = this.httpSecurity
-					.getSharedObject(FilterSecurityInterceptor.class);
-				UseExpressionsConfig.this.filterInvocationSecurityMetadataSourceType = securityInterceptor
-					.getSecurityMetadataSource()
-					.getClass();
-			});
-		}
-
-	}
-
-	@Configuration
-	@EnableWebSecurity
-	@EnableWebMvc
-	static class DisableUseExpressionsConfig {
-
-		private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
-
-		private HttpSecurity httpSecurity;
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
-			// @formatter:off
-			http
-				.apply(new UrlAuthorizationConfigurer<>(context)).getRegistry()
-					.requestMatchers("/users**", "/sessions/**").hasRole("USER")
-					.requestMatchers("/signup").hasRole("ANONYMOUS")
-					.anyRequest().hasRole("USER");
-			this.httpSecurity = http;
-			return http.build();
-			// @formatter:on
-		}
-
-		@Bean
-		@DependsOn("filterChain")
-		WebSecurityCustomizer webSecurityCustomizer() {
-			return (web) -> web.postBuildAction(() -> {
-				FilterSecurityInterceptor securityInterceptor = this.httpSecurity
-					.getSharedObject(FilterSecurityInterceptor.class);
-				DisableUseExpressionsConfig.this.filterInvocationSecurityMetadataSourceType = securityInterceptor
-					.getSecurityMetadataSource()
-					.getClass();
-			});
-		}
-
-	}
-
 }

config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java

@@ -138,7 +138,7 @@ public class WebSecurityTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll());
 			// @formatter:on
 			return http.build();
@@ -178,7 +178,7 @@ public class WebSecurityTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll());
 			// @formatter:on
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java

@@ -32,7 +32,6 @@ import org.mockito.Mock;
 import org.mockito.MockedStatic;
 import org.mockito.junit.jupiter.MockitoExtension;
 
-import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -85,7 +84,6 @@ import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
@@ -312,22 +310,6 @@ public class HttpSecurityConfigurationTests {
 		assertThat(CustomAuthenticationEventPublisherConfig.EVENTS).hasSize(1);
 	}
 
-	@Test
-	public void configureWhenAuthorizeHttpRequestsBeforeAuthorizeRequestThenException() {
-		assertThatExceptionOfType(BeanCreationException.class)
-			.isThrownBy(() -> this.spring.register(AuthorizeHttpRequestsBeforeAuthorizeRequestsConfig.class).autowire())
-			.withMessageContaining(
-					"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");
-	}
-
-	@Test
-	public void configureWhenAuthorizeHttpRequestsAfterAuthorizeRequestThenException() {
-		assertThatExceptionOfType(BeanCreationException.class)
-			.isThrownBy(() -> this.spring.register(AuthorizeHttpRequestsAfterAuthorizeRequestsConfig.class).autowire())
-			.withMessageContaining(
-					"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");
-	}
-
 	@Test
 	public void configureWhenDefaultConfigurerAsSpringFactoryThenDefaultConfigurerApplied() {
 		DefaultConfigurer configurer = new DefaultConfigurer();
@@ -472,7 +454,7 @@ public class HttpSecurityConfigurationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			return http
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().permitAll()
 					)
 					.build();
@@ -489,7 +471,7 @@ public class HttpSecurityConfigurationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			return http
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 					)
 					.formLogin(withDefaults())
@@ -516,46 +498,6 @@ public class HttpSecurityConfigurationTests {
 
 	}
 
-	@Configuration
-	@EnableWebSecurity
-	static class AuthorizeHttpRequestsBeforeAuthorizeRequestsConfig {
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			// @formatter:off
-			return http
-					.authorizeHttpRequests((authorize) -> authorize
-							.anyRequest().authenticated()
-					)
-					.authorizeRequests((requests) -> requests
-							.anyRequest().authenticated()
-					)
-					.build();
-			// @formatter:on
-		}
-
-	}
-
-	@Configuration
-	@EnableWebSecurity
-	static class AuthorizeHttpRequestsAfterAuthorizeRequestsConfig {
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			// @formatter:off
-			return http
-					.authorizeRequests((requests) -> requests
-							.anyRequest().authenticated()
-					)
-					.authorizeHttpRequests((authorize) -> authorize
-							.anyRequest().authenticated()
-					)
-					.build();
-			// @formatter:on
-		}
-
-	}
-
 	@Configuration
 	static class CustomAuthenticationEventPublisherConfig {
 

config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfigurationTests.java

@@ -273,7 +273,7 @@ public class OAuth2ClientConfigurationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2Login(withDefaults());
 			return http.build();
@@ -311,7 +311,7 @@ public class OAuth2ClientConfigurationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2Login(withDefaults());
 			return http.build();
@@ -329,7 +329,7 @@ public class OAuth2ClientConfigurationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2Login(withDefaults());
 			return http.build();
@@ -367,7 +367,7 @@ public class OAuth2ClientConfigurationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2Login(withDefaults());
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java

@@ -38,7 +38,6 @@ import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.Expression;
-import org.springframework.expression.ExpressionParser;
 import org.springframework.mock.web.MockFilterChain;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -62,6 +61,7 @@ import org.springframework.security.web.access.PathPatternRequestTransformer;
 import org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
+import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.util.ClassUtils;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -71,7 +71,6 @@ import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
@@ -137,12 +136,9 @@ public class WebSecurityConfigurationTests {
 
 	@Test
 	public void loadConfigWhenSecurityExpressionHandlerSetThenIsRegistered() {
-		WebSecurityExpressionHandlerConfig.EXPRESSION_HANDLER = mock(SecurityExpressionHandler.class);
-		given(WebSecurityExpressionHandlerConfig.EXPRESSION_HANDLER.getExpressionParser())
-			.willReturn(mock(ExpressionParser.class));
 		this.spring.register(WebSecurityExpressionHandlerConfig.class).autowire();
-		assertThat(this.spring.getContext().getBean(SecurityExpressionHandler.class))
+		assertThat(this.spring.getContext().getBean("webSecurityExpressionHandler", SecurityExpressionHandler.class))
-			.isSameAs(WebSecurityExpressionHandlerConfig.EXPRESSION_HANDLER);
+			.isSameAs(this.spring.getContext().getBean("mock"));
 	}
 
 	@Test
@@ -316,7 +312,7 @@ public class WebSecurityConfigurationTests {
 		// null authentication
 		assertThat(privilegeEvaluator.isAllowed("/user", null)).isFalse();
 		assertThat(privilegeEvaluator.isAllowed("/admin", null)).isFalse();
-		assertThat(privilegeEvaluator.isAllowed("/another", null)).isFalse();
+		assertThat(privilegeEvaluator.isAllowed("/another", null)).isTrue();
 		assertThat(privilegeEvaluator.isAllowed("/ignoring1", null)).isTrue();
 		assertThat(privilegeEvaluator.isAllowed("/ignoring1/child", null)).isTrue();
 	}
@@ -415,7 +411,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			return http
 					.securityMatcher(pathPattern("/role1/**"))
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 							.anyRequest().hasRole("1")
 					)
 					.build();
@@ -428,7 +424,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			return http
 					.securityMatcher(pathPattern("/role2/**"))
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 							.anyRequest().hasRole("2")
 					)
 					.build();
@@ -441,7 +437,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			return http
 					.securityMatcher(pathPattern("/role3/**"))
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 							.anyRequest().hasRole("3")
 					)
 					.build();
@@ -452,7 +448,7 @@ public class WebSecurityConfigurationTests {
 		SecurityFilterChain filterChain4(HttpSecurity http) throws Exception {
 			// @formatter:off
 			return http
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("4")
 					)
 					.build();
@@ -472,7 +468,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			return http
 					.securityMatcher(pathPattern("/role1/**"))
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 							.anyRequest().hasRole("1")
 					)
 					.build();
@@ -518,22 +514,16 @@ public class WebSecurityConfigurationTests {
 	@EnableWebSecurity
 	static class WebSecurityExpressionHandlerConfig {
 
-		static SecurityExpressionHandler EXPRESSION_HANDLER;
+		SecurityExpressionHandler<FilterInvocation> expressionHandler = mock(SecurityExpressionHandler.class);
 
 		@Bean
 		WebSecurityCustomizer webSecurityCustomizer() {
-			return (web) -> web.expressionHandler(EXPRESSION_HANDLER);
+			return (web) -> web.expressionHandler(this.expressionHandler);
 		}
 
-		@Bean
+		@Bean("mock")
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityExpressionHandler<FilterInvocation> expressionHandler() {
-			// @formatter:off
+			return this.expressionHandler;
-			http
-				.authorizeRequests((requests) -> requests
-					.anyRequest().authenticated()
-					.expressionHandler(EXPRESSION_HANDLER));
-			return http.build();
-			// @formatter:on
 		}
 
 	}
@@ -557,7 +547,7 @@ public class WebSecurityConfigurationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated());
 			return http.build();
 			// @formatter:on
@@ -608,7 +598,7 @@ public class WebSecurityConfigurationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated());
 			return http.build();
 			// @formatter:on
@@ -624,7 +614,7 @@ public class WebSecurityConfigurationTests {
 		public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			return http
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 					)
 					.build();
@@ -638,15 +628,22 @@ public class WebSecurityConfigurationTests {
 	static class DefaultExpressionHandlerSetsBeanResolverConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, WebExpressionAuthorizationManager.Builder authz)
+				throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.anyRequest().access("request.method == 'GET' ? @b.grant() : @b.deny()"));
+					.anyRequest().access(authz.expression("request.method == 'GET' ? @b.grant() : @b.deny()"))
+				);
 			return http.build();
 			// @formatter:on
 		}
 
+		@Bean
+		WebExpressionAuthorizationManager.Builder authz() {
+			return WebExpressionAuthorizationManager.withDefaults();
+		}
+
 		@Bean
 		public MyBean b() {
 			return new MyBean();
@@ -727,7 +724,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			return http
 					.securityMatcher(pathPattern("/role1/**"))
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 							.anyRequest().hasRole("1")
 					)
 					.build();
@@ -766,7 +763,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			http
 				.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/path1/**")))
-				.authorizeRequests((requests) -> requests.anyRequest().authenticated());
+				.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
 			// @formatter:on
 			return http.build();
 		}
@@ -774,7 +771,7 @@ public class WebSecurityConfigurationTests {
 		@Bean
 		@Order(Ordered.LOWEST_PRECEDENCE)
 		public SecurityFilterChain permitAll(HttpSecurity http) throws Exception {
-			http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
+			http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
 			return http.build();
 		}
 
@@ -790,7 +787,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			http
 					.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/path1/**")))
-					.authorizeRequests((requests) -> requests.anyRequest().authenticated());
+					.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
 			// @formatter:on
 			return http.build();
 		}
@@ -798,7 +795,7 @@ public class WebSecurityConfigurationTests {
 		@Bean
 		@Order(Ordered.LOWEST_PRECEDENCE)
 		public SecurityFilterChain permitAll(HttpSecurity http) throws Exception {
-			http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
+			http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
 			return http.build();
 		}
 
@@ -815,7 +812,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			http
 				.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/user")))
-				.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
+				.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("USER"));
 			// @formatter:on
 			return http.build();
 		}
@@ -826,7 +823,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			http
 				.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/admin")))
-				.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
+				.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
 			// @formatter:on
 			return http.build();
 		}
@@ -834,7 +831,7 @@ public class WebSecurityConfigurationTests {
 		@Bean
 		@Order(Ordered.LOWEST_PRECEDENCE)
 		public SecurityFilterChain permitAll(HttpSecurity http) throws Exception {
-			http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
+			http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
 			return http.build();
 		}
 
@@ -857,7 +854,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			http
 					.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/user")))
-					.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
+					.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("USER"));
 			// @formatter:on
 			return http.build();
 		}
@@ -868,7 +865,7 @@ public class WebSecurityConfigurationTests {
 			// @formatter:off
 			http
 					.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/admin")))
-					.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
+					.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
 			// @formatter:on
 			return http.build();
 		}
@@ -876,7 +873,7 @@ public class WebSecurityConfigurationTests {
 		@Bean
 		@Order(Ordered.LOWEST_PRECEDENCE)
 		public SecurityFilterChain permitAll(HttpSecurity http) throws Exception {
-			http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
+			http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
 			return http.build();
 		}
 

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java

@@ -146,9 +146,7 @@ public class AnonymousConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize.anyRequest().anonymous())
-						.anyRequest().permitAll()
-				)
 				.anonymous(AbstractHttpConfigurer::disable);
 			// @formatter:on
 			return http.build();
@@ -169,7 +167,7 @@ public class AnonymousConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().permitAll()
 				)
 				.anonymous(withDefaults());

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java

@@ -40,6 +40,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.servlet.MockServletContext;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
@@ -205,7 +206,7 @@ public class AuthorizeRequestsTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers(pathPattern(HttpMethod.POST, "/**")).denyAll());
 			// @formatter:on
 			return http.build();
@@ -226,7 +227,7 @@ public class AuthorizeRequestsTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.requestMatchers(pathPattern(HttpMethod.POST, "/**")).denyAll()
 				);
 			// @formatter:on
@@ -249,10 +250,11 @@ public class AuthorizeRequestsTests {
 			PathPatternParser parser = new PathPatternParser();
 			parser.setCaseSensitive(false);
 			PathPatternRequestMatcher.Builder builder = PathPatternRequestMatcher.withPathPatternParser(parser);
+			WebExpressionAuthorizationManager authz = new WebExpressionAuthorizationManager("#user == 'user'");
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.requestMatchers(builder.matcher("/user/{user}")).access("#user == 'user'")
+					.requestMatchers(builder.matcher("/user/{user}")).access(authz)
 					.anyRequest().denyAll());
 			// @formatter:on
 			return http.build();
@@ -274,10 +276,12 @@ public class AuthorizeRequestsTests {
 			PathPatternParser parser = new PathPatternParser();
 			parser.setCaseSensitive(false);
 			PathPatternRequestMatcher.Builder builder = PathPatternRequestMatcher.withPathPatternParser(parser);
+			WebExpressionAuthorizationManager authz = new WebExpressionAuthorizationManager("#userName == 'user'");
+
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.requestMatchers(builder.matcher("/user/{userName}")).access("#userName == 'user'")
+					.requestMatchers(builder.matcher("/user/{userName}")).access(authz)
 					.anyRequest().denyAll());
 			// @formatter:on
 			return http.build();
@@ -298,7 +302,7 @@ public class AuthorizeRequestsTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("ADMIN"));
 			// @formatter:on
 			return http.build();
@@ -326,7 +330,7 @@ public class AuthorizeRequestsTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/path").denyAll());
 			// @formatter:on
 			return http.build();
@@ -359,7 +363,7 @@ public class AuthorizeRequestsTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.requestMatchers("/path").denyAll()
 				);
 			// @formatter:on
@@ -394,7 +398,7 @@ public class AuthorizeRequestsTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers(spring.matcher("/path")).denyAll());
 			// @formatter:on
 			return http.build();
@@ -428,7 +432,7 @@ public class AuthorizeRequestsTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.requestMatchers(spring.matcher("/path")).denyAll()
 				);
 			// @formatter:on
@@ -459,11 +463,12 @@ public class AuthorizeRequestsTests {
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			WebExpressionAuthorizationManager authz = new WebExpressionAuthorizationManager("#userName == 'user'");
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.requestMatchers("/user/{userName}").access("#userName == 'user'"));
+					.requestMatchers("/user/{userName}").access(authz));
 			// @formatter:on
 			return http.build();
 		}
@@ -492,11 +497,12 @@ public class AuthorizeRequestsTests {
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			WebExpressionAuthorizationManager authz = new WebExpressionAuthorizationManager("#userName == 'user'");
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
-						.requestMatchers("/user/{userName}").access("#userName == 'user'")
+						.requestMatchers("/user/{userName}").access(authz)
 				);
 			// @formatter:on
 			return http.build();
@@ -529,7 +535,7 @@ public class AuthorizeRequestsTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/user").denyAll());
 			// @formatter:on
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java

@@ -204,7 +204,7 @@ public class CorsConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.cors(withDefaults());
 			return http.build();
@@ -222,7 +222,7 @@ public class CorsConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.cors(withDefaults());
 			return http.build();
@@ -251,7 +251,7 @@ public class CorsConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.cors(withDefaults());
@@ -280,7 +280,7 @@ public class CorsConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.cors(withDefaults());
 			return http.build();
@@ -307,7 +307,7 @@ public class CorsConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.cors(withDefaults());
@@ -335,7 +335,7 @@ public class CorsConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.cors(withDefaults());
 			return http.build();
@@ -362,7 +362,7 @@ public class CorsConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.cors(withDefaults());

config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java

@@ -707,7 +707,7 @@ public class CsrfConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin(withDefaults())
 				.csrf((csrf) -> csrf
@@ -733,7 +733,7 @@ public class CsrfConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin(withDefaults())
 				.csrf((csrf) -> csrf
@@ -937,7 +937,7 @@ public class CsrfConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().permitAll())
 				.formLogin(withDefaults())
 				.httpBasic(withDefaults());

config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java

@@ -43,7 +43,7 @@ import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.ExceptionTranslationFilter;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
@@ -121,7 +121,7 @@ public class DefaultFiltersTests {
 		assertThat(classes).contains(SecurityContextHolderAwareRequestFilter.class);
 		assertThat(classes).contains(AnonymousAuthenticationFilter.class);
 		assertThat(classes).contains(ExceptionTranslationFilter.class);
-		assertThat(classes).contains(FilterSecurityInterceptor.class);
+		assertThat(classes).contains(AuthorizationFilter.class);
 	}
 
 	@Test
@@ -190,7 +190,7 @@ public class DefaultFiltersTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"));
 			return http.build();
 			// @formatter:on

config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java

@@ -387,7 +387,7 @@ public class DefaultLoginPageConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin(withDefaults());
 			// @formatter:on
@@ -409,7 +409,7 @@ public class DefaultLoginPageConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.logout((logout) -> logout
 					.logoutSuccessHandler(new SimpleUrlLogoutSuccessHandler()))
@@ -428,7 +428,7 @@ public class DefaultLoginPageConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.logout((logout) -> logout
 					.logoutSuccessUrl("/login?logout"))
@@ -447,7 +447,7 @@ public class DefaultLoginPageConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin(withDefaults())
 				.rememberMe(withDefaults());
@@ -472,7 +472,7 @@ public class DefaultLoginPageConfigurerTests {
 			http
 				.exceptionHandling((handling) -> handling
 					.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")))
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin(withDefaults());
 			return http.build();
@@ -512,7 +512,7 @@ public class DefaultLoginPageConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 					.anyRequest().authenticated()
 				)
 				.formLogin(withDefaults());
@@ -530,7 +530,7 @@ public class DefaultLoginPageConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 							.anyRequest().authenticated()
 					)
 					.formLogin(withDefaults())

config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java

@@ -87,7 +87,7 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll())
 				.exceptionHandling((handling) -> handling
 					.defaultAccessDeniedHandlerFor(
@@ -113,7 +113,7 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().denyAll()
 				)
 				.exceptionHandling((exceptionHandling) -> exceptionHandling
@@ -143,7 +143,7 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll())
 				.exceptionHandling((handling) -> handling
 					.defaultAccessDeniedHandlerFor(

config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerTests.java

@@ -292,7 +292,7 @@ public class ExceptionHandlingConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.httpBasic(withDefaults())
 				.formLogin(withDefaults());
@@ -329,7 +329,7 @@ public class ExceptionHandlingConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.httpBasic(withDefaults())
 				.formLogin(withDefaults());
@@ -349,7 +349,7 @@ public class ExceptionHandlingConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.exceptionHandling((handling) -> handling
 					.authenticationEntryPoint(AEP))

config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurerTests.java

@@ -18,27 +18,30 @@ package org.springframework.security.config.annotation.web.configurers;
 
 import java.io.Serializable;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
+import java.util.function.Supplier;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.ApplicationListener;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.expression.EvaluationContext;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.security.access.PermissionEvaluator;
-import org.springframework.security.access.event.AuthorizedEvent;
-import org.springframework.security.access.expression.SecurityExpressionHandler;
-import org.springframework.security.access.expression.SecurityExpressionOperations;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
-import org.springframework.security.access.vote.AffirmativeBased;
-import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.authentication.RememberMeAuthenticationToken;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationEventPublisher;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
+import org.springframework.security.authorization.event.AuthorizationEvent;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -51,12 +54,13 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
-import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
+import org.springframework.security.web.access.IpAddressAuthorizationManager;
-import org.springframework.security.web.access.expression.WebExpressionVoter;
+import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
+import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
 import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
+import org.springframework.stereotype.Component;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -67,9 +71,6 @@ import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.spy;
-import static org.mockito.Mockito.verify;
 import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
@@ -79,7 +80,7 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 /**
- * Tests for {@link ExpressionUrlAuthorizationConfigurer}
+ * Tests for {@link AuthorizeHttpRequestsConfigurer}
  *
  * @author Rob Winch
  * @author Eleftheria Stein
@@ -98,14 +99,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		assertThatExceptionOfType(BeanCreationException.class)
 			.isThrownBy(() -> this.spring.register(HasRoleStartingWithRoleConfig.class).autowire())
 			.withRootCauseInstanceOf(IllegalArgumentException.class)
-			.withMessageContaining(
+			.withMessageContaining("ROLE_USER should not start with ROLE_");
-					"role should not start with 'ROLE_' since it is automatically inserted. Got 'ROLE_USER'");
-	}
-
-	@Test
-	public void configureWhenNoCustomAccessDecisionManagerThenUsesAffirmativeBased() {
-		this.spring.register(NoSpecificAccessDecisionManagerConfig.class).autowire();
-		verify(NoSpecificAccessDecisionManagerConfig.objectPostProcessor).postProcess(any(AffirmativeBased.class));
 	}
 
 	@Test
@@ -113,7 +107,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		assertThatExceptionOfType(BeanCreationException.class)
 			.isThrownBy(() -> this.spring.register(NoRequestsConfig.class).autowire())
 			.withMessageContaining(
-					"At least one mapping is required (i.e. authorizeRequests().anyRequest().authenticated())");
+					"At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())");
 	}
 
 	@Test
@@ -510,13 +504,6 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
 	}
 
-	// SEC-3011
-	@Test
-	public void configureWhenRegisteringObjectPostProcessorThenInvokedOnAccessDecisionManager() {
-		this.spring.register(Sec3011Config.class).autowire();
-		verify(Sec3011Config.objectPostProcessor).postProcess(any(AccessDecisionManager.class));
-	}
-
 	@Test
 	public void getWhenRegisteringPermissionEvaluatorAndPermissionWithIdAndTypeMatchesThenRespondsWithOk()
 			throws Exception {
@@ -567,7 +554,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("ROLE_USER"));
 			return http.build();
 			// @formatter:on
@@ -575,29 +562,6 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 	}
 
-	@Configuration
-	@EnableWebSecurity
-	static class NoSpecificAccessDecisionManagerConfig {
-
-		static ObjectPostProcessor<Object> objectPostProcessor = spy(ReflectingObjectPostProcessor.class);
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			// @formatter:off
-			http
-				.authorizeRequests((requests) -> requests
-					.anyRequest().hasRole("USER"));
-			return http.build();
-			// @formatter:on
-		}
-
-		@Bean
-		static ObjectPostProcessor<Object> objectPostProcessor() {
-			return objectPostProcessor;
-		}
-
-	}
-
 	@Configuration
 	@EnableWebSecurity
 	static class NoRequestsConfig {
@@ -606,7 +570,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests(withDefaults());
+				.authorizeHttpRequests(withDefaults());
 			return http.build();
 			// @formatter:on
 		}
@@ -622,7 +586,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/a").authenticated()
 					.anyRequest());
 			return http.build();
@@ -640,7 +604,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasAnyAuthority("ROLE_USER"));
 			return http.build();
 			// @formatter:on
@@ -657,7 +621,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasAuthority("ROLE_USER"));
 			return http.build();
 			// @formatter:on
@@ -674,7 +638,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasAnyAuthority("ROLE_USER", "ROLE_ADMIN"));
 			return http.build();
 			// @formatter:on
@@ -690,7 +654,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasAnyRole("USER"));
 			return http.build();
 			// @formatter:on
@@ -706,7 +670,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasAnyRole("USER"));
 			return http.build();
 			// @formatter:on
@@ -727,7 +691,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasAnyRole("USER"));
 			return http.build();
 			// @formatter:on
@@ -748,7 +712,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasAnyRole("USER", "ADMIN"));
 			return http.build();
 			// @formatter:on
@@ -764,7 +728,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasAnyRole("USER", "ADMIN"));
 			return http.build();
 			// @formatter:on
@@ -785,7 +749,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasAnyRole("USER", "ADMIN"));
 			return http.build();
 			// @formatter:on
@@ -807,8 +771,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.anyRequest().hasIpAddress("192.168.1.0"));
+					.anyRequest().access(IpAddressAuthorizationManager.hasIpAddress("192.168.1.0"))
+				);
 			return http.build();
 			// @formatter:on
 		}
@@ -824,7 +789,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().anonymous());
 			return http.build();
 			// @formatter:on
@@ -842,7 +807,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			http
 				.rememberMe(withDefaults())
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().rememberMe());
 			// @formatter:on
 			return http.build();
@@ -864,7 +829,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll());
 			return http.build();
 			// @formatter:on
@@ -881,7 +846,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().not().denyAll());
 			return http.build();
 			// @formatter:on
@@ -899,7 +864,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			http
 				.rememberMe(withDefaults())
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().fullyAuthenticated());
 			return http.build();
 			// @formatter:on
@@ -918,12 +883,13 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			WebExpressionAuthorizationManager authz = new WebExpressionAuthorizationManager(
+					"hasRole('ROLE_USER') or request.method == 'GET'");
 			// @formatter:off
 			http
 				.rememberMe(withDefaults())
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests.anyRequest().access(authz));
-					.anyRequest().access("hasRole('ROLE_USER') or request.method == 'GET'"));
 			return http.build();
 			// @formatter:on
 		}
@@ -944,9 +910,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
-				.authorizeRequests(withDefaults());
+				.authorizeHttpRequests(withDefaults());
 			return http.build();
 			// @formatter:on
 		}
@@ -960,15 +926,10 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			SecurityExpressionHandler<FilterInvocation> handler = new DefaultWebSecurityExpressionHandler();
-			WebExpressionVoter expressionVoter = new WebExpressionVoter();
-			AffirmativeBased adm = new AffirmativeBased(Collections.singletonList(expressionVoter));
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.expressionHandler(handler)
+					.shouldFilterAllDispatcherTypes(false)
-					.accessDecisionManager(adm)
-					.filterSecurityInterceptorOncePerRequest(true)
 					.requestMatchers("/a", "/b").hasRole("ADMIN")
 					.anyRequest().permitAll())
 				.formLogin(withDefaults());
@@ -986,33 +947,31 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
-					.anyRequest().permitAll()
-					.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
-						@Override
-						public <O extends FilterSecurityInterceptor> O postProcess(
-								O fsi) {
-							fsi.setPublishAuthorizationSuccess(true);
-							return fsi;
-						}
-					}));
 			return http.build();
 			// @formatter:on
 		}
 
 		@Bean
-		ApplicationListener<AuthorizedEvent> applicationListener() {
+		AuthorizationEventPublisher publisher(ApplicationEventPublisher publisher) {
+			SpringAuthorizationEventPublisher authzEvents = new SpringAuthorizationEventPublisher(publisher);
+			authzEvents.setShouldPublishResult((result) -> true);
+			return authzEvents;
+		}
+
+		@Bean
+		ApplicationListener<AuthorizationEvent> applicationListener() {
 			return new AuthorizedEventApplicationListener();
 		}
 
 	}
 
-	static class AuthorizedEventApplicationListener implements ApplicationListener<AuthorizedEvent> {
+	static class AuthorizedEventApplicationListener implements ApplicationListener<AuthorizationEvent> {
 
-		static final List<AuthorizedEvent> EVENTS = new ArrayList<>();
+		static final List<AuthorizationEvent> EVENTS = new ArrayList<>();
 
 		@Override
-		public void onApplicationEvent(AuthorizedEvent event) {
+		public void onApplicationEvent(AuthorizationEvent event) {
 			EVENTS.add(event);
 		}
 
@@ -1028,14 +987,22 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 	static class UseBeansInExpressions {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
+			WebExpressionAuthorizationManager user = new WebExpressionAuthorizationManager(
+					"@permission.check(authentication,'user')");
+			DefaultHttpSecurityExpressionHandler expressionHandler = new DefaultHttpSecurityExpressionHandler();
+			expressionHandler.setApplicationContext(context);
+			user.setExpressionHandler(expressionHandler);
+			WebExpressionAuthorizationManager admin = new WebExpressionAuthorizationManager(
+					"@permission.check(authentication,'admin')");
+			admin.setExpressionHandler(expressionHandler);
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin").hasRole("ADMIN")
 					.requestMatchers("/user").hasRole("USER")
-					.requestMatchers("/allow").access("@permission.check(authentication,'user')")
+					.requestMatchers("/allow").access(user)
-					.anyRequest().access("@permission.check(authentication,'admin')"));
+					.anyRequest().access(admin));
 			return http.build();
 			// @formatter:on
 		}
@@ -1062,14 +1029,17 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			WebExpressionAuthorizationManager user = new WebExpressionAuthorizationManager("check('user')");
+			user.setExpressionHandler(expressionHandler());
+			WebExpressionAuthorizationManager admin = new WebExpressionAuthorizationManager("check('admin')");
+			admin.setExpressionHandler(expressionHandler());
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.expressionHandler(expressionHandler())
 					.requestMatchers("/admin").hasRole("ADMIN")
 					.requestMatchers("/user").hasRole("USER")
-					.requestMatchers("/allow").access("check('user')")
+					.requestMatchers("/allow").access(user)
-					.anyRequest().access("check('admin')"));
+					.anyRequest().access(admin));
 			return http.build();
 			// @formatter:on
 		}
@@ -1079,24 +1049,24 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			return new CustomExpressionHandler();
 		}
 
-		static class CustomExpressionHandler extends DefaultWebSecurityExpressionHandler {
+		static class CustomExpressionHandler extends DefaultHttpSecurityExpressionHandler {
 
 			@Override
-			protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
+			public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication,
-					FilterInvocation fi) {
+					RequestAuthorizationContext context) {
-				WebSecurityExpressionRoot root = new CustomExpressionRoot(authentication, fi);
+				StandardEvaluationContext ctx = (StandardEvaluationContext) super.createEvaluationContext(
-				root.setPermissionEvaluator(getPermissionEvaluator());
+						authentication, context);
-				root.setTrustResolver(new AuthenticationTrustResolverImpl());
+				WebSecurityExpressionRoot delegate = (WebSecurityExpressionRoot) ctx.getRootObject().getValue();
-				root.setRoleHierarchy(getRoleHierarchy());
+				ctx.setRootObject(new CustomExpressionRoot(delegate));
-				return root;
+				return ctx;
 			}
 
 		}
 
 		static class CustomExpressionRoot extends WebSecurityExpressionRoot {
 
-			CustomExpressionRoot(Authentication a, FilterInvocation fi) {
+			CustomExpressionRoot(WebSecurityExpressionRoot root) {
-				super(a, fi);
+				super(root::getAuthentication, root.request);
 			}
 
 			public boolean check(String customArg) {
@@ -1108,48 +1078,20 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 	}
 
-	@Configuration(proxyBeanMethods = false)
-	@EnableWebSecurity
-	static class Sec3011Config {
-
-		static ObjectPostProcessor<Object> objectPostProcessor = spy(ReflectingObjectPostProcessor.class);
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			// @formatter:off
-				http
-				.authorizeRequests((requests) -> requests
-					.anyRequest().authenticated());
-			// @formatter:on
-			return http.build();
-		}
-
-		@Bean
-		UserDetailsService userDetailsService() {
-			return new InMemoryUserDetailsManager(PasswordEncodedUser.user());
-		}
-
-		@Bean
-		static ObjectPostProcessor<Object> objectPostProcessor() {
-			return objectPostProcessor;
-		}
-
-	}
-
 	@Configuration
 	@EnableWebSecurity
 	@EnableWebMvc
 	static class PermissionEvaluatorConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, PermissionEvaluatorAuthorizations authz) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.requestMatchers("/allow").access("hasPermission('ID', 'TYPE', 'PERMISSION')")
+					.requestMatchers("/allow").access(authz.hasPermission("TESTOBJ", "PERMISSION"))
-					.requestMatchers("/allowObject").access("hasPermission('TESTOBJ', 'PERMISSION')")
+					.requestMatchers("/allowObject").access(authz.hasPermission("TESTOBJ", "PERMISSION"))
-					.requestMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')")
+					.requestMatchers("/deny").access(authz.hasPermission("ID", "TYPE", "NO PERMISSION"))
-					.requestMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')")
+					.requestMatchers("/denyObject").access(authz.hasPermission("TESTOBJ", "NO PERMISSION"))
 					.anyRequest().permitAll());
 			return http.build();
 			// @formatter:on
@@ -1172,6 +1114,29 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			};
 		}
 
+		@Component
+		static class PermissionEvaluatorAuthorizations {
+
+			private final PermissionEvaluator permissions;
+
+			PermissionEvaluatorAuthorizations(PermissionEvaluator permissions) {
+				this.permissions = permissions;
+			}
+
+			AuthorizationManager<RequestAuthorizationContext> hasPermission(Object targetDomainObject,
+					Object permission) {
+				return (auth, request) -> new AuthorizationDecision(
+						this.permissions.hasPermission(auth.get(), targetDomainObject, permission));
+			}
+
+			AuthorizationManager<RequestAuthorizationContext> hasPermission(Serializable targetId, String targetType,
+					Object permission) {
+				return (auth, request) -> new AuthorizationDecision(
+						this.permissions.hasPermission(auth.get(), targetId, targetType, permission));
+			}
+
+		}
+
 	}
 
 	@Configuration
@@ -1183,9 +1148,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.requestMatchers("/allow").access("hasRole('MEMBER')")
+					.requestMatchers("/allow").hasRole("MEMBER")
-					.requestMatchers("/deny").access("hasRole('ADMIN')")
+					.requestMatchers("/deny").hasRole("ADMIN")
 					.anyRequest().permitAll());
 			return http.build();
 			// @formatter:on

config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java

@@ -430,7 +430,7 @@ public class FormLoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin((login) -> login
 					.loginPage("/login"));
@@ -453,7 +453,7 @@ public class FormLoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("USER")
 				)
 				.formLogin(withDefaults());
@@ -476,7 +476,7 @@ public class FormLoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin((login) -> login
 					.permitAll());
@@ -494,7 +494,7 @@ public class FormLoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin((login) -> login
 					.loginPage("/authenticate")
@@ -515,7 +515,7 @@ public class FormLoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("USER")
 				)
 				.formLogin((formLogin) -> formLogin
@@ -537,7 +537,7 @@ public class FormLoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin((login) -> login
 					.loginProcessingUrl("/loginCheck")
@@ -569,7 +569,7 @@ public class FormLoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.formLogin((formLogin) -> formLogin
@@ -604,7 +604,7 @@ public class FormLoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin((login) -> login
 					.permitAll())
@@ -630,7 +630,7 @@ public class FormLoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin((login) -> login
 					.failureHandler(FAILURE_HANDLER)
@@ -673,7 +673,7 @@ public class FormLoginConfigurerTests {
 			http
 				.csrf((csrf) -> csrf
 					.disable())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin((login) -> login
 					.failureForwardUrl("/failure_forward_url")

config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java

@@ -250,7 +250,7 @@ public class HttpBasicConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.httpBasic(withDefaults());
@@ -273,7 +273,7 @@ public class HttpBasicConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.httpBasic(withDefaults());
 			// @formatter:on
@@ -297,7 +297,7 @@ public class HttpBasicConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.httpBasic((basic) -> basic
 					.authenticationEntryPoint(ENTRY_POINT));
@@ -322,7 +322,7 @@ public class HttpBasicConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.httpBasic((basic) -> basic
 					.authenticationEntryPoint(ENTRY_POINT))

config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java

@@ -167,7 +167,7 @@ public class HttpSecurityRequestMatchersTests {
 					.requestMatchers(builder.matcher("/test-2"))
 					.requestMatchers(builder.matcher("/test-3"))
 				)
-				.authorizeRequests((authorize) -> authorize.anyRequest().denyAll())
+				.authorizeHttpRequests((authorize) -> authorize.anyRequest().denyAll())
 				.httpBasic(withDefaults());
 			// @formatter:on
 			return http.build();
@@ -180,7 +180,7 @@ public class HttpSecurityRequestMatchersTests {
 				.securityMatchers((requests) -> requests
 					.requestMatchers(builder.matcher("/test-1"))
 				)
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 					.anyRequest().permitAll()
 				);
 			// @formatter:on
@@ -213,7 +213,7 @@ public class HttpSecurityRequestMatchersTests {
 					.requestMatchers(builder.matcher("/test-1"))
 					.requestMatchers(builder.matcher("/test-2"))
 					.requestMatchers(builder.matcher("/test-3")))
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll())
 				.httpBasic(withDefaults());
 			// @formatter:on
@@ -226,7 +226,7 @@ public class HttpSecurityRequestMatchersTests {
 			http
 				.securityMatchers((security) -> security
 					.requestMatchers(builder.matcher("/test-1")))
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().permitAll());
 			// @formatter:on
 			return http.build();
@@ -255,7 +255,7 @@ public class HttpSecurityRequestMatchersTests {
 			http
 				.securityMatcher(builder.matcher("/path"))
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll());
 			// @formatter:on
 			return http.build();
@@ -290,7 +290,7 @@ public class HttpSecurityRequestMatchersTests {
 				.securityMatchers((security) -> security
 					.requestMatchers(builder.matcher("/path")))
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll());
 			// @formatter:on
 			return http.build();
@@ -326,7 +326,7 @@ public class HttpSecurityRequestMatchersTests {
 						.requestMatchers(builder.matcher("/path"))
 				)
 				.httpBasic(withDefaults())
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().denyAll()
 				);
 			return http.build();
@@ -358,7 +358,7 @@ public class HttpSecurityRequestMatchersTests {
 					.requestMatchers(builder.basePath("/spring").matcher("/path"))
 					.requestMatchers("/never-match"))
 				.httpBasic(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll());
 			// @formatter:on
 			return http.build();
@@ -395,7 +395,7 @@ public class HttpSecurityRequestMatchersTests {
 						.requestMatchers("/never-match")
 				)
 				.httpBasic(withDefaults())
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().denyAll()
 				);
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java

@@ -209,7 +209,7 @@ public class JeeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("USER")
 				)
 				.jee((jee) -> jee
@@ -229,7 +229,7 @@ public class JeeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("USER")
 				)
 				.jee((jee) -> jee
@@ -252,7 +252,7 @@ public class JeeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("USER")
 				)
 				.jee((jee) -> jee

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpAnonymousTests.java

@@ -99,7 +99,7 @@ public class NamespaceHttpAnonymousTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/type").anonymous()
 					.anyRequest().denyAll());
 			return http.build();
@@ -116,8 +116,7 @@ public class NamespaceHttpAnonymousTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests.anyRequest().anonymous())
-					.anyRequest().permitAll())
 				.anonymous((anonymous) -> anonymous.disable());
 			// @formatter:on
 			return http.build();
@@ -139,7 +138,7 @@ public class NamespaceHttpAnonymousTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/type").hasRole("ANON")
 					.anyRequest().denyAll())
 				.anonymous((anonymous) -> anonymous
@@ -159,7 +158,7 @@ public class NamespaceHttpAnonymousTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/key").anonymous()
 					.anyRequest().denyAll())
 				.anonymous((anonymous) -> anonymous.key("AnonymousKeyConfig"));
@@ -178,7 +177,7 @@ public class NamespaceHttpAnonymousTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/principal").anonymous()
 					.anyRequest().denyAll())
 				.anonymous((anonymous) -> anonymous.principal("AnonymousUsernameConfig"));

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java

@@ -183,7 +183,7 @@ public class NamespaceHttpBasicTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.httpBasic(withDefaults());
 			return http.build();
@@ -200,7 +200,7 @@ public class NamespaceHttpBasicTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("USER")
 				)
 				.httpBasic(withDefaults());
@@ -218,7 +218,7 @@ public class NamespaceHttpBasicTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.httpBasic((basic) -> basic.realmName("Custom Realm"));
 			return http.build();
@@ -235,7 +235,7 @@ public class NamespaceHttpBasicTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("USER")
 				)
 				.httpBasic((httpBasicConfig) -> httpBasicConfig.realmName("Custom Realm"));
@@ -302,7 +302,7 @@ public class NamespaceHttpBasicTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.httpBasic((basic) -> basic
 					.authenticationEntryPoint(this.authenticationEntryPoint));
@@ -322,7 +322,7 @@ public class NamespaceHttpBasicTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("USER")
 				)
 				.httpBasic((httpBasicConfig) -> httpBasicConfig.authenticationEntryPoint(this.authenticationEntryPoint));

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpCustomFilterTests.java

@@ -182,7 +182,7 @@ public class NamespaceHttpCustomFilterTests {
 			// @formatter:off
 			TestHttpSecurities.disableDefaults(http);
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.addFilterBefore(new CustomFilter(), UsernamePasswordAuthenticationFilter.class);
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpExpressionHandlerTests.java

@@ -37,7 +37,8 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
+import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
+import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -94,18 +95,29 @@ public class NamespaceHttpExpressionHandlerTests {
 		}
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, WebExpressionAuthorizationManager.Builder authz)
-			DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
+				throws Exception {
-			handler.setExpressionParser(expressionParser());
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.expressionHandler(handler)
+					.anyRequest().access(authz.expression("hasRole('USER')"))
-					.anyRequest().access("hasRole('USER')"));
+				);
 			// @formatter:on
 			return http.build();
 		}
 
+		@Bean
+		WebExpressionAuthorizationManager.Builder expressions(DefaultHttpSecurityExpressionHandler expressionHandler) {
+			return WebExpressionAuthorizationManager.withExpressionHandler(expressionHandler);
+		}
+
+		@Bean
+		DefaultHttpSecurityExpressionHandler expressionHandler(ExpressionParser expressionParser) {
+			DefaultHttpSecurityExpressionHandler expressionHandler = new DefaultHttpSecurityExpressionHandler();
+			expressionHandler.setExpressionParser(expressionParser);
+			return expressionHandler;
+		}
+
 		@Bean
 		ExpressionParser expressionParser() {
 			return spy(new SpelExpressionParser());

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java

@@ -125,7 +125,7 @@ public class NamespaceHttpFormLoginTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin(withDefaults());
 			return http.build();
@@ -143,7 +143,7 @@ public class NamespaceHttpFormLoginTests {
 			boolean alwaysUseDefaultSuccess = true;
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin((login) -> login
 					.usernameParameter("username") // form-login@username-parameter
@@ -168,7 +168,7 @@ public class NamespaceHttpFormLoginTests {
 			successHandler.setDefaultTargetUrl("/custom/targetUrl");
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin((login) -> login
 					.loginPage("/login")

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpInterceptUrlTests.java

@@ -118,7 +118,7 @@ public class NamespaceHttpInterceptUrlTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests.requestMatchers(
+				.authorizeHttpRequests((requests) -> requests.requestMatchers(
 					// the line below is similar to intercept-url@pattern:
 					//    <intercept-url pattern="/users**" access="hasRole('ROLE_ADMIN')"/>
 					//" access="hasRole('ROLE_ADMIN')"/>

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpJeeTests.java

@@ -104,7 +104,7 @@ public class NamespaceHttpJeeTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("user"))
 				.jee((jee) -> jee
 					.mappableRoles("user", "admin"));
@@ -125,7 +125,7 @@ public class NamespaceHttpJeeTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("user"))
 				.jee((jee) -> jee
 					.mappableAuthorities("ROLE_user", "ROLE_admin")

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpPortMappingsTests.java

@@ -70,7 +70,7 @@ public class NamespaceHttpPortMappingsTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.portMapper((mapper) -> mapper
 					.http(9080).mapsTo(9443))

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpRequestCacheTests.java

@@ -88,7 +88,7 @@ public class NamespaceHttpRequestCacheTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.requestCache((cache) -> cache
 					.requestCache(requestCache()));
@@ -116,7 +116,7 @@ public class NamespaceHttpRequestCacheTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated());
 			// @formatter:on
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java

@@ -112,7 +112,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll())
 				.exceptionHandling((handling) -> handling
 					.accessDeniedPage("/AccessDeniedPageConfig"));
@@ -130,7 +130,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().denyAll()
 				)
 				.exceptionHandling((exceptionHandling) -> exceptionHandling.accessDeniedPage("/AccessDeniedPageConfig")
@@ -149,7 +149,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll())
 				.exceptionHandling((handling) -> handling
 					.accessDeniedHandler(accessDeniedHandler()));
@@ -174,7 +174,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().denyAll()
 				)
 				.exceptionHandling((exceptionHandling) -> exceptionHandling.accessDeniedHandler(accessDeniedHandler())

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpX509Tests.java

@@ -154,7 +154,7 @@ public class NamespaceHttpX509Tests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.x509(withDefaults());
 			// @formatter:on
@@ -182,7 +182,7 @@ public class NamespaceHttpX509Tests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.x509((x509) -> x509
 					.authenticationDetailsSource(authenticationDetailsSource()));
@@ -216,7 +216,7 @@ public class NamespaceHttpX509Tests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.x509((x509) -> x509
 					.subjectPrincipalRegex("CN=(.*?)@example.com(?:,|$)"));
@@ -245,7 +245,7 @@ public class NamespaceHttpX509Tests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.x509((x509) -> x509
 					.x509PrincipalExtractor(this::extractCommonName));
@@ -279,7 +279,7 @@ public class NamespaceHttpX509Tests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.x509((x509) -> x509
 					.userDetailsService((username) -> USER));
@@ -308,7 +308,7 @@ public class NamespaceHttpX509Tests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.x509((x509) -> x509
 					.authenticationUserDetailsService((authentication) -> USER));

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.java

@@ -287,7 +287,7 @@ public class NamespaceRememberMeTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin(withDefaults())
 				.rememberMe(withDefaults());
@@ -362,7 +362,7 @@ public class NamespaceRememberMeTests {
 		SecurityFilterChain keyFilterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin(withDefaults())
 				.rememberMe((me) -> me
@@ -402,7 +402,7 @@ public class NamespaceRememberMeTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin(withDefaults())
 				.rememberMe((me) -> me

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.java

@@ -288,7 +288,7 @@ public class NamespaceSessionManagementTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.httpBasic(withDefaults())
 				.sessionManagement((management) -> management

config/src/test/java/org/springframework/security/config/annotation/web/configurers/PermitAllSupportTests.java

@@ -84,14 +84,6 @@ public class PermitAllSupportTests {
 					"permitAll only works with either HttpSecurity.authorizeRequests() or HttpSecurity.authorizeHttpRequests()");
 	}
 
-	@Test
-	public void configureWhenBothAuthorizeRequestsAndAuthorizeHttpRequestsThenException() {
-		assertThatExceptionOfType(BeanCreationException.class)
-			.isThrownBy(() -> this.spring.register(PermitAllConfigWithBothConfigs.class).autowire())
-			.withMessageContaining(
-					"permitAll only works with either HttpSecurity.authorizeRequests() or HttpSecurity.authorizeHttpRequests()");
-	}
-
 	@Configuration
 	@EnableWebSecurity
 	static class PermitAllConfig {
@@ -100,7 +92,7 @@ public class PermitAllSupportTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin((login) -> login
 					.loginPage("/xyz").permitAll()
@@ -130,27 +122,6 @@ public class PermitAllSupportTests {
 
 	}
 
-	@Configuration
-	@EnableWebSecurity
-	static class PermitAllConfigWithBothConfigs {
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			// @formatter:off
-			http
-				.authorizeRequests((requests) -> requests
-					.anyRequest().authenticated())
-				.authorizeHttpRequests((authorize) -> authorize
-					.anyRequest().authenticated())
-				.formLogin((login) -> login
-					.loginPage("/xyz").permitAll()
-					.loginProcessingUrl("/abc?def").permitAll());
-			return http.build();
-			// @formatter:on
-		}
-
-	}
-
 	@Configuration
 	@EnableWebSecurity
 	static class NoAuthorizedUrlsConfig {

config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java

@@ -365,7 +365,7 @@ public class RememberMeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin(withDefaults())
 				.rememberMe(withDefaults());
@@ -485,7 +485,7 @@ public class RememberMeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin(withDefaults())
 				.rememberMe(withDefaults());
@@ -508,7 +508,7 @@ public class RememberMeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("USER")
 				)
 				.formLogin(withDefaults())
@@ -532,7 +532,7 @@ public class RememberMeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin(withDefaults())
 				.rememberMe((me) -> me
@@ -556,7 +556,7 @@ public class RememberMeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().hasRole("USER")
 				)
 				.formLogin(withDefaults())
@@ -584,7 +584,7 @@ public class RememberMeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin(withDefaults())
 				.rememberMe((me) -> me
@@ -614,7 +614,7 @@ public class RememberMeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.formLogin(withDefaults())
 				.rememberMe((me) -> me
@@ -633,7 +633,7 @@ public class RememberMeConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests((authorize) -> authorize
+					.authorizeHttpRequests((authorize) -> authorize
 									.anyRequest().hasRole("USER")
 					)
 					.sessionManagement((sessionManagement) -> sessionManagement

config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java

@@ -392,7 +392,7 @@ public class RequestCacheConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin(withDefaults());
 			return http.build();
@@ -428,7 +428,7 @@ public class RequestCacheConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.formLogin(withDefaults())
@@ -447,7 +447,7 @@ public class RequestCacheConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.formLogin(withDefaults())
@@ -466,7 +466,7 @@ public class RequestCacheConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.formLogin(withDefaults())

config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestMatcherConfigurerTests.java

@@ -82,7 +82,7 @@ public class RequestMatcherConfigurerTests {
 					.requestMatchers(pathPattern("/api/**")))
 				.securityMatchers((security) -> security
 					.requestMatchers(pathPattern("/oauth/**")))
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll());
 			return http.build();
 			// @formatter:on
@@ -104,7 +104,7 @@ public class RequestMatcherConfigurerTests {
 				.securityMatchers((securityMatchers) -> securityMatchers
 						.requestMatchers(pathPattern("/oauth/**"))
 				)
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().denyAll()
 				);
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java

@@ -204,7 +204,7 @@ public class SecurityContextConfigurerTests {
 				.addFilter(new WebAsyncManagerIntegrationFilter())
 				.anonymous(withDefaults())
 				.securityContext(withDefaults())
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().permitAll())
 				.httpBasic(withDefaults());
 			// @formatter:on

config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java

@@ -285,7 +285,7 @@ public class ServletApiConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.exceptionHandling((handling) -> handling
 					.authenticationEntryPoint(ENTRYPOINT))

config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationsTests.java

@@ -16,31 +16,23 @@
 
 package org.springframework.security.config.annotation.web.configurers;
 
-import java.util.List;
-
-import jakarta.servlet.Filter;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.access.vote.AffirmativeBased;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
 import org.springframework.security.test.context.support.WithMockUser;
-import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
-import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -97,7 +89,7 @@ public class UrlAuthorizationsTests {
 	@WithMockUser(roles = "ADMIN")
 	public void hasAnyRoleWhenRolesSpecifiedThenMatchesRole() throws Exception {
 		this.spring.register(RoleConfig.class).autowire();
-		this.mvc.perform(get("/role-admin-user")).andExpect(status().isNotFound());
+		this.mvc.perform(get("/role-admin-user")).andExpect(status().isForbidden());
 		this.mvc.perform(get("/role-user")).andExpect(status().isForbidden());
 	}
 
@@ -113,25 +105,6 @@ public class UrlAuthorizationsTests {
 		// @formatter:on
 	}
 
-	@Test
-	public void configureWhenNoAccessDecisionManagerThenDefaultsToAffirmativeBased() {
-		this.spring.register(NoSpecificAccessDecisionManagerConfig.class).autowire();
-		FilterSecurityInterceptor interceptor = getFilter(FilterSecurityInterceptor.class);
-		assertThat(interceptor).isNotNull();
-		assertThat(interceptor).extracting("accessDecisionManager").isInstanceOf(AffirmativeBased.class);
-	}
-
-	private <T extends Filter> T getFilter(Class<T> filterType) {
-		FilterChainProxy proxy = this.spring.getContext().getBean(FilterChainProxy.class);
-		List<Filter> filters = proxy.getFilters("/");
-		for (Filter filter : filters) {
-			if (filterType.isAssignableFrom(filter.getClass())) {
-				return (T) filter;
-			}
-		}
-		return null;
-	}
-
 	@Configuration
 	@EnableWebSecurity
 	@EnableWebMvc
@@ -141,7 +114,7 @@ public class UrlAuthorizationsTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/role-user-authority").hasAnyAuthority("ROLE_USER")
 					.requestMatchers("/role-admin-authority").hasAnyAuthority("ROLE_ADMIN")
 					.requestMatchers("/role-user-admin-authority").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
@@ -154,24 +127,4 @@ public class UrlAuthorizationsTests {
 
 	}
 
-	@Configuration
-	@EnableWebSecurity
-	@EnableWebMvc
-	static class NoSpecificAccessDecisionManagerConfig {
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
-			UrlAuthorizationConfigurer<HttpSecurity>.StandardInterceptUrlRegistry registry = http
-				.apply(new UrlAuthorizationConfigurer(context))
-				.getRegistry();
-			// @formatter:off
-			registry
-					.requestMatchers("/a").hasRole("ADMIN")
-					.anyRequest().hasRole("USER");
-			return http.build();
-			// @formatter:on
-		}
-
-	}
-
 }

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java

@@ -354,7 +354,7 @@ public class OAuth2ClientConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.requestCache((cache) -> cache
 					.requestCache(requestCache))
@@ -399,7 +399,7 @@ public class OAuth2ClientConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.oauth2Client(withDefaults());

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java

@@ -900,7 +900,7 @@ public class OAuth2LoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.securityContext((context) -> context
 					.securityContextRepository(securityContextRepository()))
@@ -1353,7 +1353,7 @@ public class OAuth2LoginConfigurerTests {
 		SecurityFilterChain configureFilterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.securityContext((context) -> context
 					.securityContextRepository(securityContextRepository()))

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -1581,8 +1581,8 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
+					.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt(Customizer.withDefaults()));
@@ -1601,8 +1601,8 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
-						.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
+						.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 						.anyRequest().authenticated()
 				)
 				.oauth2ResourceServer((oauth2) -> oauth2
@@ -1628,8 +1628,8 @@ public class OAuth2ResourceServerConfigurerTests {
 			DefaultBearerTokenResolver defaultBearerTokenResolver = new DefaultBearerTokenResolver();
 			defaultBearerTokenResolver.setAllowUriQueryParameter(true);
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
+					.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.bearerTokenResolver(defaultBearerTokenResolver)
@@ -1652,8 +1652,8 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
-						.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
+						.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 						.anyRequest().authenticated()
 				)
 				.oauth2ResourceServer((oauth2) -> oauth2
@@ -1679,8 +1679,8 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
+					.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 					.anyRequest().authenticated())
 				.csrf((csrf) -> csrf.disable())
 				.oauth2ResourceServer((server) -> server
@@ -1699,7 +1699,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.anonymous((anonymous) -> anonymous.disable())
 				.oauth2ResourceServer((server) -> server
@@ -1719,7 +1719,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt(Customizer.withDefaults()));
@@ -1737,7 +1737,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer(withDefaults());
 			return http.build();
@@ -1754,7 +1754,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.authenticationEntryPoint(authenticationEntryPoint())
@@ -1779,7 +1779,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll())
 				.oauth2ResourceServer((server) -> server
 					.accessDeniedHandler(accessDeniedHandler())
@@ -1804,7 +1804,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().denyAll())
 				.exceptionHandling((handling) -> handling
 					.defaultAccessDeniedHandlerFor(new AccessDeniedHandlerImpl(), (request) -> false))
@@ -1839,7 +1839,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt((jwt) -> jwt
@@ -1863,8 +1863,8 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
-					.requestMatchers("/requires-read-scope").access("hasAuthority('message:read')"))
+					.requestMatchers("/requires-read-scope").hasAuthority("message:read"))
 				.oauth2ResourceServer((server) -> server
 					.jwt((jwt) -> jwt
 						.jwtAuthenticationConverter(getJwtAuthenticationConverter())));
@@ -1889,7 +1889,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.httpBasic(withDefaults())
 				.oauth2ResourceServer((server) -> server
@@ -1920,7 +1920,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin(withDefaults())
 				.oauth2ResourceServer((server) -> server
@@ -1939,7 +1939,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authz) -> authz
+				.authorizeHttpRequests((authz) -> authz
 					.anyRequest().authenticated()
 				)
 				.oauth2Login(withDefaults())
@@ -1964,7 +1964,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt(Customizer.withDefaults()));
@@ -2000,7 +2000,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.bearerTokenResolver(allowRequestBody())
@@ -2025,7 +2025,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt(Customizer.withDefaults()));
@@ -2050,7 +2050,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt(Customizer.withDefaults()));
@@ -2085,7 +2085,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain web(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 					.anyRequest().authenticated()
 				)
 				.oauth2ResourceServer((oauth2) -> oauth2
@@ -2117,7 +2117,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt((jwt) -> jwt.decoder(decoder())));
@@ -2141,7 +2141,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.oauth2ResourceServer((oauth2) -> oauth2
@@ -2167,7 +2167,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt(Customizer.withDefaults()));
@@ -2190,7 +2190,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt((jwt) -> jwt
@@ -2219,7 +2219,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			// @formatter:off
 			http
 					.authenticationManager(this.defaultAuthenticationManager)
-					.authorizeRequests((authz) -> authz
+					.authorizeHttpRequests((authz) -> authz
 							.anyRequest().authenticated()
 					)
 					.oauth2ResourceServer((oauth2) -> oauth2
@@ -2328,7 +2328,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt(Customizer.withDefaults()));
@@ -2353,7 +2353,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt(Customizer.withDefaults()));
@@ -2382,7 +2382,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
@@ -2402,7 +2402,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 						.anyRequest().authenticated()
 				)
@@ -2423,7 +2423,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.opaqueToken((opaqueToken) -> opaqueToken
@@ -2447,7 +2447,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.oauth2ResourceServer((oauth2) -> oauth2
@@ -2479,7 +2479,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			// @formatter:off
 			http
 					.authenticationManager(this.defaultAuthenticationManager)
-					.authorizeRequests((authz) -> authz
+					.authorizeHttpRequests((authz) -> authz
 							.anyRequest().authenticated()
 					)
 					.oauth2ResourceServer((oauth2) -> oauth2
@@ -2526,7 +2526,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.opaqueToken((opaqueToken) -> opaqueToken
@@ -2545,7 +2545,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.jwt(Customizer.withDefaults()));
@@ -2605,7 +2605,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
 					.authenticationManagerResolver(mock(AuthenticationManagerResolver.class))
@@ -2625,7 +2625,7 @@ public class OAuth2ResourceServerConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server

config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java

@@ -520,7 +520,7 @@ public class Saml2LoginConfigurerTests {
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			http.authorizeRequests((authz) -> authz.anyRequest().authenticated())
+			http.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
 				.saml2Login((saml2) -> saml2.failureHandler(authenticationFailureHandler));
 			return http.build();
 		}
@@ -536,7 +536,7 @@ public class Saml2LoginConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authz) -> authz
+				.authorizeHttpRequests((authz) -> authz
 					.anyRequest().authenticated()
 				)
 				.saml2Login(Customizer.withDefaults());
@@ -574,7 +574,7 @@ public class Saml2LoginConfigurerTests {
 				throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests((authz) -> authz
+					.authorizeHttpRequests((authz) -> authz
 						.anyRequest().authenticated()
 					)
 					.saml2Login((saml2) -> saml2
@@ -612,7 +612,7 @@ public class Saml2LoginConfigurerTests {
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			http.authorizeRequests((authz) -> authz.anyRequest().authenticated())
+			http.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
 				.saml2Login((saml2) -> saml2.authenticationConverter(authenticationConverter));
 			return http.build();
 		}
@@ -651,7 +651,7 @@ public class Saml2LoginConfigurerTests {
 
 		@Bean
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-			http.authorizeRequests((authz) -> authz.anyRequest().authenticated());
+			http.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated());
 			http.saml2Login(withDefaults());
 			return http.build();
 		}
@@ -672,7 +672,7 @@ public class Saml2LoginConfigurerTests {
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authz) -> authz.anyRequest().authenticated())
+				.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
 				.saml2Login((saml2) -> saml2.loginProcessingUrl("/my/custom/url"));
 			// @formatter:on
 			return http.build();
@@ -697,7 +697,7 @@ public class Saml2LoginConfigurerTests {
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authz) -> authz.anyRequest().authenticated())
+				.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
 				.saml2Login((saml2) -> saml2.authenticationRequestUri("/custom/auth/{registrationId}"));
 			// @formatter:on
 			return http.build();
@@ -731,7 +731,7 @@ public class Saml2LoginConfigurerTests {
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests((authz) -> authz.anyRequest().authenticated())
+					.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
 					.saml2Login((saml2) -> saml2
 						.loginProcessingUrl("/my/custom/url")
 						.authenticationConverter(AUTHENTICATION_CONVERTER)
@@ -754,7 +754,7 @@ public class Saml2LoginConfigurerTests {
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests((authz) -> authz.anyRequest().authenticated())
+					.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
 					.saml2Login((saml2) -> saml2.loginProcessingUrl("/my/custom/url"));
 			// @formatter:on
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurerTests.java

@@ -562,7 +562,7 @@ public class Saml2LogoutConfigurerTests {
 		SecurityFilterChain web(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
+				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
 				.logout((logout) -> logout.addLogoutHandler(this.mockLogoutHandler))
 				.saml2Login(withDefaults())
 				.saml2Logout(withDefaults());
@@ -588,7 +588,7 @@ public class Saml2LogoutConfigurerTests {
 		SecurityFilterChain web(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
+				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
 				.logout((logout) -> logout.logoutSuccessHandler(this.mockLogoutSuccessHandler))
 				.saml2Login(withDefaults())
 				.saml2Logout(withDefaults())
@@ -615,7 +615,7 @@ public class Saml2LogoutConfigurerTests {
 		SecurityFilterChain web(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
+				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
 				.logout((logout) -> logout.addLogoutHandler(this.mockLogoutHandler))
 				.saml2Login(withDefaults())
 				.saml2Logout((saml2) -> saml2.addObjectPostProcessor(new ObjectPostProcessor<LogoutFilter>() {
@@ -647,7 +647,7 @@ public class Saml2LogoutConfigurerTests {
 		SecurityFilterChain web(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
+				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
 				.saml2Login(withDefaults())
 				.saml2Logout(withDefaults());
 			return http.build();
@@ -680,7 +680,7 @@ public class Saml2LogoutConfigurerTests {
 		SecurityFilterChain web(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
+				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
 				.saml2Login(withDefaults())
 				.saml2Logout((logout) -> logout
 					.logoutRequest((request) -> request

config/src/test/java/org/springframework/security/config/core/GrantedAuthorityDefaultsJcTests.java

@@ -165,8 +165,7 @@ public class GrantedAuthorityDefaultsJcTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("USER"));
-					.anyRequest().access("hasRole('USER')"));
 			return http.build();
 			// @formatter:on
 		}

config/src/test/java/org/springframework/security/config/http/customconfigurer/CustomConfigurer.java

@@ -44,7 +44,7 @@ public class CustomConfigurer extends SecurityConfigurerAdapter<DefaultSecurityF
 		context.getAutowireCapableBeanFactory().autowireBean(this);
 		// @formatter:off
 		http
-			.authorizeRequests((requests) -> requests
+			.authorizeHttpRequests((requests) -> requests
 				.requestMatchers(pathPattern(this.permitAllPattern)).permitAll()
 				.anyRequest().authenticated());
 		// @formatter:on

config/src/test/kotlin/org/springframework/security/config/annotation/web/AnonymousDslTests.kt

@@ -145,7 +145,7 @@ class AnonymousDslTests {
                 anonymous {
                     authorities = listOf(SimpleGrantedAuthority("TEST"))
                 }
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, hasAuthority("TEST"))
                 }
             }

config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt

@@ -57,8 +57,6 @@ import org.springframework.web.bind.annotation.PathVariable
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.servlet.config.annotation.EnableWebMvc
-import org.springframework.web.servlet.config.annotation.PathMatchConfigurer
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer
 import org.springframework.web.util.WebUtils
 import java.util.function.Supplier
 
@@ -611,34 +609,6 @@ class AuthorizeHttpRequestsDslTests {
         }
     }
 
-    @Test
-    fun `request when both authorizeRequests and authorizeHttpRequests configured then exception`() {
-        assertThatThrownBy { this.spring.register(BothAuthorizeRequestsConfig::class.java).autowire() }
-            .isInstanceOf(UnsatisfiedDependencyException::class.java)
-            .hasRootCauseInstanceOf(IllegalStateException::class.java)
-            .hasMessageContaining(
-                "authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one."
-            )
-    }
-
-    @Configuration
-    @EnableWebSecurity
-    @EnableWebMvc
-    open class BothAuthorizeRequestsConfig {
-        @Bean
-        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
-            http {
-                authorizeRequests {
-                    authorize(anyRequest, permitAll)
-                }
-                authorizeHttpRequests {
-                    authorize(anyRequest, denyAll)
-                }
-            }
-            return http.build()
-        }
-    }
-
     @Test
     fun `request when shouldFilterAllDispatcherTypes and denyAll and ERROR then responds with forbidden`() {
         this.spring.register(ShouldFilterAllDispatcherTypesTrueDenyAllConfig::class.java).autowire()

config/src/test/kotlin/org/springframework/security/config/annotation/web/ExceptionHandlingDslTests.kt

@@ -67,7 +67,7 @@ class ExceptionHandlingDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 exceptionHandling { }
@@ -91,7 +91,7 @@ class ExceptionHandlingDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 exceptionHandling {
@@ -121,7 +121,7 @@ class ExceptionHandlingDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize("/admin", hasAuthority("ROLE_ADMIN"))
                     authorize(anyRequest, authenticated)
                 }
@@ -154,7 +154,7 @@ class ExceptionHandlingDslTests {
             val customAccessDeniedHandler = AccessDeniedHandlerImpl()
             customAccessDeniedHandler.setErrorPage("/access-denied")
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize("/admin", hasAuthority("ROLE_ADMIN"))
                     authorize(anyRequest, authenticated)
                 }
@@ -197,7 +197,7 @@ class ExceptionHandlingDslTests {
             customAccessDeniedHandler2.setErrorPage("/access-denied2")
             val builder = PathPatternRequestMatcher.withDefaults()
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize("/admin1", hasAuthority("ROLE_ADMIN"))
                     authorize("/admin2", hasAuthority("ROLE_ADMIN"))
                     authorize(anyRequest, authenticated)
@@ -229,7 +229,7 @@ class ExceptionHandlingDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 exceptionHandling {
@@ -267,7 +267,7 @@ class ExceptionHandlingDslTests {
             val customAuthenticationEntryPoint2 = LoginUrlAuthenticationEntryPoint("/custom-login2")
             val builder = PathPatternRequestMatcher.withDefaults();
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 exceptionHandling {

config/src/test/kotlin/org/springframework/security/config/annotation/web/FormLoginDslTests.kt

@@ -156,7 +156,7 @@ class FormLoginDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 formLogin {}
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -184,7 +184,7 @@ class FormLoginDslTests {
                 formLogin {
                     loginPage = "/log-in"
                 }
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -356,7 +356,7 @@ class FormLoginDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 formLogin {

config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpBasicDslTests.kt

@@ -94,7 +94,7 @@ class HttpBasicDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 httpBasic {}
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -121,7 +121,7 @@ class HttpBasicDslTests {
                 httpBasic {
                     realmName = "Custom Realm"
                 }
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -154,7 +154,7 @@ class HttpBasicDslTests {
                 httpBasic {
                     authenticationEntryPoint = ENTRY_POINT
                 }
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -193,7 +193,7 @@ class HttpBasicDslTests {
                 httpBasic {
                     authenticationDetailsSource = AUTHENTICATION_DETAILS_SOURCE
                 }
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }

config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt

@@ -168,7 +168,7 @@ class HttpSecurityDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 securityMatcher(RegexRequestMatcher("/path", null))
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -227,7 +227,7 @@ class HttpSecurityDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 securityMatcher("/path")
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -284,7 +284,7 @@ class HttpSecurityDslTests {
             http {
                 securityMatcher("/path1")
                 securityMatcher(RegexRequestMatcher("/path2", null))
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -337,7 +337,7 @@ class HttpSecurityDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 authenticationManager = AuthenticationManagerConfig.AUTHENTICATION_MANAGER
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 httpBasic { }

config/src/test/kotlin/org/springframework/security/config/annotation/web/LogoutDslTests.kt

@@ -179,7 +179,7 @@ class LogoutDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 logout {

config/src/test/kotlin/org/springframework/security/config/annotation/web/OAuth2ClientDslTests.kt

@@ -142,7 +142,7 @@ class OAuth2ClientDslTests {
                         accessTokenResponseClient = CLIENT
                     }
                 }
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }

config/src/test/kotlin/org/springframework/security/config/annotation/web/OAuth2ResourceServerDslTests.kt

@@ -91,7 +91,7 @@ class OAuth2ResourceServerDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {
@@ -131,7 +131,7 @@ class OAuth2ResourceServerDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {
@@ -187,7 +187,7 @@ class OAuth2ResourceServerDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, denyAll)
                 }
                 oauth2ResourceServer {
@@ -229,7 +229,7 @@ class OAuth2ResourceServerDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {
@@ -261,7 +261,7 @@ class OAuth2ResourceServerDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {

config/src/test/kotlin/org/springframework/security/config/annotation/web/RememberMeDslTests.kt

@@ -16,11 +16,7 @@
 
 package org.springframework.security.config.annotation.web
 
-import io.mockk.every
+import io.mockk.*
-import io.mockk.justRun
-import io.mockk.mockk
-import io.mockk.mockkObject
-import io.mockk.verify
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.api.Test
 import org.junit.jupiter.api.fail
@@ -396,7 +392,7 @@ internal class RememberMeDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, hasRole("USER"))
                 }
                 formLogin {}
@@ -412,7 +408,7 @@ internal class RememberMeDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, hasRole("USER"))
                 }
                 formLogin {}
@@ -483,7 +479,7 @@ internal class RememberMeDslTests {
         @Bean
         open fun securityFilterChainWithKey(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 formLogin {}

config/src/test/kotlin/org/springframework/security/config/annotation/web/SessionManagementDslTests.kt

@@ -16,11 +16,7 @@
 
 package org.springframework.security.config.annotation.web
 
-import io.mockk.every
+import io.mockk.*
-import io.mockk.justRun
-import io.mockk.mockk
-import io.mockk.mockkObject
-import io.mockk.verify
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.api.Test
 import org.junit.jupiter.api.extension.ExtendWith
@@ -137,7 +133,7 @@ class SessionManagementDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 sessionManagement {
@@ -169,7 +165,7 @@ class SessionManagementDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 sessionManagement {
@@ -196,7 +192,7 @@ class SessionManagementDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 sessionManagement {
@@ -235,7 +231,7 @@ class SessionManagementDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 sessionManagement {

config/src/test/kotlin/org/springframework/security/config/annotation/web/oauth2/client/AuthorizationCodeGrantDslTests.kt

@@ -99,7 +99,7 @@ class AuthorizationCodeGrantDslTests {
                         authorizationRequestRepository = REQUEST_REPOSITORY
                     }
                 }
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -133,7 +133,7 @@ class AuthorizationCodeGrantDslTests {
                         authorizationRedirectStrategy = REDIRECT_STRATEGY
                     }
                 }
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -187,7 +187,7 @@ class AuthorizationCodeGrantDslTests {
                         accessTokenResponseClient = CLIENT
                     }
                 }
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }
@@ -226,7 +226,7 @@ class AuthorizationCodeGrantDslTests {
                         authorizationRequestResolver = requestResolver
                     }
                 }
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
             }

config/src/test/kotlin/org/springframework/security/config/annotation/web/oauth2/login/RedirectionEndpointDslTests.kt

@@ -117,7 +117,7 @@ class RedirectionEndpointDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2Login {

config/src/test/kotlin/org/springframework/security/config/annotation/web/oauth2/login/TokenEndpointDslTests.kt

@@ -107,7 +107,7 @@ class TokenEndpointDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2Login {

config/src/test/kotlin/org/springframework/security/config/annotation/web/oauth2/login/UserInfoEndpointDslTests.kt

@@ -27,10 +27,10 @@ import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
+import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.config.oauth2.client.CommonOAuth2Provider
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.core.authority.SimpleGrantedAuthority
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest
@@ -114,7 +114,7 @@ class UserInfoEndpointDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2Login {

config/src/test/kotlin/org/springframework/security/config/annotation/web/oauth2/resourceserver/JwtDslTests.kt

@@ -26,16 +26,12 @@ import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.core.convert.converter.Converter
-import org.springframework.security.authentication.AbstractAuthenticationToken
+import org.springframework.security.authentication.*
-import org.springframework.security.authentication.AuthenticationManager
-import org.springframework.security.authentication.ProviderManager
-import org.springframework.security.authentication.TestingAuthenticationProvider
-import org.springframework.security.authentication.TestingAuthenticationToken
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
+import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.core.Authentication
 import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames
 import org.springframework.security.oauth2.jwt.Jwt
@@ -145,7 +141,7 @@ class JwtDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {
@@ -196,7 +192,7 @@ class JwtDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {
@@ -245,7 +241,7 @@ class JwtDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {

config/src/test/kotlin/org/springframework/security/config/annotation/web/oauth2/resourceserver/OpaqueTokenDslTests.kt

@@ -34,9 +34,9 @@ import org.springframework.security.authentication.ProviderManager
 import org.springframework.security.authentication.TestingAuthenticationProvider
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
+import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.core.Authentication
 import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal
 import org.springframework.security.oauth2.core.TestOAuth2AccessTokens
@@ -113,7 +113,7 @@ class OpaqueTokenDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {
@@ -159,7 +159,7 @@ class OpaqueTokenDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {
@@ -198,7 +198,7 @@ class OpaqueTokenDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {
@@ -242,7 +242,7 @@ class OpaqueTokenDslTests {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
-                authorizeRequests {
+                authorizeHttpRequests {
                     authorize(anyRequest, authenticated)
                 }
                 oauth2ResourceServer {

docs/modules/ROOT/pages/servlet/integrations/websocket.adoc

@@ -669,7 +669,7 @@ open class WebSecurityConfig {
                     sameOrigin = true
                 }
             }
-            authorizeRequests {
+            authorizeHttpRequests {
                 // ...
             }
             // ...

docs/modules/ROOT/pages/servlet/oauth2/client/authorization-grants.adoc

@@ -193,7 +193,7 @@ class SecurityConfig {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             oauth2Login {

docs/modules/ROOT/pages/servlet/oauth2/login/core.adoc

@@ -351,7 +351,7 @@ class OAuth2LoginSecurityConfig {
 
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             oauth2Login { }
@@ -422,7 +422,7 @@ class OAuth2LoginConfig {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             oauth2Login { }
@@ -518,7 +518,7 @@ open class OAuth2LoginConfig {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             oauth2Login { }

docs/modules/ROOT/pages/servlet/oauth2/login/logout.adoc

@@ -173,7 +173,7 @@ fun oidcLogoutHandler(): OidcBackChannelLogoutHandler {
 @Bean
 open fun filterChain(http: HttpSecurity): SecurityFilterChain {
     http {
-        authorizeRequests {
+        authorizeHttpRequests {
             authorize(anyRequest, authenticated)
         }
         oauth2Login { }

docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc

@@ -189,7 +189,7 @@ Kotlin::
 @Bean
 open fun filterChain(http: HttpSecurity): SecurityFilterChain {
     http {
-        authorizeRequests {
+        authorizeHttpRequests {
             authorize(anyRequest, authenticated)
         }
         oauth2ResourceServer {
@@ -246,7 +246,7 @@ class MyCustomSecurityConfiguration {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize("/messages/**", hasScope("message:read"))
                 authorize(anyRequest, authenticated)
             }
@@ -378,7 +378,7 @@ class DirectlyConfiguredJwkSetUri {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             oauth2ResourceServer {
@@ -448,7 +448,7 @@ class DirectlyConfiguredJwtDecoder {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             oauth2ResourceServer {
@@ -900,7 +900,7 @@ class DirectlyConfiguredJwkSetUri {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize("/contacts/**", hasScope("contacts"))
                 authorize("/messages/**", hasScope("messages"))
                 authorize(anyRequest, authenticated)
@@ -1138,7 +1138,7 @@ class CustomAuthenticationConverterConfig {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
            oauth2ResourceServer {

docs/modules/ROOT/pages/servlet/oauth2/resource-server/multitenancy.adoc

@@ -71,7 +71,7 @@ Kotlin::
 [source,kotlin,role="secondary"]
 ----
 http {
-    authorizeRequests {
+    authorizeHttpRequests {
         authorize(anyRequest, authenticated)
     }
     oauth2ResourceServer {
@@ -133,7 +133,7 @@ Kotlin::
 val customAuthenticationManagerResolver = JwtIssuerAuthenticationManagerResolver
     .fromTrustedIssuers("https://idp.example.org/issuerOne", "https://idp.example.org/issuerTwo")
 http {
-    authorizeRequests {
+    authorizeHttpRequests {
         authorize(anyRequest, authenticated)
     }
     oauth2ResourceServer {
@@ -213,7 +213,7 @@ private fun addManager(authenticationManagers: MutableMap<String, Authentication
 val customAuthenticationManagerResolver: JwtIssuerAuthenticationManagerResolver =
     JwtIssuerAuthenticationManagerResolver(authenticationManagers::get)
 http {
-    authorizeRequests {
+    authorizeHttpRequests {
         authorize(anyRequest, authenticated)
     }
     oauth2ResourceServer {

docs/modules/ROOT/pages/servlet/oauth2/resource-server/opaque-token.adoc

@@ -218,7 +218,7 @@ Kotlin::
 @Bean
 open fun filterChain(http: HttpSecurity): SecurityFilterChain {
     http {
-        authorizeRequests {
+        authorizeHttpRequests {
             authorize(anyRequest, authenticated)
         }
         oauth2ResourceServer {
@@ -275,7 +275,7 @@ class MyCustomSecurityConfiguration {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize("/messages/**", hasScope("SCOPE_message:read"))
                 authorize(anyRequest, authenticated)
             }
@@ -424,7 +424,7 @@ class DirectlyConfiguredIntrospectionUri {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             oauth2ResourceServer {
@@ -495,7 +495,7 @@ class DirectlyConfiguredIntrospector {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             oauth2ResourceServer {
@@ -589,7 +589,7 @@ class MappedAuthorities {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize("/contacts/**", hasScope("contacts"))
                 authorize("/messages/**", hasScope("messages"))
                 authorize(anyRequest, authenticated)

docs/modules/ROOT/pages/servlet/saml2/login/authentication.adoc

@@ -179,7 +179,7 @@ open class SecurityConfig {
                 })
         )
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             saml2Login {
@@ -300,7 +300,7 @@ open class SecurityConfig {
         val authenticationProvider = OpenSaml5AuthenticationProvider()
         authenticationProvider.setResponseAuthenticationConverter(this.authenticationConverter)
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             saml2Login {
@@ -443,7 +443,7 @@ open class SecurityConfig {
             MySaml2Authentication(userDetails, authentication) <3>
         }
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             saml2Login {
@@ -803,7 +803,7 @@ open class SecurityConfig {
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         val customAuthenticationManager: AuthenticationManager = MySaml2AuthenticationManager(...)
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize(anyRequest, authenticated)
             }
             saml2Login {

docs/modules/ROOT/pages/servlet/saml2/login/overview.adoc

@@ -357,7 +357,7 @@ Kotlin::
 @Bean
 open fun filterChain(http: HttpSecurity): SecurityFilterChain {
     http {
-        authorizeRequests {
+        authorizeHttpRequests {
             authorize(anyRequest, authenticated)
         }
         saml2Login { }
@@ -404,7 +404,7 @@ class MyCustomSecurityConfiguration {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize("/messages/**", hasAuthority("ROLE_USER"))
                 authorize(anyRequest, authenticated)
             }
@@ -571,7 +571,7 @@ class MyCustomSecurityConfiguration {
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
-            authorizeRequests {
+            authorizeHttpRequests {
                 authorize("/messages/**", hasAuthority("ROLE_USER"))
                 authorize(anyRequest, authenticated)
             }

test/src/test/java/org/springframework/security/test/web/servlet/request/Sec2935Tests.java

@@ -133,7 +133,7 @@ public class Sec2935Tests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated())
 				.httpBasic(withDefaults());

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2ClientTests.java

@@ -181,7 +181,7 @@ public class SecurityMockMvcRequestPostProcessorsOAuth2ClientTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authz) -> authz
+				.authorizeHttpRequests((authz) -> authz
 						.anyRequest().permitAll()
 				)
 				.oauth2Client(withDefaults());

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2LoginTests.java

@@ -158,7 +158,7 @@ public class SecurityMockMvcRequestPostProcessorsOAuth2LoginTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((authorize) -> authorize
+				.authorizeHttpRequests((authorize) -> authorize
 						.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
 						.anyRequest().hasAuthority("SCOPE_read")
 				).oauth2Login(withDefaults());

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOidcLoginTests.java

@@ -156,7 +156,7 @@ public class SecurityMockMvcRequestPostProcessorsOidcLoginTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
 					.anyRequest().hasAuthority("SCOPE_read"))
 				.oauth2Login(withDefaults());

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOpaqueTokenTests.java

@@ -130,7 +130,7 @@ public class SecurityMockMvcRequestPostProcessorsOpaqueTokenTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
 					.anyRequest().hasAuthority("SCOPE_read"))
 				.oauth2ResourceServer((server) -> server

test/src/test/java/org/springframework/security/test/web/servlet/response/Gh3409Tests.java

@@ -99,7 +99,7 @@ public class Gh3409Tests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/public/**").permitAll()
 					.anyRequest().authenticated())
 				.formLogin(withDefaults())

test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomConfigAuthenticationTests.java

@@ -99,7 +99,7 @@ public class CustomConfigAuthenticationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.securityContext((context) -> context
 					.securityContextRepository(securityContextRepository()))

test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomLoginRequestBuilderAuthenticationTests.java

@@ -90,7 +90,7 @@ public class CustomLoginRequestBuilderAuthenticationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.formLogin((login) -> login
 					.usernameParameter("user")

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/DefaultfSecurityRequestsTests.java

@@ -98,7 +98,7 @@ public class DefaultfSecurityRequestsTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated())
 				.httpBasic(withDefaults());

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/SecurityRequestsTests.java

@@ -113,7 +113,7 @@ public class SecurityRequestsTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated())
 				.formLogin(withDefaults());

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserAuthenticationTests.java

@@ -98,7 +98,7 @@ public class WithUserAuthenticationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated())
 				.formLogin(withDefaults());

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserClassLevelAuthenticationTests.java

@@ -97,7 +97,7 @@ public class WithUserClassLevelAuthenticationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated())
 				.httpBasic(withDefaults());

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsAuthenticationTests.java

@@ -88,7 +88,7 @@ public class WithUserDetailsAuthenticationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated())
 				.formLogin(withDefaults());

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsClassLevelAuthenticationTests.java

@@ -87,7 +87,7 @@ public class WithUserDetailsClassLevelAuthenticationTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated())
 				.formLogin(withDefaults());