Remove deprecated RequestMatcher methods from Java Configuration

Closes gh-11939

config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java

@@ -89,90 +89,6 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		return configurer;
 	}
 
-	/**
-	 * Maps a {@link List} of
-	 * {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
-	 * instances.
-	 * @param method the {@link HttpMethod} to use for any {@link HttpMethod}.
-	 * @return the object that is chained after creating the {@link RequestMatcher}
-	 * @deprecated use {@link #requestMatchers(HttpMethod)} instead
-	 */
-	@Deprecated
-	public C antMatchers(HttpMethod method) {
-		return antMatchers(method, "/**");
-	}
-
-	/**
-	 * Maps a {@link List} of
-	 * {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
-	 * instances.
-	 * @param method the {@link HttpMethod} to use or {@code null} for any
-	 * {@link HttpMethod}.
-	 * @param antPatterns the ant patterns to create. If {@code null} or empty, then
-	 * matches on nothing.
-	 * @return the object that is chained after creating the {@link RequestMatcher}
-	 * @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
-	 */
-	@Deprecated
-	public C antMatchers(HttpMethod method, String... antPatterns) {
-		Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
-		return chainRequestMatchers(RequestMatchers.antMatchers(method, antPatterns));
-	}
-
-	/**
-	 * Maps a {@link List} of
-	 * {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
-	 * instances that do not care which {@link HttpMethod} is used.
-	 * @param antPatterns the ant patterns to create
-	 * {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher} from
-	 * @return the object that is chained after creating the {@link RequestMatcher}
-	 * @deprecated use {@link #requestMatchers(String...)} instead
-	 */
-	@Deprecated
-	public C antMatchers(String... antPatterns) {
-		Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
-		return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));
-	}
-
-	/**
-	 * <p>
-	 * Maps an {@link MvcRequestMatcher} that does not care which {@link HttpMethod} is
-	 * used. This matcher will use the same rules that Spring MVC uses for matching. For
-	 * example, often times a mapping of the path "/path" will match on "/path", "/path/",
-	 * "/path.html", etc.
-	 * </p>
-	 * <p>
-	 * If the current request will not be processed by Spring MVC, a reasonable default
-	 * using the pattern as a ant pattern will be used.
-	 * </p>
-	 * @param mvcPatterns the patterns to match on. The rules for matching are defined by
-	 * Spring MVC
-	 * @return the object that is chained after creating the {@link RequestMatcher}.
-	 * @deprecated use {@link #requestMatchers(String...)} instead
-	 */
-	@Deprecated
-	public abstract C mvcMatchers(String... mvcPatterns);
-
-	/**
-	 * <p>
-	 * Maps an {@link MvcRequestMatcher} that also specifies a specific {@link HttpMethod}
-	 * to match on. This matcher will use the same rules that Spring MVC uses for
-	 * matching. For example, often times a mapping of the path "/path" will match on
-	 * "/path", "/path/", "/path.html", etc.
-	 * </p>
-	 * <p>
-	 * If the current request will not be processed by Spring MVC, a reasonable default
-	 * using the pattern as a ant pattern will be used.
-	 * </p>
-	 * @param method the HTTP method to match on
-	 * @param mvcPatterns the patterns to match on. The rules for matching are defined by
-	 * Spring MVC
-	 * @return the object that is chained after creating the {@link RequestMatcher}.
-	 * @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
-	 */
-	@Deprecated
-	public abstract C mvcMatchers(HttpMethod method, String... mvcPatterns);
-
 	/**
 	 * Creates {@link MvcRequestMatcher} instances for the method and patterns passed in
 	 * @param method the HTTP method to use or null if any should be used
@@ -201,40 +117,6 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		return matchers;
 	}
 
-	/**
-	 * Maps a {@link List} of
-	 * {@link org.springframework.security.web.util.matcher.RegexRequestMatcher}
-	 * instances.
-	 * @param method the {@link HttpMethod} to use or {@code null} for any
-	 * {@link HttpMethod}.
-	 * @param regexPatterns the regular expressions to create
-	 * {@link org.springframework.security.web.util.matcher.RegexRequestMatcher} from
-	 * @return the object that is chained after creating the {@link RequestMatcher}
-	 * @deprecated use {@link #requestMatchers(RequestMatcher...)} with a
-	 * {@link RegexRequestMatcher} instead
-	 */
-	@Deprecated
-	public C regexMatchers(HttpMethod method, String... regexPatterns) {
-		Assert.state(!this.anyRequestConfigured, "Can't configure regexMatchers after anyRequest");
-		return chainRequestMatchers(RequestMatchers.regexMatchers(method, regexPatterns));
-	}
-
-	/**
-	 * Create a {@link List} of
-	 * {@link org.springframework.security.web.util.matcher.RegexRequestMatcher} instances
-	 * that do not specify an {@link HttpMethod}.
-	 * @param regexPatterns the regular expressions to create
-	 * {@link org.springframework.security.web.util.matcher.RegexRequestMatcher} from
-	 * @return the object that is chained after creating the {@link RequestMatcher}
-	 * @deprecated use {@link #requestMatchers(RequestMatcher...)} with a
-	 * {@link RegexRequestMatcher} instead
-	 */
-	@Deprecated
-	public C regexMatchers(String... regexPatterns) {
-		Assert.state(!this.anyRequestConfigured, "Can't configure regexMatchers after anyRequest");
-		return chainRequestMatchers(RequestMatchers.regexMatchers(regexPatterns));
-	}
-
 	/**
 	 * Maps a {@link List} of
 	 * {@link org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher}

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -32,7 +32,6 @@ import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.OrderComparator;
 import org.springframework.core.Ordered;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.Customizer;
@@ -89,7 +88,6 @@ import org.springframework.security.web.session.HttpSessionEventPublisher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
-import org.springframework.security.web.util.matcher.RegexRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
@@ -587,7 +585,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
 	 * 				.permitAll().and()
 	 * 				// Example portMapper() configuration
 	 * 				.portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443);
@@ -688,7 +686,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and()
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and()
 	 * 		// Example jee() configuration
 	 * 				.jee().mappableRoles(&quot;USER&quot;, &quot;ADMIN&quot;);
 	 * 		return http.build();
@@ -763,7 +761,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.jee((jee) -&gt;
 	 * 				jee
@@ -840,7 +838,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and()
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and()
 	 * 		// Example x509() configuration
 	 * 				.x509();
 	 * 		return http.build();
@@ -873,7 +871,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.x509(withDefaults());
 	 * 		return http.build();
@@ -907,7 +905,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
 	 * 				.permitAll().and()
 	 * 				// Example Remember Me Configuration
 	 * 				.rememberMe();
@@ -952,7 +950,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
 	 * 			.rememberMe(withDefaults());
@@ -998,7 +996,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin();
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin();
 	 * 		return http.build();
 	 * 	}
 	 *
@@ -1030,8 +1028,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 		http.authorizeRequests().requestMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
-	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin();
+	 * 				.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin();
 	 * 		return http.build();
 	 * 	}
 	 *
@@ -1063,7 +1061,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).antMatchers(&quot;/admin/**&quot;)
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).requestMatchers(&quot;/admin/**&quot;)
 	 * 			.hasRole(&quot;ADMIN&quot;)
 	 * 		return http.build();
 	 * 	}
@@ -1072,7 +1070,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link ExpressionUrlAuthorizationConfigurer} for further customizations
 	 * @throws Exception
 	 * @deprecated Use {@link #authorizeHttpRequests()} instead
-	 * @see #requestMatcher(RequestMatcher)
 	 */
 	@Deprecated
 	public ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests()
@@ -1101,7 +1098,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults());
 	 * 		return http.build();
@@ -1138,8 +1135,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 					.requestMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults());
 	 * 		return http.build();
@@ -1176,8 +1173,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		 http
 	 * 		 	.authorizeRequests((authorizeRequests) -&gt;
 	 * 		 		authorizeRequests
-	 * 			 		.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 			 		.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 			 		.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 			 		.requestMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
 	 * 		 	);
 	 * 		return http.build();
 	 * 	}
@@ -1188,7 +1185,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
 	 * @deprecated Use {@link #authorizeHttpRequests} instead
-	 * @see #requestMatcher(RequestMatcher)
 	 */
 	@Deprecated
 	public HttpSecurity authorizeRequests(
@@ -1219,7 +1215,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
 	 * 			.authorizeHttpRequests()
-	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 				.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 				.and()
 	 * 			.formLogin();
 	 * 		return http.build();
@@ -1255,8 +1251,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
 	 * 			.authorizeHttpRequests()
-	 * 				.antMatchers(&quot;/admin&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 				.requestMatchers(&quot;/admin&quot;).hasRole(&quot;ADMIN&quot;)
-	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 				.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 				.and()
 	 * 			.formLogin();
 	 * 		return http.build();
@@ -1292,8 +1288,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
 	 * 			.authorizeHttpRequests()
-	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 				.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 				.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 				.requestMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
 	 * 				.and()
 	 * 			.formLogin();
 	 * 		return http.build();
@@ -1303,7 +1299,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
 	 * @since 5.6
-	 * @see #requestMatcher(RequestMatcher)
 	 */
 	public AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests()
 			throws Exception {
@@ -1331,7 +1326,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
 	 * 				authorizeHttpRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults());
 	 * 		return http.build();
@@ -1368,8 +1363,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
 	 * 				authorizeHttpRequests
-	 * 					.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 					.requestMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults());
 	 * 		return http.build();
@@ -1406,8 +1401,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 		 	.authorizeHttpRequests((authorizeHttpRequests) -&gt;
 	 * 		 		authorizeHttpRequests
-	 * 			 		.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 			 		.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 			 		.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 			 		.requestMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
 	 * 		 	);
 	 * 		return http.build();
 	 * 	}
@@ -1418,7 +1413,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
 	 * @since 5.5
-	 * @see #requestMatcher(RequestMatcher)
 	 */
 	public HttpSecurity authorizeHttpRequests(
 			Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer)
@@ -1463,7 +1457,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.requestCache((requestCache) -&gt;
 	 * 				requestCache.disable()
@@ -1512,7 +1506,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			// sample exception handling customization
 	 * 			.exceptionHandling((exceptionHandling) -&gt;
@@ -1695,7 +1689,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
 	 * 				.and()
 	 * 				// sample logout customization
 	 * 				.logout().deleteCookies(&quot;remove&quot;).invalidateHttpSession(false)
@@ -1744,7 +1738,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
 	 * 			// sample logout customization
@@ -1799,7 +1793,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
 	 * 			.authorizeRequests()
-	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 				.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 				.and()
 	 * 			.formLogin()
 	 * 				.and()
@@ -1833,7 +1827,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
 	 * 			.authorizeRequests()
-	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 				.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 				.and()
 	 * 			.formLogin()
 	 * 				.and()
@@ -1882,7 +1876,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
 	 * 			// sample anonymous customization
@@ -1919,7 +1913,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
 	 * 			// sample anonymous customization
@@ -1969,7 +1963,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin();
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin();
 	 * 		return http.build();
 	 * 	}
 	 *
@@ -1994,7 +1988,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
 	 * 				.usernameParameter(&quot;username&quot;) // default is username
 	 * 				.passwordParameter(&quot;password&quot;) // default is password
 	 * 				.loginPage(&quot;/authentication/login&quot;) // default is /login with an HTTP get
@@ -2046,7 +2040,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults());
 	 * 		return http.build();
@@ -2076,7 +2070,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin((formLogin) -&gt;
 	 * 				formLogin
@@ -2773,7 +2767,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
 	 * 				.and().requiresChannel().anyRequest().requiresSecure();
 	 * 		return http.build();
 	 * 	}
@@ -2819,7 +2813,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
 	 * 			.requiresChannel((requiresChannel) -&gt;
@@ -2869,7 +2863,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().httpBasic();
+	 * 		http.authorizeRequests().requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().httpBasic();
 	 * 		return http.build();
 	 * 	}
 	 *
@@ -2910,7 +2904,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.httpBasic(withDefaults());
 	 * 		return http.build();
@@ -2955,7 +2949,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		http
 	 * 			.authorizeRequests(authorizeRequests -&gt;
 	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.passwordManagement(passwordManagement -&gt;
 	 * 				passwordManagement
@@ -3087,291 +3081,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 		return addFilterAtOffsetOf(filter, 0, atFilter);
 	}
 
-	/**
-	 * Allows specifying which {@link HttpServletRequest} instances this
-	 * {@link HttpSecurity} will be invoked on. This method allows for easily invoking the
-	 * {@link HttpSecurity} for multiple different {@link RequestMatcher} instances. If
-	 * only a single {@link RequestMatcher} is necessary consider using
-	 * {@link #mvcMatcher(String)}, {@link #antMatcher(String)},
-	 * {@link #regexMatcher(String)}, or {@link #requestMatcher(RequestMatcher)}.
-	 *
-	 * <p>
-	 * Invoking {@link #requestMatchers()} will not override previous invocations of
-	 * {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
-	 * {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
-	 * {@link #requestMatcher(RequestMatcher)}.
-	 * </p>
-	 *
-	 * <h3>Example Configurations</h3>
-	 *
-	 * The following configuration enables the {@link HttpSecurity} for URLs that begin
-	 * with "/api/" or "/oauth/".
-	 *
-	 * <pre>
-	 * &#064;Configuration
-	 * &#064;EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	&#064;Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.requestMatchers()
-	 * 				.antMatchers(&quot;/api/**&quot;, &quot;/oauth/**&quot;)
-	 * 				.and()
-	 * 			.authorizeRequests()
-	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 				.and()
-	 * 			.httpBasic();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	&#064;Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username(&quot;user&quot;)
-	 * 			.password(&quot;password&quot;)
-	 * 			.roles(&quot;USER&quot;)
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * </pre>
-	 *
-	 * The configuration below is the same as the previous configuration.
-	 *
-	 * <pre>
-	 * &#064;Configuration
-	 * &#064;EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	&#064;Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.requestMatchers()
-	 * 				.antMatchers(&quot;/api/**&quot;)
-	 * 				.antMatchers(&quot;/oauth/**&quot;)
-	 * 				.and()
-	 * 			.authorizeRequests()
-	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 				.and()
-	 * 			.httpBasic();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	&#064;Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username(&quot;user&quot;)
-	 * 			.password(&quot;password&quot;)
-	 * 			.roles(&quot;USER&quot;)
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * </pre>
-	 *
-	 * The configuration below is also the same as the above configuration.
-	 *
-	 * <pre>
-	 * &#064;Configuration
-	 * &#064;EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	&#064;Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.requestMatchers()
-	 * 				.antMatchers(&quot;/api/**&quot;)
-	 * 				.and()
-	 *			 .requestMatchers()
-	 * 				.antMatchers(&quot;/oauth/**&quot;)
-	 * 				.and()
-	 * 			.authorizeRequests()
-	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 				.and()
-	 * 			.httpBasic();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	&#064;Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username(&quot;user&quot;)
-	 * 			.password(&quot;password&quot;)
-	 * 			.roles(&quot;USER&quot;)
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * </pre>
-	 * @return the {@link RequestMatcherConfigurer} for further customizations
-	 * @deprecated use {@link #securityMatchers()} instead
-	 */
-	@Deprecated
-	public RequestMatcherConfigurer requestMatchers() {
-		return this.requestMatcherConfigurer;
-	}
-
-	/**
-	 * Allows specifying which {@link HttpServletRequest} instances this
-	 * {@link HttpSecurity} will be invoked on. This method allows for easily invoking the
-	 * {@link HttpSecurity} for multiple different {@link RequestMatcher} instances. If
-	 * only a single {@link RequestMatcher} is necessary consider using
-	 * {@link #mvcMatcher(String)}, {@link #antMatcher(String)},
-	 * {@link #regexMatcher(String)}, or {@link #requestMatcher(RequestMatcher)}.
-	 *
-	 * <p>
-	 * Invoking {@link #requestMatchers()} will not override previous invocations of
-	 * {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
-	 * {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
-	 * {@link #requestMatcher(RequestMatcher)}.
-	 * </p>
-	 *
-	 * <h3>Example Configurations</h3>
-	 *
-	 * The following configuration enables the {@link HttpSecurity} for URLs that begin
-	 * with "/api/" or "/oauth/".
-	 *
-	 * <pre>
-	 * &#064;Configuration
-	 * &#064;EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	&#064;Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.requestMatchers((requestMatchers) -&gt;
-	 * 				requestMatchers
-	 * 					.antMatchers(&quot;/api/**&quot;, &quot;/oauth/**&quot;)
-	 * 			)
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 			)
-	 * 			.httpBasic(withDefaults());
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	&#064;Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username(&quot;user&quot;)
-	 * 			.password(&quot;password&quot;)
-	 * 			.roles(&quot;USER&quot;)
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * </pre>
-	 *
-	 * The configuration below is the same as the previous configuration.
-	 *
-	 * <pre>
-	 * &#064;Configuration
-	 * &#064;EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	&#064;Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.requestMatchers((requestMatchers) -&gt;
-	 * 				requestMatchers
-	 * 					.antMatchers(&quot;/api/**&quot;)
-	 * 					.antMatchers(&quot;/oauth/**&quot;)
-	 * 			)
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 			)
-	 * 			.httpBasic(withDefaults());
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	&#064;Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username(&quot;user&quot;)
-	 * 			.password(&quot;password&quot;)
-	 * 			.roles(&quot;USER&quot;)
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * </pre>
-	 *
-	 * The configuration below is also the same as the above configuration.
-	 *
-	 * <pre>
-	 * &#064;Configuration
-	 * &#064;EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	&#064;Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.requestMatchers((requestMatchers) -&gt;
-	 * 				requestMatchers
-	 * 					.antMatchers(&quot;/api/**&quot;)
-	 * 			)
-	 *			.requestMatchers((requestMatchers) -&gt;
-	 *			requestMatchers
-	 * 				.antMatchers(&quot;/oauth/**&quot;)
-	 * 			)
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 			)
-	 * 			.httpBasic(withDefaults());
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	&#064;Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username(&quot;user&quot;)
-	 * 			.password(&quot;password&quot;)
-	 * 			.roles(&quot;USER&quot;)
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * </pre>
-	 * @param requestMatcherCustomizer the {@link Customizer} to provide more options for
-	 * the {@link RequestMatcherConfigurer}
-	 * @return the {@link HttpSecurity} for further customizations
-	 * @deprecated use {@link #securityMatchers(Customizer)} instead
-	 */
-	@Deprecated
-	public HttpSecurity requestMatchers(Customizer<RequestMatcherConfigurer> requestMatcherCustomizer) {
-		requestMatcherCustomizer.customize(this.requestMatcherConfigurer);
-		return HttpSecurity.this;
-	}
-
-	/**
-	 * Allows configuring the {@link HttpSecurity} to only be invoked when matching the
-	 * provided {@link RequestMatcher}. If more advanced configuration is necessary,
-	 * consider using {@link #requestMatchers()}.
-	 *
-	 * <p>
-	 * Invoking {@link #requestMatcher(RequestMatcher)} will override previous invocations
-	 * of {@link #requestMatchers()}, {@link #mvcMatcher(String)},
-	 * {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
-	 * {@link #requestMatcher(RequestMatcher)}.
-	 * </p>
-	 * @param requestMatcher the {@link RequestMatcher} to use (i.e. new
-	 * AntPathRequestMatcher("/admin/**","GET") )
-	 * @return the {@link HttpSecurity} for further customizations
-	 * @deprecated use {@link #securityMatcher(RequestMatcher)} instead
-	 * @see #requestMatchers()
-	 * @see #antMatcher(String)
-	 * @see #regexMatcher(String)
-	 */
-	@Deprecated
-	public HttpSecurity requestMatcher(RequestMatcher requestMatcher) {
-		this.requestMatcher = requestMatcher;
-		return this;
-	}
-
 	/**
 	 * Allows specifying which {@link HttpServletRequest} instances this
 	 * {@link HttpSecurity} will be invoked on. This method allows for easily invoking the
@@ -3624,10 +3333,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * <p>
 	 * Invoking {@link #securityMatcher(RequestMatcher)} will override previous
-	 * invocations of {@link #requestMatchers()}, {@link #mvcMatcher(String)},
+	 * invocations of {@link #securityMatcher(RequestMatcher)},
-	 * {@link #antMatcher(String)}, {@link #regexMatcher(String)},
+	 * {@link #securityMatcher(String...)}, {@link #securityMatchers(Customizer)} and
-	 * {@link #requestMatcher(RequestMatcher)}, {@link #securityMatchers(Customizer)},
+	 * {@link #securityMatchers()}
-	 * {@link #securityMatchers()} and {@link #securityMatcher(String...)}
 	 * </p>
 	 * @param requestMatcher the {@link RequestMatcher} to use (i.e. new
 	 * AntPathRequestMatcher("/admin/**","GET") )
@@ -3648,9 +3356,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * <p>
 	 * Invoking {@link #securityMatcher(String...)} will override previous invocations of
-	 * {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
+	 * {@link #securityMatcher(String...)} (String)}},
-	 * {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
+	 * {@link #securityMatcher(RequestMatcher)} ()}, {@link #securityMatchers(Customizer)}
-	 * {@link #requestMatcher(RequestMatcher)}.
+	 * (String)} and {@link #securityMatchers()} (String)}.
 	 * </p>
 	 * @param patterns the pattern to match on (i.e. "/admin/**")
 	 * @return the {@link HttpSecurity} for further customizations
@@ -3692,72 +3400,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 		return matchers;
 	}
 
-	/**
-	 * Allows configuring the {@link HttpSecurity} to only be invoked when matching the
-	 * provided ant pattern. If more advanced configuration is necessary, consider using
-	 * {@link #requestMatchers()} or {@link #requestMatcher(RequestMatcher)}.
-	 *
-	 * <p>
-	 * Invoking {@link #antMatcher(String)} will override previous invocations of
-	 * {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
-	 * {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
-	 * {@link #requestMatcher(RequestMatcher)}.
-	 * </p>
-	 * @param antPattern the Ant Pattern to match on (i.e. "/admin/**")
-	 * @return the {@link HttpSecurity} for further customizations
-	 * @deprecated use {@link #securityMatcher(String...)} instead
-	 * @see AntPathRequestMatcher
-	 */
-	@Deprecated
-	public HttpSecurity antMatcher(String antPattern) {
-		return requestMatcher(new AntPathRequestMatcher(antPattern));
-	}
-
-	/**
-	 * Allows configuring the {@link HttpSecurity} to only be invoked when matching the
-	 * provided Spring MVC pattern. If more advanced configuration is necessary, consider
-	 * using {@link #requestMatchers()} or {@link #requestMatcher(RequestMatcher)}.
-	 *
-	 * <p>
-	 * Invoking {@link #mvcMatcher(String)} will override previous invocations of
-	 * {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
-	 * {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
-	 * {@link #requestMatcher(RequestMatcher)}.
-	 * </p>
-	 * @param mvcPattern the Spring MVC Pattern to match on (i.e. "/admin/**")
-	 * @return the {@link HttpSecurity} for further customizations
-	 * @deprecated use {@link #securityMatcher(String...)} instead
-	 * @see MvcRequestMatcher
-	 */
-	@Deprecated
-	public HttpSecurity mvcMatcher(String mvcPattern) {
-		HandlerMappingIntrospector introspector = new HandlerMappingIntrospector();
-		introspector.setApplicationContext(getContext());
-		introspector.afterPropertiesSet();
-		return requestMatcher(new MvcRequestMatcher(introspector, mvcPattern));
-	}
-
-	/**
-	 * Allows configuring the {@link HttpSecurity} to only be invoked when matching the
-	 * provided regex pattern. If more advanced configuration is necessary, consider using
-	 * {@link #requestMatchers()} or {@link #requestMatcher(RequestMatcher)}.
-	 *
-	 * <p>
-	 * Invoking {@link #regexMatcher(String)} will override previous invocations of
-	 * {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
-	 * {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
-	 * {@link #requestMatcher(RequestMatcher)}.
-	 * </p>
-	 * @param pattern the Regular Expression to match on (i.e. "/admin/.+")
-	 * @return the {@link HttpSecurity} for further customizations
-	 * @deprecated use {@link #securityMatcher(RequestMatcher)} with a
-	 * {@link RegexRequestMatcher} instead
-	 */
-	@Deprecated
-	public HttpSecurity regexMatcher(String pattern) {
-		return requestMatcher(new RegexRequestMatcher(pattern, null));
-	}
-
 	/**
 	 * If the {@link SecurityConfigurer} has already been specified get the original,
 	 * otherwise apply the new {@link SecurityConfigurerAdapter}.
@@ -3776,40 +3418,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 		return apply(configurer);
 	}
 
-	/**
-	 * An extension to {@link RequestMatcherConfigurer} that allows optionally configuring
-	 * the servlet path.
-	 *
-	 * @author Rob Winch
-	 */
-	public final class MvcMatchersRequestMatcherConfigurer extends RequestMatcherConfigurer {
-
-		private final List<MvcRequestMatcher> mvcMatchers;
-
-		/**
-		 * Creates a new instance
-		 * @param context the {@link ApplicationContext} to use
-		 * @param mvcMatchers the {@link MvcRequestMatcher} instances to set the servlet
-		 * path on if {@link #servletPath(String)} is set.
-		 * @param allMatchers the {@link RequestMatcher} instances to continue the
-		 * configuration
-		 */
-		private MvcMatchersRequestMatcherConfigurer(ApplicationContext context, List<MvcRequestMatcher> mvcMatchers,
-				List<RequestMatcher> allMatchers) {
-			super(context);
-			this.mvcMatchers = new ArrayList<>(mvcMatchers);
-			this.matchers = allMatchers;
-		}
-
-		public RequestMatcherConfigurer servletPath(String servletPath) {
-			for (MvcRequestMatcher matcher : this.mvcMatchers) {
-				matcher.setServletPath(servletPath);
-			}
-			return this;
-		}
-
-	}
-
 	/**
 	 * Allows mapping HTTP requests that this {@link HttpSecurity} will be used for
 	 *
@@ -3824,26 +3432,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 			setApplicationContext(context);
 		}
 
-		/**
-		 * @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersRequestMatcherConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
-			List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
-			setMatchers(mvcMatchers);
-			return new MvcMatchersRequestMatcherConfigurer(getContext(), mvcMatchers, this.matchers);
-		}
-
-		/**
-		 * @deprecated use {@link #requestMatchers(String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersRequestMatcherConfigurer mvcMatchers(String... patterns) {
-			return mvcMatchers(null, patterns);
-		}
-
 		@Override
 		protected RequestMatcherConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			setMatchers(requestMatchers);

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -29,7 +29,6 @@ import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
@@ -58,7 +57,6 @@ import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
-import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcherEntry;
 import org.springframework.util.Assert;
@@ -375,32 +373,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 		this.servletContext = servletContext;
 	}
 
-	/**
-	 * An {@link IgnoredRequestConfigurer} that allows optionally configuring the
-	 * {@link MvcRequestMatcher#setMethod(HttpMethod)}
-	 *
-	 * @author Rob Winch
-	 * @deprecated use {@link MvcRequestMatcher.Builder} instead
-	 */
-	@Deprecated
-	public final class MvcMatchersIgnoredRequestConfigurer extends IgnoredRequestConfigurer {
-
-		private final List<MvcRequestMatcher> mvcMatchers;
-
-		private MvcMatchersIgnoredRequestConfigurer(ApplicationContext context, List<MvcRequestMatcher> mvcMatchers) {
-			super(context);
-			this.mvcMatchers = mvcMatchers;
-		}
-
-		public IgnoredRequestConfigurer servletPath(String servletPath) {
-			for (MvcRequestMatcher matcher : this.mvcMatchers) {
-				matcher.setServletPath(servletPath);
-			}
-			return this;
-		}
-
-	}
-
 	/**
 	 * Allows registering {@link RequestMatcher} instances that should be ignored by
 	 * Spring Security.
@@ -414,26 +386,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 			setApplicationContext(context);
 		}
 
-		/**
-		 * @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersIgnoredRequestConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
-			List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
-			WebSecurity.this.ignoredRequests.addAll(mvcMatchers);
-			return new MvcMatchersIgnoredRequestConfigurer(getApplicationContext(), mvcMatchers);
-		}
-
-		/**
-		 * @deprecated use {@link #requestMatchers(String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersIgnoredRequestConfigurer mvcMatchers(String... mvcPatterns) {
-			return mvcMatchers(null, mvcPatterns);
-		}
-
 		@Override
 		protected IgnoredRequestConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			WebSecurity.this.ignoredRequests.addAll(requestMatchers);

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityCustomizer.java

@@ -29,7 +29,7 @@ import org.springframework.security.config.annotation.web.builders.WebSecurity;
  * <pre>
  * &#064;Bean
  * public WebSecurityCustomizer ignoringCustomizer() {
- * 	return (web) -&gt; web.ignoring().antMatchers("/ignore1", "/ignore2");
+ * 	return (web) -&gt; web.ignoring().requestMatchers("/ignore1", "/ignore2");
  * }
  * </pre>
  *

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -21,7 +21,6 @@ import java.util.List;
 import jakarta.servlet.http.HttpServletRequest;
 
 import org.springframework.context.ApplicationContext;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
 import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationDecision;
@@ -34,7 +33,6 @@ import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
-import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcherEntry;
 import org.springframework.util.Assert;
@@ -146,24 +144,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 			return postProcess(this.managerBuilder.build());
 		}
 
-		/**
-		 * @deprecated use {@link #requestMatchers(String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersAuthorizedUrl mvcMatchers(String... mvcPatterns) {
-			return mvcMatchers(null, mvcPatterns);
-		}
-
-		/**
-		 * @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersAuthorizedUrl mvcMatchers(HttpMethod method, String... mvcPatterns) {
-			return new MvcMatchersAuthorizedUrl(createMvcMatchers(method, mvcPatterns));
-		}
-
 		@Override
 		protected AuthorizedUrl chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			this.unmappedMatchers = requestMatchers;
@@ -205,35 +185,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 
 	}
 
-	/**
-	 * An {@link AuthorizeHttpRequestsConfigurer.AuthorizedUrl} that allows optionally
-	 * configuring the {@link MvcRequestMatcher#setServletPath(String)}.
-	 *
-	 * @author Evgeniy Cheban
-	 * @deprecated use {@link MvcRequestMatcher.Builder} instead
-	 */
-	@Deprecated
-	public final class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
-
-		private MvcMatchersAuthorizedUrl(List<MvcRequestMatcher> matchers) {
-			super(matchers);
-		}
-
-		/**
-		 * Configures <code>servletPath</code> to {@link MvcRequestMatcher}s.
-		 * @param servletPath the servlet path
-		 * @return the {@link MvcMatchersAuthorizedUrl} for further customizations
-		 */
-		@SuppressWarnings("unchecked")
-		public MvcMatchersAuthorizedUrl servletPath(String servletPath) {
-			for (MvcRequestMatcher matcher : (List<MvcRequestMatcher>) getMatchers()) {
-				matcher.setServletPath(servletPath);
-			}
-			return this;
-		}
-
-	}
-
 	/**
 	 * An object that allows configuring the {@link AuthorizationManager} for
 	 * {@link RequestMatcher}s.

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurer.java

@@ -22,7 +22,6 @@ import java.util.LinkedHashMap;
 import java.util.List;
 
 import org.springframework.context.ApplicationContext;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
@@ -41,7 +40,6 @@ import org.springframework.security.web.access.channel.RetryWithHttpEntryPoint;
 import org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint;
 import org.springframework.security.web.access.channel.SecureChannelProcessor;
 import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
-import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
@@ -155,25 +153,6 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 			setApplicationContext(context);
 		}
 
-		/**
-		 * @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersRequiresChannelUrl mvcMatchers(HttpMethod method, String... mvcPatterns) {
-			List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
-			return new MvcMatchersRequiresChannelUrl(mvcMatchers);
-		}
-
-		/**
-		 * @deprecated use {@link #requestMatchers(String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersRequiresChannelUrl mvcMatchers(String... patterns) {
-			return mvcMatchers(null, patterns);
-		}
-
 		@Override
 		protected RequiresChannelUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
 			return new RequiresChannelUrl(requestMatchers);
@@ -222,21 +201,6 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 
 	}
 
-	public final class MvcMatchersRequiresChannelUrl extends RequiresChannelUrl {
-
-		private MvcMatchersRequiresChannelUrl(List<MvcRequestMatcher> matchers) {
-			super(matchers);
-		}
-
-		public RequiresChannelUrl servletPath(String servletPath) {
-			for (RequestMatcher matcher : this.requestMatchers) {
-				((MvcRequestMatcher) matcher).setServletPath(servletPath);
-			}
-			return this;
-		}
-
-	}
-
 	public class RequiresChannelUrl {
 
 		protected List<? extends RequestMatcher> requestMatchers;

config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java

@@ -23,7 +23,6 @@ import java.util.List;
 import jakarta.servlet.http.HttpServletRequest;
 
 import org.springframework.context.ApplicationContext;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
@@ -40,7 +39,6 @@ import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
-import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler;
 import org.springframework.security.web.session.InvalidSessionStrategy;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
@@ -139,37 +137,6 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 		return this;
 	}
 
-	/**
-	 * <p>
-	 * Allows specifying {@link HttpServletRequest} that should not use CSRF Protection
-	 * even if they match the {@link #requireCsrfProtectionMatcher(RequestMatcher)}.
-	 * </p>
-	 *
-	 * <p>
-	 * For example, the following configuration will ensure CSRF protection ignores:
-	 * </p>
-	 * <ul>
-	 * <li>Any GET, HEAD, TRACE, OPTIONS (this is the default)</li>
-	 * <li>We also explicitly state to ignore any request that starts with "/sockjs/"</li>
-	 * </ul>
-	 *
-	 * <pre>
-	 * http
-	 *     .csrf()
-	 *         .ignoringAntMatchers("/sockjs/**")
-	 *         .and()
-	 *     ...
-	 * </pre>
-	 *
-	 * @since 4.0
-	 * @deprecated use {@link #ignoringRequestMatchers(RequestMatcher...)} with an
-	 * {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher} instead
-	 */
-	@Deprecated
-	public CsrfConfigurer<H> ignoringAntMatchers(String... antPatterns) {
-		return new IgnoreCsrfProtectionRegistry(this.context).antMatchers(antPatterns).and();
-	}
-
 	/**
 	 * <p>
 	 * Allows specifying {@link HttpServletRequest}s that should not use CSRF Protection
@@ -378,26 +345,6 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 			setApplicationContext(context);
 		}
 
-		/**
-		 * @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersIgnoreCsrfProtectionRegistry mvcMatchers(HttpMethod method, String... mvcPatterns) {
-			List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
-			CsrfConfigurer.this.ignoredCsrfProtectionMatchers.addAll(mvcMatchers);
-			return new MvcMatchersIgnoreCsrfProtectionRegistry(getApplicationContext(), mvcMatchers);
-		}
-
-		/**
-		 * @deprecated use {@link #requestMatchers(String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersIgnoreCsrfProtectionRegistry mvcMatchers(String... mvcPatterns) {
-			return mvcMatchers(null, mvcPatterns);
-		}
-
 		CsrfConfigurer<H> and() {
 			return CsrfConfigurer.this;
 		}
@@ -410,29 +357,4 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
 	}
 
-	/**
-	 * An {@link IgnoreCsrfProtectionRegistry} that allows optionally configuring the
-	 * {@link MvcRequestMatcher#setMethod(HttpMethod)}
-	 *
-	 * @author Rob Winch
-	 */
-	private final class MvcMatchersIgnoreCsrfProtectionRegistry extends IgnoreCsrfProtectionRegistry {
-
-		private final List<MvcRequestMatcher> mvcMatchers;
-
-		private MvcMatchersIgnoreCsrfProtectionRegistry(ApplicationContext context,
-				List<MvcRequestMatcher> mvcMatchers) {
-			super(context);
-			this.mvcMatchers = mvcMatchers;
-		}
-
-		IgnoreCsrfProtectionRegistry servletPath(String servletPath) {
-			for (MvcRequestMatcher matcher : this.mvcMatchers) {
-				matcher.setServletPath(servletPath);
-			}
-			return this;
-		}
-
-	}
-
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java

@@ -22,7 +22,6 @@ import java.util.LinkedHashMap;
 import java.util.List;
 
 import org.springframework.context.ApplicationContext;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.PermissionEvaluator;
@@ -38,7 +37,6 @@ import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
 import org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource;
 import org.springframework.security.web.access.expression.WebExpressionVoter;
-import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
@@ -222,24 +220,6 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 			setApplicationContext(context);
 		}
 
-		/**
-		 * @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersAuthorizedUrl mvcMatchers(HttpMethod method, String... mvcPatterns) {
-			return new MvcMatchersAuthorizedUrl(createMvcMatchers(method, mvcPatterns));
-		}
-
-		/**
-		 * @deprecated use {@link #requestMatchers(String...)} instead
-		 */
-		@Override
-		@Deprecated
-		public MvcMatchersAuthorizedUrl mvcMatchers(String... patterns) {
-			return mvcMatchers(null, patterns);
-		}
-
 		@Override
 		protected AuthorizedUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
 			return new AuthorizedUrl(requestMatchers);
@@ -275,31 +255,6 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 
 	}
 
-	/**
-	 * An {@link AuthorizedUrl} that allows optionally configuring the
-	 * {@link MvcRequestMatcher#setMethod(HttpMethod)}
-	 *
-	 * @author Rob Winch
-	 */
-	public final class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
-
-		/**
-		 * Creates a new instance
-		 * @param requestMatchers the {@link RequestMatcher} instances to map
-		 */
-		private MvcMatchersAuthorizedUrl(List<MvcRequestMatcher> requestMatchers) {
-			super(requestMatchers);
-		}
-
-		public AuthorizedUrl servletPath(String servletPath) {
-			for (MvcRequestMatcher matcher : (List<MvcRequestMatcher>) getMatchers()) {
-				matcher.setServletPath(servletPath);
-			}
-			return this;
-		}
-
-	}
-
 	public class AuthorizedUrl {
 
 		private List<? extends RequestMatcher> requestMatchers;

config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java

@@ -32,7 +32,6 @@ import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
 import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
-import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
@@ -51,8 +50,8 @@ import org.springframework.util.Assert;
  * <pre>
  * protected void configure(HttpSecurity http) throws Exception {
  * 	http.apply(new UrlAuthorizationConfigurer&lt;HttpSecurity&gt;()).getRegistry()
- * 			.antMatchers(&quot;/users**&quot;, &quot;/sessions/**&quot;).hasRole(&quot;USER&quot;)
+ * 			.requestMatchers(&quot;/users**&quot;, &quot;/sessions/**&quot;).hasRole(&quot;USER&quot;)
- * 			.antMatchers(&quot;/signup&quot;).hasRole(&quot;ANONYMOUS&quot;).anyRequest().hasRole(&quot;USER&quot;);
+ * 			.requestMatchers(&quot;/signup&quot;).hasRole(&quot;ANONYMOUS&quot;).anyRequest().hasRole(&quot;USER&quot;);
  * }
  * </pre>
  *
@@ -202,22 +201,24 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 			setApplicationContext(context);
 		}
 
-		/**
-		 * @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
-		 */
 		@Override
-		@Deprecated
+		public AuthorizedUrl requestMatchers(String... patterns) {
-		public MvcMatchersAuthorizedUrl mvcMatchers(HttpMethod method, String... mvcPatterns) {
+			return super.requestMatchers(patterns);
-			return new MvcMatchersAuthorizedUrl(createMvcMatchers(method, mvcPatterns));
 		}
 
-		/**
-		 * @deprecated use {@link #requestMatchers(String...)} instead
-		 */
 		@Override
-		@Deprecated
+		public AuthorizedUrl requestMatchers(HttpMethod method, String... patterns) {
-		public MvcMatchersAuthorizedUrl mvcMatchers(String... patterns) {
+			return super.requestMatchers(method, patterns);
-			return mvcMatchers(null, patterns);
+		}
+
+		@Override
+		public AuthorizedUrl requestMatchers(HttpMethod method) {
+			return super.requestMatchers(method);
+		}
+
+		@Override
+		public AuthorizedUrl requestMatchers(RequestMatcher... requestMatchers) {
+			return super.requestMatchers(requestMatchers);
 		}
 
 		@Override
@@ -242,32 +243,6 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 
 	}
 
-	/**
-	 * An {@link AuthorizedUrl} that allows optionally configuring the
-	 * {@link MvcRequestMatcher#setMethod(HttpMethod)}
-	 *
-	 * @author Rob Winch
-	 */
-	public final class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
-
-		/**
-		 * Creates a new instance
-		 * @param requestMatchers the {@link RequestMatcher} instances to map
-		 */
-		private MvcMatchersAuthorizedUrl(List<MvcRequestMatcher> requestMatchers) {
-			super(requestMatchers);
-		}
-
-		@SuppressWarnings("unchecked")
-		public AuthorizedUrl servletPath(String servletPath) {
-			for (MvcRequestMatcher matcher : (List<MvcRequestMatcher>) getMatchers()) {
-				matcher.setServletPath(servletPath);
-			}
-			return this;
-		}
-
-	}
-
 	/**
 	 * Maps the specified {@link RequestMatcher} instances to {@link ConfigAttribute}
 	 * instances.

config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt

@@ -26,9 +26,11 @@ import org.springframework.security.config.annotation.web.configurers.AuthorizeH
 import org.springframework.security.core.Authentication
 import org.springframework.security.web.access.intercept.AuthorizationFilter
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher
 import org.springframework.security.web.util.matcher.AnyRequestMatcher
 import org.springframework.security.web.util.matcher.RequestMatcher
 import org.springframework.util.ClassUtils
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector
 import java.util.function.Supplier
 
 /**
@@ -43,6 +45,7 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() {
 
     private val authorizationRules = mutableListOf<AuthorizationManagerRule>()
 
+    private val HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME = "mvcHandlerMappingIntrospector"
     private val HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector"
     private val MVC_PRESENT = ClassUtils.isPresent(
         HANDLER_MAPPING_INTROSPECTOR,
@@ -244,10 +247,15 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() {
                     is MatcherAuthorizationManagerRule -> requests.requestMatchers(rule.matcher).access(rule.rule)
                     is PatternAuthorizationManagerRule -> {
                         when (rule.patternType) {
-                            PatternType.ANT -> requests.antMatchers(rule.httpMethod, rule.pattern).access(rule.rule)
+                            PatternType.ANT -> requests.requestMatchers(rule.httpMethod, rule.pattern).access(rule.rule)
-                            PatternType.MVC -> requests.mvcMatchers(rule.httpMethod, rule.pattern)
+                            PatternType.MVC -> {
-                                .apply { if (rule.servletPath != null) servletPath(rule.servletPath) }
+                                val introspector = requests.applicationContext.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, HandlerMappingIntrospector::class.java)
-                                .access(rule.rule)
+                                val mvcMatcher = MvcRequestMatcher.Builder(introspector)
+                                    .servletPath(rule.servletPath)
+                                    .pattern(rule.pattern)
+                                mvcMatcher.setMethod(rule.httpMethod)
+                                requests.requestMatchers(mvcMatcher).access(rule.rule)
+                            }
                         }
                     }
                 }

config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeRequestsDsl.kt

@@ -19,9 +19,11 @@ package org.springframework.security.config.annotation.web
 import org.springframework.http.HttpMethod
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher
 import org.springframework.security.web.util.matcher.AnyRequestMatcher
 import org.springframework.security.web.util.matcher.RequestMatcher
 import org.springframework.util.ClassUtils
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector
 
 /**
  * A Kotlin DSL to configure [HttpSecurity] request authorization using idiomatic Kotlin code.
@@ -32,6 +34,7 @@ import org.springframework.util.ClassUtils
 class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
     private val authorizationRules = mutableListOf<AuthorizationRule>()
 
+    private val HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME = "mvcHandlerMappingIntrospector"
     private val HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector"
     private val MVC_PRESENT = ClassUtils.isPresent(
             HANDLER_MAPPING_INTROSPECTOR,
@@ -224,10 +227,15 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
                     is MatcherAuthorizationRule -> requests.requestMatchers(rule.matcher).access(rule.rule)
                     is PatternAuthorizationRule -> {
                         when (rule.patternType) {
-                            PatternType.ANT -> requests.antMatchers(rule.httpMethod, rule.pattern).access(rule.rule)
+                            PatternType.ANT -> requests.requestMatchers(rule.httpMethod, rule.pattern).access(rule.rule)
-                            PatternType.MVC -> requests.mvcMatchers(rule.httpMethod, rule.pattern)
+                            PatternType.MVC -> {
-                                .apply { if(rule.servletPath != null) servletPath(rule.servletPath) }
+                                val introspector = requests.applicationContext.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, HandlerMappingIntrospector::class.java)
-                                .access(rule.rule)
+                                val mvcMatcher = MvcRequestMatcher.Builder(introspector)
+                                    .servletPath(rule.servletPath)
+                                    .pattern(rule.pattern)
+                                mvcMatcher.setMethod(rule.httpMethod)
+                                requests.requestMatchers(mvcMatcher).access(rule.rule)
+                            }
                         }
                     }
                 }

config/src/main/kotlin/org/springframework/security/config/annotation/web/CsrfDsl.kt

@@ -16,13 +16,13 @@
 
 package org.springframework.security.config.annotation.web
 
+import jakarta.servlet.http.HttpServletRequest
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
 import org.springframework.security.web.csrf.CsrfTokenRepository
 import org.springframework.security.web.csrf.CsrfTokenRequestHandler
 import org.springframework.security.web.util.matcher.RequestMatcher
-import jakarta.servlet.http.HttpServletRequest
 
 /**
  * A Kotlin DSL to configure [HttpSecurity] CSRF protection
@@ -42,23 +42,10 @@ class CsrfDsl {
     var sessionAuthenticationStrategy: SessionAuthenticationStrategy? = null
     var csrfTokenRequestHandler: CsrfTokenRequestHandler? = null
 
-    private var ignoringAntMatchers: Array<out String>? = null
     private var ignoringRequestMatchers: Array<out RequestMatcher>? = null
     private var ignoringRequestMatchersPatterns: Array<out String>? = null
     private var disabled = false
 
-    /**
-     * Allows specifying [HttpServletRequest]s that should not use CSRF Protection
-     * even if they match the [requireCsrfProtectionMatcher].
-     *
-     * @param antMatchers the ANT pattern matchers that should not use CSRF
-     * protection
-     */
-    @Deprecated("Use ignoringRequestMatchers instead")
-    fun ignoringAntMatchers(vararg antMatchers: String) {
-        ignoringAntMatchers = antMatchers
-    }
-
     /**
      * Allows specifying [HttpServletRequest]s that should not use CSRF Protection
      * even if they match the [requireCsrfProtectionMatcher].
@@ -93,7 +80,6 @@ class CsrfDsl {
             requireCsrfProtectionMatcher?.also { csrf.requireCsrfProtectionMatcher(requireCsrfProtectionMatcher) }
             sessionAuthenticationStrategy?.also { csrf.sessionAuthenticationStrategy(sessionAuthenticationStrategy) }
             csrfTokenRequestHandler?.also { csrf.csrfTokenRequestHandler(csrfTokenRequestHandler) }
-            ignoringAntMatchers?.also { csrf.ignoringAntMatchers(*ignoringAntMatchers!!) }
             ignoringRequestMatchers?.also { csrf.ignoringRequestMatchers(*ignoringRequestMatchers!!) }
             ignoringRequestMatchersPatterns?.also { csrf.ignoringRequestMatchers(*ignoringRequestMatchersPatterns!!) }
             if (disabled) {

config/src/main/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDsl.kt

@@ -137,18 +137,8 @@ class HttpSecurityDsl(private val http: HttpSecurity, private val init: HttpSecu
      * configuration should be invoked.
      */
     fun securityMatcher(vararg pattern: String) {
-        val mvcPresent = ClassUtils.isPresent(
+        this.http.securityMatchers {
-                HANDLER_MAPPING_INTROSPECTOR,
+            it.requestMatchers(*pattern)
-                AuthorizeRequestsDsl::class.java.classLoader) ||
-                ClassUtils.isPresent(
-                    HANDLER_MAPPING_INTROSPECTOR,
-                    AuthorizeHttpRequestsDsl::class.java.classLoader)
-        this.http.requestMatchers {
-            if (mvcPresent) {
-                it.mvcMatchers(*pattern)
-            } else {
-                it.antMatchers(*pattern)
-            }
         }
     }
 
@@ -180,7 +170,7 @@ class HttpSecurityDsl(private val http: HttpSecurity, private val init: HttpSecu
      * this configuration should be invoked.
      */
     fun securityMatcher(vararg requestMatcher: RequestMatcher) {
-        this.http.requestMatchers {
+        this.http.securityMatchers {
             it.requestMatchers(*requestMatcher)
         }
     }

config/src/main/kotlin/org/springframework/security/config/annotation/web/RequiresChannelDsl.kt

@@ -20,9 +20,11 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer
 import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl
 import org.springframework.security.web.access.channel.ChannelProcessor
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher
 import org.springframework.security.web.util.matcher.AnyRequestMatcher
 import org.springframework.security.web.util.matcher.RequestMatcher
 import org.springframework.util.ClassUtils
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector
 
 /**
  * A Kotlin DSL to configure [HttpSecurity] channel security using idiomatic
@@ -36,6 +38,7 @@ import org.springframework.util.ClassUtils
 class RequiresChannelDsl : AbstractRequestMatcherDsl() {
     private val channelSecurityRules = mutableListOf<AuthorizationRule>()
 
+    private val HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME = "mvcHandlerMappingIntrospector"
     private val HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector"
     private val MVC_PRESENT = ClassUtils.isPresent(
             HANDLER_MAPPING_INTROSPECTOR,
@@ -119,11 +122,14 @@ class RequiresChannelDsl : AbstractRequestMatcherDsl() {
                     is MatcherAuthorizationRule -> channelSecurity.requestMatchers(rule.matcher).requires(rule.rule)
                     is PatternAuthorizationRule -> {
                         when (rule.patternType) {
-                            PatternType.ANT -> channelSecurity.antMatchers(rule.pattern).requires(rule.rule)
+                            PatternType.ANT -> channelSecurity.requestMatchers(rule.pattern).requires(rule.rule)
                             PatternType.MVC -> {
-                                val mvcMatchersRequiresChannel = channelSecurity.mvcMatchers(rule.pattern)
+                                val introspector = channelSecurity.applicationContext.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, HandlerMappingIntrospector::class.java)
-                                rule.servletPath?.also { mvcMatchersRequiresChannel.servletPath(rule.servletPath) }
+                                val mvcMatcher = MvcRequestMatcher.Builder(introspector)
-                                mvcMatchersRequiresChannel.requires(rule.rule)
+                                    .servletPath(rule.servletPath)
+                                    .pattern(rule.pattern)
+                                mvcMatcher.setMethod(rule.httpMethod)
+                                channelSecurity.requestMatchers(mvcMatcher).requires(rule.rule)
                             }
                         }
                     }

config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java

@@ -32,6 +32,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.util.Assert;
 
 /**
@@ -51,7 +52,7 @@ public class SecurityConfig {
 		// @formatter:off
 		http
 			.authorizeRequests()
-				.antMatchers("/*").permitAll()
+				.requestMatchers(new AntPathRequestMatcher("/*")).permitAll()
 				.and()
 			.authenticationProvider(authenticationProvider());
 		// @formatter:on

config/src/test/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistryAnyMatcherTests.java

@@ -25,8 +25,11 @@ import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RegexRequestMatcher;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
@@ -85,7 +88,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
 			http
 				.authorizeRequests()
 				.anyRequest().authenticated()
-				.antMatchers("/demo/**").permitAll();
+				.requestMatchers(new AntPathRequestMatcher("/demo/**")).permitAll();
 			return http.build();
 			// @formatter:on
 		}
@@ -97,12 +100,12 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
 	static class MvcMatchersAfterAnyRequestConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
 			// @formatter:off
 			http
 				.authorizeRequests()
 				.anyRequest().authenticated()
-				.mvcMatchers("/demo/**").permitAll();
+				.requestMatchers(new MvcRequestMatcher(introspector, "/demo/**")).permitAll();
 			return http.build();
 			// @formatter:on
 		}
@@ -119,7 +122,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
 			http
 				.authorizeRequests()
 				.anyRequest().authenticated()
-				.regexMatchers(".*").permitAll();
+				.requestMatchers(new RegexRequestMatcher(".*", null)).permitAll();
 			return http.build();
 			// @formatter:on
 		}

config/src/test/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistryNoMvcTests.java

@@ -69,16 +69,6 @@ public class AbstractRequestMatcherRegistryNoMvcTests {
 
 	private static class TestRequestMatcherRegistry extends AbstractRequestMatcherRegistry<List<RequestMatcher>> {
 
-		@Override
-		public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
-			return null;
-		}
-
-		@Override
-		public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
-			return null;
-		}
-
 		@Override
 		protected List<RequestMatcher> chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			return requestMatchers;

config/src/test/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistryTests.java

@@ -65,7 +65,8 @@ public class AbstractRequestMatcherRegistryTests {
 
 	@Test
 	public void regexMatchersWhenHttpMethodAndPatternParamsThenReturnRegexRequestMatcherType() {
-		List<RequestMatcher> requestMatchers = this.matcherRegistry.regexMatchers(HttpMethod.GET, "/a.*");
+		List<RequestMatcher> requestMatchers = this.matcherRegistry
+				.requestMatchers(new RegexRequestMatcher("/a.*", HttpMethod.GET.name()));
 		assertThat(requestMatchers).isNotEmpty();
 		assertThat(requestMatchers.size()).isEqualTo(1);
 		assertThat(requestMatchers.get(0)).isExactlyInstanceOf(RegexRequestMatcher.class);
@@ -73,7 +74,8 @@ public class AbstractRequestMatcherRegistryTests {
 
 	@Test
 	public void regexMatchersWhenPatternParamThenReturnRegexRequestMatcherType() {
-		List<RequestMatcher> requestMatchers = this.matcherRegistry.regexMatchers("/a.*");
+		List<RequestMatcher> requestMatchers = this.matcherRegistry
+				.requestMatchers(new RegexRequestMatcher("/a.*", null));
 		assertThat(requestMatchers).isNotEmpty();
 		assertThat(requestMatchers.size()).isEqualTo(1);
 		assertThat(requestMatchers.get(0)).isExactlyInstanceOf(RegexRequestMatcher.class);
@@ -81,7 +83,8 @@ public class AbstractRequestMatcherRegistryTests {
 
 	@Test
 	public void antMatchersWhenHttpMethodAndPatternParamsThenReturnAntPathRequestMatcherType() {
-		List<RequestMatcher> requestMatchers = this.matcherRegistry.antMatchers(HttpMethod.GET, "/a.*");
+		List<RequestMatcher> requestMatchers = this.matcherRegistry
+				.requestMatchers(new AntPathRequestMatcher("/a.*", HttpMethod.GET.name()));
 		assertThat(requestMatchers).isNotEmpty();
 		assertThat(requestMatchers.size()).isEqualTo(1);
 		assertThat(requestMatchers.get(0)).isExactlyInstanceOf(AntPathRequestMatcher.class);
@@ -89,7 +92,7 @@ public class AbstractRequestMatcherRegistryTests {
 
 	@Test
 	public void antMatchersWhenPatternParamThenReturnAntPathRequestMatcherType() {
-		List<RequestMatcher> requestMatchers = this.matcherRegistry.antMatchers("/a.*");
+		List<RequestMatcher> requestMatchers = this.matcherRegistry.requestMatchers(new AntPathRequestMatcher("/a.*"));
 		assertThat(requestMatchers).isNotEmpty();
 		assertThat(requestMatchers.size()).isEqualTo(1);
 		assertThat(requestMatchers.get(0)).isExactlyInstanceOf(AntPathRequestMatcher.class);
@@ -151,16 +154,6 @@ public class AbstractRequestMatcherRegistryTests {
 
 	private static class TestRequestMatcherRegistry extends AbstractRequestMatcherRegistry<List<RequestMatcher>> {
 
-		@Override
-		public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
-			return null;
-		}
-
-		@Override
-		public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
-			return null;
-		}
-
 		@Override
 		protected List<RequestMatcher> chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			return requestMatchers;

config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpConfigurationTests.java

@@ -36,8 +36,10 @@ import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -107,18 +109,19 @@ public class HttpConfigurationTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class RequestMatcherRegistryConfigs {
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.requestMatchers()
+				.securityMatchers()
-					.antMatchers("/api/**")
+					.requestMatchers(new AntPathRequestMatcher("/api/**"))
-					.antMatchers("/oauth/**")
+					.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
 					.and()
 				.authorizeRequests()
-					.antMatchers("/**").hasRole("USER")
+					.anyRequest().hasRole("USER")
 					.and()
 				.httpBasic();
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.java

@@ -62,6 +62,7 @@ import org.springframework.stereotype.Controller;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
@@ -302,6 +303,7 @@ public class NamespaceHttpTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class AccessDeniedPageConfig {
 
 		@Bean
@@ -309,7 +311,7 @@ public class NamespaceHttpTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/admin").hasRole("ADMIN")
+					.requestMatchers("/admin").hasRole("ADMIN")
 					.anyRequest().authenticated()
 					.and()
 				.exceptionHandling()
@@ -385,6 +387,7 @@ public class NamespaceHttpTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class IfRequiredConfig {
 
 		@Bean
@@ -392,7 +395,7 @@ public class NamespaceHttpTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/unsecure").permitAll()
+					.requestMatchers("/unsecure").permitAll()
 					.anyRequest().authenticated()
 					.and()
 				.sessionManagement()
@@ -487,7 +490,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.antMatcher("/api/**");
+				.securityMatcher(new AntPathRequestMatcher("/api/**"));
 			return http.build();
 			// @formatter:on
 		}
@@ -502,7 +505,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.regexMatcher("/regex/.*");
+				.securityMatcher(new RegexRequestMatcher("/regex/.*", null));
 			return http.build();
 			// @formatter:on
 		}
@@ -517,7 +520,7 @@ public class NamespaceHttpTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.requestMatcher(new MyRequestMatcher());
+				.securityMatcher(new MyRequestMatcher());
 			return http.build();
 			// @formatter:on
 		}
@@ -539,7 +542,8 @@ public class NamespaceHttpTests {
 
 		@Bean
 		WebSecurityCustomizer webSecurityCustomizer() {
-			return (web) -> web.ignoring().antMatchers("/resources/**", "/public/**");
+			return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/resources/**"),
+					new AntPathRequestMatcher("/public/**"));
 		}
 
 		@Bean
@@ -625,6 +629,7 @@ public class NamespaceHttpTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class UseExpressionsConfig {
 
 		private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
@@ -636,8 +641,8 @@ public class NamespaceHttpTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/users**", "/sessions/**").hasRole("USER")
+					.requestMatchers("/users**", "/sessions/**").hasRole("USER")
-					.antMatchers("/signup").permitAll()
+					.requestMatchers("/signup").permitAll()
 					.anyRequest().hasRole("USER");
 			this.httpSecurity = http;
 			return http.build();
@@ -659,6 +664,7 @@ public class NamespaceHttpTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class DisableUseExpressionsConfig {
 
 		private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
@@ -670,8 +676,8 @@ public class NamespaceHttpTests {
 			// @formatter:off
 			http
 				.apply(new UrlAuthorizationConfigurer<>(context)).getRegistry()
-					.antMatchers("/users**", "/sessions/**").hasRole("USER")
+					.requestMatchers("/users**", "/sessions/**").hasRole("USER")
-					.antMatchers("/signup").hasRole("ANONYMOUS")
+					.requestMatchers("/signup").hasRole("ANONYMOUS")
 					.anyRequest().hasRole("USER");
 			this.httpSecurity = http;
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java

@@ -40,12 +40,14 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -147,8 +149,8 @@ public class WebSecurityTests {
 	static class MvcMatcherConfig {
 
 		@Bean
-		WebSecurityCustomizer webSecurityCustomizer() {
+		WebSecurityCustomizer webSecurityCustomizer(HandlerMappingIntrospector introspector) {
-			return (web) -> web.ignoring().mvcMatchers("/path");
+			return (web) -> web.ignoring().requestMatchers(new MvcRequestMatcher(introspector, "/path"));
 		}
 
 		@Bean
@@ -185,8 +187,9 @@ public class WebSecurityTests {
 	static class MvcMatcherServletPathConfig {
 
 		@Bean
-		WebSecurityCustomizer webSecurityCustomizer() {
+		WebSecurityCustomizer webSecurityCustomizer(HandlerMappingIntrospector introspector) {
-			return (web) -> web.ignoring().mvcMatchers("/path").servletPath("/spring").mvcMatchers("/notused");
+			MvcRequestMatcher.Builder builder = new MvcRequestMatcher.Builder(introspector).servletPath("/spring");
+			return (web) -> web.ignoring().requestMatchers(builder.pattern("/path")).requestMatchers("/notused");
 		}
 
 		@Bean

config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java

@@ -58,10 +58,12 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.util.ClassUtils;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -346,7 +348,7 @@ public class WebSecurityConfigurationTests {
 		SecurityFilterChain filterChain1(HttpSecurity http) throws Exception {
 			// @formatter:off
 			return http
-					.antMatcher("/role1/**")
+					.securityMatcher(new AntPathRequestMatcher("/role1/**"))
 					.authorizeRequests((authorize) -> authorize
 							.anyRequest().hasRole("1")
 					)
@@ -359,7 +361,7 @@ public class WebSecurityConfigurationTests {
 		SecurityFilterChain filterChain2(HttpSecurity http) throws Exception {
 			// @formatter:off
 			return http
-					.antMatcher("/role2/**")
+					.securityMatcher(new AntPathRequestMatcher("/role2/**"))
 					.authorizeRequests((authorize) -> authorize
 							.anyRequest().hasRole("2")
 					)
@@ -372,7 +374,7 @@ public class WebSecurityConfigurationTests {
 		SecurityFilterChain filterChain3(HttpSecurity http) throws Exception {
 			// @formatter:off
 			return http
-					.antMatcher("/role3/**")
+					.securityMatcher(new AntPathRequestMatcher("/role3/**"))
 					.authorizeRequests((authorize) -> authorize
 							.anyRequest().hasRole("3")
 					)
@@ -403,7 +405,7 @@ public class WebSecurityConfigurationTests {
 		SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
 			// @formatter:off
 			return http
-					.antMatcher("/role1/**")
+					.securityMatcher(new AntPathRequestMatcher("/role1/**"))
 					.authorizeRequests((authorize) -> authorize
 							.anyRequest().hasRole("1")
 					)
@@ -634,31 +636,33 @@ public class WebSecurityConfigurationTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	@Import(AuthenticationTestConfiguration.class)
 	static class WebSecurityCustomizerConfig {
 
 		@Bean
 		public WebSecurityCustomizer webSecurityCustomizer() {
-			return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
+			return (web) -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
 		}
 
 	}
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	@Import(AuthenticationTestConfiguration.class)
 	static class CustomizerAndFilterChainConfig {
 
 		@Bean
 		public WebSecurityCustomizer webSecurityCustomizer() {
-			return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
+			return (web) -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
 		}
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			return http
-					.antMatcher("/role1/**")
+					.securityMatcher(new AntPathRequestMatcher("/role1/**"))
 					.authorizeRequests((authorize) -> authorize
 							.anyRequest().hasRole("1")
 					)
@@ -670,19 +674,20 @@ public class WebSecurityConfigurationTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	@Import(AuthenticationTestConfiguration.class)
 	static class OrderedCustomizerConfig {
 
 		@Order(1)
 		@Bean
 		public WebSecurityCustomizer webSecurityCustomizer1() {
-			return (web) -> web.ignoring().antMatchers("/ignore1");
+			return (web) -> web.ignoring().requestMatchers("/ignore1");
 		}
 
 		@Order(2)
 		@Bean
 		public WebSecurityCustomizer webSecurityCustomizer2() {
-			return (web) -> web.ignoring().antMatchers("/ignore2");
+			return (web) -> web.ignoring().requestMatchers("/ignore2");
 		}
 
 	}
@@ -696,7 +701,7 @@ public class WebSecurityConfigurationTests {
 		public SecurityFilterChain path1(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.requestMatchers((requests) -> requests.antMatchers("/path1/**"))
+				.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/path1/**")))
 				.authorizeRequests((requests) -> requests.anyRequest().authenticated());
 			// @formatter:on
 			return http.build();
@@ -720,7 +725,7 @@ public class WebSecurityConfigurationTests {
 		public SecurityFilterChain path1(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.requestMatchers((requests) -> requests.antMatchers("/path1/**"))
+					.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/path1/**")))
 					.authorizeRequests((requests) -> requests.anyRequest().authenticated());
 			// @formatter:on
 			return http.build();
@@ -745,7 +750,7 @@ public class WebSecurityConfigurationTests {
 		public SecurityFilterChain notAuthorized(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.requestMatchers((requests) -> requests.antMatchers("/user"))
+				.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/user")))
 				.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
 			// @formatter:on
 			return http.build();
@@ -756,7 +761,7 @@ public class WebSecurityConfigurationTests {
 		public SecurityFilterChain path1(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.requestMatchers((requests) -> requests.antMatchers("/admin"))
+				.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/admin")))
 				.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
 			// @formatter:on
 			return http.build();
@@ -773,12 +778,13 @@ public class WebSecurityConfigurationTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	@Import(AuthenticationTestConfiguration.class)
 	static class MultipleSecurityFilterChainIgnoringConfig {
 
 		@Bean
 		public WebSecurityCustomizer webSecurityCustomizer() {
-			return (web) -> web.ignoring().antMatchers("/ignoring1/**");
+			return (web) -> web.ignoring().requestMatchers("/ignoring1/**");
 		}
 
 		@Bean
@@ -786,7 +792,7 @@ public class WebSecurityConfigurationTests {
 		public SecurityFilterChain notAuthorized(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.requestMatchers((requests) -> requests.antMatchers("/user"))
+					.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/user")))
 					.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
 			// @formatter:on
 			return http.build();
@@ -797,7 +803,7 @@ public class WebSecurityConfigurationTests {
 		public SecurityFilterChain admin(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.requestMatchers((requests) -> requests.antMatchers("/admin"))
+					.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/admin")))
 					.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
 			// @formatter:on
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistryTests.java

@@ -22,7 +22,6 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.http.HttpMethod;
-import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RegexRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -40,7 +39,8 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
 
 	@Test
 	public void testGetRequestMatcherIsTypeRegexMatcher() {
-		List<RequestMatcher> requestMatchers = this.registry.regexMatchers(HttpMethod.GET, "/a.*");
+		List<RequestMatcher> requestMatchers = this.registry
+				.requestMatchers(new RegexRequestMatcher("/a.*", HttpMethod.GET.name()));
 		for (RequestMatcher requestMatcher : requestMatchers) {
 			assertThat(requestMatcher).isInstanceOf(RegexRequestMatcher.class);
 		}
@@ -48,7 +48,7 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
 
 	@Test
 	public void testRequestMatcherIsTypeRegexMatcher() {
-		List<RequestMatcher> requestMatchers = this.registry.regexMatchers("/a.*");
+		List<RequestMatcher> requestMatchers = this.registry.requestMatchers(new RegexRequestMatcher("/a.*", null));
 		for (RequestMatcher requestMatcher : requestMatchers) {
 			assertThat(requestMatcher).isInstanceOf(RegexRequestMatcher.class);
 		}
@@ -56,7 +56,8 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
 
 	@Test
 	public void testGetRequestMatcherIsTypeAntPathRequestMatcher() {
-		List<RequestMatcher> requestMatchers = this.registry.antMatchers(HttpMethod.GET, "/a.*");
+		List<RequestMatcher> requestMatchers = this.registry
+				.requestMatchers(new AntPathRequestMatcher("/a.*", HttpMethod.GET.name()));
 		for (RequestMatcher requestMatcher : requestMatchers) {
 			assertThat(requestMatcher).isInstanceOf(AntPathRequestMatcher.class);
 		}
@@ -64,7 +65,7 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
 
 	@Test
 	public void testRequestMatcherIsTypeAntPathRequestMatcher() {
-		List<RequestMatcher> requestMatchers = this.registry.antMatchers("/a.*");
+		List<RequestMatcher> requestMatchers = this.registry.requestMatchers(new AntPathRequestMatcher("/a.*"));
 		for (RequestMatcher requestMatcher : requestMatchers) {
 			assertThat(requestMatcher).isInstanceOf(AntPathRequestMatcher.class);
 		}
@@ -73,25 +74,11 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
 	static class ConcreteAbstractRequestMatcherMappingConfigurer
 			extends AbstractConfigAttributeRequestMatcherRegistry<List<RequestMatcher>> {
 
-		List<AccessDecisionVoter> decisionVoters() {
-			return null;
-		}
-
 		@Override
 		protected List<RequestMatcher> chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
 			return requestMatchers;
 		}
 
-		@Override
-		public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
-			return null;
-		}
-
-		@Override
-		public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
-			return null;
-		}
-
 	}
 
 }

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java

@@ -46,6 +46,7 @@ import org.springframework.security.web.access.expression.WebExpressionAuthoriza
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
 import org.springframework.test.web.servlet.request.RequestPostProcessor;
@@ -55,6 +56,7 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.Mockito.any;
@@ -615,7 +617,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
 			return http
 					.authorizeHttpRequests((requests) -> requests
 						.anyRequest().authenticated()
-						.mvcMatchers("/path").hasRole("USER")
+						.requestMatchers("/path").hasRole("USER")
 					)
 					.build();
 			// @formatter:on
@@ -847,11 +849,13 @@ public class AuthorizeHttpRequestsConfigurerTests {
 	static class ServletPathConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
+			MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
+					.servletPath("/spring");
 			// @formatter:off
 			return http
 					.authorizeHttpRequests((requests) -> requests
-						.mvcMatchers("/").servletPath("/spring").hasRole("ADMIN")
+						.requestMatchers(mvcMatcherBuilder.pattern("/")).hasRole("ADMIN")
 					)
 					.build();
 			// @formatter:on
@@ -940,7 +944,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
 			http
 				.httpBasic(withDefaults())
 				.authorizeHttpRequests((requests) -> requests
-					.mvcMatchers("/user/{username}").access(new WebExpressionAuthorizationManager("#username == 'user'"))
+					.requestMatchers("/user/{username}").access(new WebExpressionAuthorizationManager("#username == 'user'"))
 				);
 			// @formatter:on
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java

@@ -42,6 +42,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -49,6 +50,7 @@ import org.springframework.web.context.support.AnnotationConfigWebApplicationCon
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.spy;
@@ -289,7 +291,7 @@ public class AuthorizeRequestsTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers(HttpMethod.POST).denyAll();
+					.requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.POST.name())).denyAll();
 			// @formatter:on
 			return http.build();
 		}
@@ -311,7 +313,7 @@ public class AuthorizeRequestsTests {
 			http
 				.authorizeRequests((authorizeRequests) ->
 					authorizeRequests
-						.antMatchers(HttpMethod.POST).denyAll()
+						.requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.POST.name())).denyAll()
 				);
 			// @formatter:on
 			return http.build();
@@ -407,7 +409,7 @@ public class AuthorizeRequestsTests {
 			http
 				.httpBasic().and()
 				.authorizeRequests()
-					.mvcMatchers("/path").denyAll();
+					.requestMatchers("/path").denyAll();
 			// @formatter:on
 			return http.build();
 		}
@@ -441,7 +443,7 @@ public class AuthorizeRequestsTests {
 				.httpBasic(withDefaults())
 				.authorizeRequests((authorizeRequests) ->
 					authorizeRequests
-						.mvcMatchers("/path").denyAll()
+						.requestMatchers("/path").denyAll()
 				);
 			// @formatter:on
 			return http.build();
@@ -470,12 +472,14 @@ public class AuthorizeRequestsTests {
 	static class MvcMatcherServletPathConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
+			MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
+					.servletPath("/spring");
 			// @formatter:off
 			http
 				.httpBasic().and()
 				.authorizeRequests()
-					.mvcMatchers("/path").servletPath("/spring").denyAll();
+					.requestMatchers(mvcMatcherBuilder.pattern("/path")).denyAll();
 			// @formatter:on
 			return http.build();
 		}
@@ -503,13 +507,15 @@ public class AuthorizeRequestsTests {
 	static class MvcMatcherServletPathInLambdaConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
+			MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
+					.servletPath("/spring");
 			// @formatter:off
 			http
 				.httpBasic(withDefaults())
 				.authorizeRequests((authorizeRequests) ->
 					authorizeRequests
-						.mvcMatchers("/path").servletPath("/spring").denyAll()
+						.requestMatchers(mvcMatcherBuilder.pattern("/path")).denyAll()
 				);
 			// @formatter:on
 			return http.build();
@@ -543,7 +549,7 @@ public class AuthorizeRequestsTests {
 			http
 				.httpBasic().and()
 				.authorizeRequests()
-					.mvcMatchers("/user/{userName}").access("#userName == 'user'");
+					.requestMatchers("/user/{userName}").access("#userName == 'user'");
 			// @formatter:on
 			return http.build();
 		}
@@ -577,7 +583,7 @@ public class AuthorizeRequestsTests {
 				.httpBasic(withDefaults())
 				.authorizeRequests((authorizeRequests) ->
 					authorizeRequests
-						.mvcMatchers("/user/{userName}").access("#userName == 'user'")
+						.requestMatchers("/user/{userName}").access("#userName == 'user'")
 				);
 			// @formatter:on
 			return http.build();
@@ -611,7 +617,7 @@ public class AuthorizeRequestsTests {
 			http
 				.httpBasic().and()
 				.authorizeRequests()
-					.mvcMatchers("/user").denyAll();
+					.requestMatchers("/user").denyAll();
 			// @formatter:on
 			return http.build();
 		}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurerTests.java

@@ -243,11 +243,11 @@ public class ChannelSecurityConfigurerTests {
 					.portMapper(new PortMapperImpl())
 					.and()
 				.requiresChannel()
-					.mvcMatchers("/test-1")
+					.requestMatchers("/test-1")
 						.requiresSecure()
-					.mvcMatchers("/test-2")
+					.requestMatchers("/test-2")
 						.requiresSecure()
-					.mvcMatchers("/test-3")
+					.requestMatchers("/test-3")
 						.requiresSecure()
 					.anyRequest()
 						.requiresInsecure();
@@ -271,11 +271,11 @@ public class ChannelSecurityConfigurerTests {
 					.portMapper(new PortMapperImpl())
 				)
 				.requiresChannel((channel) -> channel
-					.mvcMatchers("/test-1")
+					.requestMatchers("/test-1")
 						.requiresSecure()
-					.mvcMatchers("/test-2")
+					.requestMatchers("/test-2")
 						.requiresSecure()
-					.mvcMatchers("/test-3")
+					.requestMatchers("/test-3")
 						.requiresSecure()
 					.anyRequest()
 						.requiresInsecure()

config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerIgnoringRequestMatchersTests.java

@@ -119,6 +119,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class IgnoringRequestInLambdaMatchers {
 
 		RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod());
@@ -149,7 +150,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
 			// @formatter:off
 			http
 				.csrf()
-					.ignoringAntMatchers("/no-csrf")
+					.ignoringRequestMatchers(new AntPathRequestMatcher("/no-csrf"))
 					.ignoringRequestMatchers(this.requestMatcher);
 			return http.build();
 			// @formatter:on
@@ -159,6 +160,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class IgnoringPathsAndMatchersInLambdaConfig {
 
 		RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod());
@@ -169,7 +171,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
 			http
 				.csrf((csrf) ->
 					csrf
-						.ignoringAntMatchers("/no-csrf")
+						.ignoringRequestMatchers(new AntPathRequestMatcher("/no-csrf"))
 						.ignoringRequestMatchers(this.requestMatcher)
 				);
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java

@@ -57,6 +57,7 @@ import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -163,11 +164,12 @@ public class DefaultFiltersTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class FilterChainProxyBuilderIgnoringConfig {
 
 		@Bean
 		WebSecurityCustomizer webSecurityCustomizer() {
-			return (web) -> web.ignoring().antMatchers("/resources/**");
+			return (web) -> web.ignoring().requestMatchers("/resources/**");
 		}
 
 		@Bean

config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurerTests.java

@@ -63,6 +63,7 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -611,6 +612,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class IncompleteMappingConfig {
 
 		@Bean
@@ -618,7 +620,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/a").authenticated()
+					.requestMatchers("/a").authenticated()
 					.anyRequest();
 			return http.build();
 			// @formatter:on
@@ -965,6 +967,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class AllPropertiesWorkConfig {
 
 		@Bean
@@ -978,7 +981,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 					.expressionHandler(handler)
 					.accessDecisionManager(adm)
 					.filterSecurityInterceptorOncePerRequest(true)
-					.antMatchers("/a", "/b").hasRole("ADMIN")
+					.requestMatchers("/a", "/b").hasRole("ADMIN")
 					.anyRequest().permitAll()
 					.and()
 				.formLogin();
@@ -1034,6 +1037,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class UseBeansInExpressions {
 
 		@Bean
@@ -1041,9 +1045,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/admin").hasRole("ADMIN")
+					.requestMatchers("/admin").hasRole("ADMIN")
-					.antMatchers("/user").hasRole("USER")
+					.requestMatchers("/user").hasRole("USER")
-					.antMatchers("/allow").access("@permission.check(authentication,'user')")
+					.requestMatchers("/allow").access("@permission.check(authentication,'user')")
 					.anyRequest().access("@permission.check(authentication,'admin')");
 			return http.build();
 			// @formatter:on
@@ -1066,6 +1070,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class CustomExpressionRootConfig {
 
 		@Bean
@@ -1074,9 +1079,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			http
 				.authorizeRequests()
 					.expressionHandler(expressionHandler())
-					.antMatchers("/admin").hasRole("ADMIN")
+					.requestMatchers("/admin").hasRole("ADMIN")
-					.antMatchers("/user").hasRole("USER")
+					.requestMatchers("/user").hasRole("USER")
-					.antMatchers("/allow").access("check('user')")
+					.requestMatchers("/allow").access("check('user')")
 					.anyRequest().access("check('admin')");
 			return http.build();
 			// @formatter:on
@@ -1146,6 +1151,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class PermissionEvaluatorConfig {
 
 		@Bean
@@ -1153,10 +1159,10 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/allow").access("hasPermission('ID', 'TYPE', 'PERMISSION')")
+					.requestMatchers("/allow").access("hasPermission('ID', 'TYPE', 'PERMISSION')")
-					.antMatchers("/allowObject").access("hasPermission('TESTOBJ', 'PERMISSION')")
+					.requestMatchers("/allowObject").access("hasPermission('TESTOBJ', 'PERMISSION')")
-					.antMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')")
+					.requestMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')")
-					.antMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')")
+					.requestMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')")
 					.anyRequest().permitAll();
 			return http.build();
 			// @formatter:on
@@ -1183,6 +1189,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class RoleHierarchyConfig {
 
 		@Bean
@@ -1190,8 +1197,8 @@ public class ExpressionUrlAuthorizationConfigurerTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/allow").access("hasRole('MEMBER')")
+					.requestMatchers("/allow").access("hasRole('MEMBER')")
-					.antMatchers("/deny").access("hasRole('ADMIN')")
+					.requestMatchers("/deny").access("hasRole('ADMIN')")
 					.anyRequest().permitAll();
 			return http.build();
 			// @formatter:on

config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java

@@ -45,6 +45,7 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
@@ -409,11 +410,12 @@ public class FormLoginConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class FormLoginConfig {
 
 		@Bean
 		WebSecurityCustomizer webSecurityCustomizer() {
-			return (web) -> web.ignoring().antMatchers("/resources/**");
+			return (web) -> web.ignoring().requestMatchers("/resources/**");
 		}
 
 		@Bean

config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityAntMatchersTests.java

@@ -1,146 +0,0 @@
-/*
- * Copyright 2002-2022 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config.annotation.web.configurers;
-
-import jakarta.servlet.http.HttpServletResponse;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.http.HttpMethod;
-import org.springframework.mock.web.MockFilterChain;
-import org.springframework.mock.web.MockHttpServletRequest;
-import org.springframework.mock.web.MockHttpServletResponse;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
-import org.springframework.security.web.FilterChainProxy;
-import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-/**
- * @author Rob Winch
- *
- */
-public class HttpSecurityAntMatchersTests {
-
-	AnnotationConfigWebApplicationContext context;
-
-	MockHttpServletRequest request;
-
-	MockHttpServletResponse response;
-
-	MockFilterChain chain;
-
-	@Autowired
-	FilterChainProxy springSecurityFilterChain;
-
-	@BeforeEach
-	public void setup() {
-		this.request = new MockHttpServletRequest("GET", "");
-		this.response = new MockHttpServletResponse();
-		this.chain = new MockFilterChain();
-	}
-
-	@AfterEach
-	public void cleanup() {
-		if (this.context != null) {
-			this.context.close();
-		}
-	}
-
-	// SEC-3135
-	@Test
-	public void antMatchersMethodAndNoPatterns() throws Exception {
-		loadConfig(AntMatchersNoPatternsConfig.class);
-		this.request.setMethod("POST");
-		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
-		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
-	}
-
-	// SEC-3135
-	@Test
-	public void antMatchersMethodAndEmptyPatterns() throws Exception {
-		loadConfig(AntMatchersEmptyPatternsConfig.class);
-		this.request.setMethod("POST");
-		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
-		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
-	}
-
-	public void loadConfig(Class<?>... configs) {
-		this.context = new AnnotationConfigWebApplicationContext();
-		this.context.register(configs);
-		this.context.refresh();
-		this.context.getAutowireCapableBeanFactory().autowireBean(this);
-	}
-
-	@EnableWebSecurity
-	@Configuration
-	static class AntMatchersNoPatternsConfig {
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			// @formatter:off
-			http
-				.requestMatchers()
-					.antMatchers(HttpMethod.POST)
-					.and()
-				.authorizeRequests()
-					.anyRequest().denyAll();
-			// @formatter:on
-			return http.build();
-		}
-
-		@Bean
-		UserDetailsService userDetailsService() {
-			return new InMemoryUserDetailsManager();
-		}
-
-	}
-
-	@EnableWebSecurity
-	@Configuration
-	static class AntMatchersEmptyPatternsConfig {
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			// @formatter:off
-			http
-				.requestMatchers()
-					.antMatchers("/never/")
-					.antMatchers(HttpMethod.POST, new String[0])
-					.and()
-				.authorizeRequests()
-					.anyRequest().denyAll();
-			// @formatter:on
-			return http.build();
-		}
-
-		@Bean
-		UserDetailsService userDetailsService() {
-			return new InMemoryUserDetailsManager();
-		}
-
-	}
-
-}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java

@@ -36,12 +36,14 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.security.config.Customizer.withDefaults;
@@ -217,13 +219,14 @@ public class HttpSecurityRequestMatchersTests {
 
 		@Bean
 		@Order(Ordered.HIGHEST_PRECEDENCE)
-		SecurityFilterChain first(HttpSecurity http) throws Exception {
+		SecurityFilterChain first(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
+			MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
 			// @formatter:off
 			http
-				.requestMatchers((requests) -> requests
+				.securityMatchers((requests) -> requests
-					.mvcMatchers("/test-1")
+					.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
-					.mvcMatchers("/test-2")
+					.requestMatchers(mvcMatcherBuilder.pattern("/test-2"))
-					.mvcMatchers("/test-3")
+					.requestMatchers(mvcMatcherBuilder.pattern("/test-3"))
 				)
 				.authorizeRequests((authorize) -> authorize.anyRequest().denyAll())
 				.httpBasic(withDefaults());
@@ -232,11 +235,12 @@ public class HttpSecurityRequestMatchersTests {
 		}
 
 		@Bean
-		SecurityFilterChain second(HttpSecurity http) throws Exception {
+		SecurityFilterChain second(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
+			MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
 			// @formatter:off
 			http
-				.requestMatchers((requests) -> requests
+				.securityMatchers((requests) -> requests
-					.mvcMatchers("/test-1")
+					.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
 				)
 				.authorizeRequests((authorize) -> authorize
 					.anyRequest().permitAll()
@@ -264,13 +268,14 @@ public class HttpSecurityRequestMatchersTests {
 
 		@Bean
 		@Order(Ordered.HIGHEST_PRECEDENCE)
-		SecurityFilterChain first(HttpSecurity http) throws Exception {
+		SecurityFilterChain first(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
+			MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
 			// @formatter:off
 			http
-				.requestMatchers()
+				.securityMatchers()
-					.mvcMatchers("/test-1")
+					.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
-					.mvcMatchers("/test-2")
+					.requestMatchers(mvcMatcherBuilder.pattern("/test-2"))
-					.mvcMatchers("/test-3")
+					.requestMatchers(mvcMatcherBuilder.pattern("/test-3"))
 					.and()
 				.authorizeRequests()
 					.anyRequest().denyAll()
@@ -281,11 +286,12 @@ public class HttpSecurityRequestMatchersTests {
 		}
 
 		@Bean
-		SecurityFilterChain second(HttpSecurity http) throws Exception {
+		SecurityFilterChain second(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
+			MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
 			// @formatter:off
 			http
-				.requestMatchers()
+				.securityMatchers()
-					.mvcMatchers("/test-1")
+					.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
 					.and()
 				.authorizeRequests()
 					.anyRequest().permitAll();
@@ -311,10 +317,10 @@ public class HttpSecurityRequestMatchersTests {
 	static class MvcMatcherConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
 			// @formatter:off
 			http
-				.mvcMatcher("/path")
+				.securityMatcher(new MvcRequestMatcher(introspector, "/path"))
 				.httpBasic().and()
 				.authorizeRequests()
 					.anyRequest().denyAll();
@@ -345,11 +351,11 @@ public class HttpSecurityRequestMatchersTests {
 	static class RequestMatchersMvcMatcherConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
 			// @formatter:off
 			http
-				.requestMatchers()
+				.securityMatchers()
-					.mvcMatchers("/path")
+					.requestMatchers(new MvcRequestMatcher(introspector, "/path"))
 					.and()
 				.httpBasic().and()
 				.authorizeRequests()
@@ -381,12 +387,12 @@ public class HttpSecurityRequestMatchersTests {
 	static class RequestMatchersMvcMatcherInLambdaConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
 			// @formatter:off
 			http
-				.requestMatchers((requestMatchers) ->
+				.securityMatchers((matchers) ->
-					requestMatchers
+					matchers
-						.mvcMatchers("/path")
+						.requestMatchers(new MvcRequestMatcher(introspector, "/path"))
 				)
 				.httpBasic(withDefaults())
 				.authorizeRequests((authorizeRequests) ->
@@ -415,12 +421,14 @@ public class HttpSecurityRequestMatchersTests {
 	static class RequestMatchersMvcMatcherServeltPathConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
+			MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
+			mvcMatcherBuilder.servletPath("/spring");
 			// @formatter:off
 			http
-				.requestMatchers()
+				.securityMatchers()
-					.mvcMatchers("/path").servletPath("/spring")
+					.requestMatchers(mvcMatcherBuilder.pattern("/path"))
-					.mvcMatchers("/never-match")
+					.requestMatchers("/never-match")
 					.and()
 				.httpBasic().and()
 				.authorizeRequests()
@@ -452,13 +460,15 @@ public class HttpSecurityRequestMatchersTests {
 	static class RequestMatchersMvcMatcherServletPathInLambdaConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
+			MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
+			mvcMatcherBuilder.servletPath("/spring");
 			// @formatter:off
 			http
-				.requestMatchers((requestMatchers) ->
+				.securityMatchers((matchers) ->
-					requestMatchers
+					matchers
-						.mvcMatchers("/path").servletPath("/spring")
+						.requestMatchers(mvcMatcherBuilder.pattern("/path"))
-						.mvcMatchers("/never-match")
+						.requestMatchers("/never-match")
 				)
 				.httpBasic(withDefaults())
 				.authorizeRequests((authorizeRequests) ->

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpAnonymousTests.java

@@ -38,6 +38,7 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
@@ -91,6 +92,7 @@ public class NamespaceHttpAnonymousTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class AnonymousConfig {
 
 		@Bean
@@ -98,7 +100,7 @@ public class NamespaceHttpAnonymousTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/type").anonymous()
+					.requestMatchers("/type").anonymous()
 					.anyRequest().denyAll();
 			return http.build();
 			// @formatter:on
@@ -131,6 +133,7 @@ public class NamespaceHttpAnonymousTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class AnonymousGrantedAuthorityConfig {
 
 		@Bean
@@ -138,7 +141,7 @@ public class NamespaceHttpAnonymousTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/type").hasRole("ANON")
+					.requestMatchers("/type").hasRole("ANON")
 					.anyRequest().denyAll()
 					.and()
 				.anonymous()
@@ -151,6 +154,7 @@ public class NamespaceHttpAnonymousTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class AnonymousKeyConfig {
 
 		@Bean
@@ -158,7 +162,7 @@ public class NamespaceHttpAnonymousTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/key").anonymous()
+					.requestMatchers("/key").anonymous()
 					.anyRequest().denyAll()
 					.and()
 				.anonymous().key("AnonymousKeyConfig");
@@ -170,6 +174,7 @@ public class NamespaceHttpAnonymousTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class AnonymousUsernameConfig {
 
 		@Bean
@@ -177,7 +182,7 @@ public class NamespaceHttpAnonymousTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/principal").anonymous()
+					.requestMatchers("/principal").anonymous()
 					.anyRequest().denyAll()
 					.and()
 				.anonymous().principal("AnonymousUsernameConfig");

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java

@@ -37,6 +37,7 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationFa
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.spy;
@@ -111,11 +112,12 @@ public class NamespaceHttpFormLoginTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class FormLoginConfig {
 
 		@Bean
 		WebSecurityCustomizer webSecurityCustomizer() {
-			return (web) -> web.ignoring().antMatchers("/resources/**");
+			return (web) -> web.ignoring().requestMatchers("/resources/**");
 		}
 
 		@Bean

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpInterceptUrlTests.java

@@ -39,6 +39,7 @@ import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilde
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
@@ -110,25 +111,26 @@ public class NamespaceHttpInterceptUrlTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class HttpInterceptUrlConfig {
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests().antMatchers(
+				.authorizeRequests().requestMatchers(
 					// the line below is similar to intercept-url@pattern:
 					//    <intercept-url pattern="/users**" access="hasRole('ROLE_ADMIN')"/>
 					//" access="hasRole('ROLE_ADMIN')"/>
-"/users**", "/sessions/**").hasRole("ADMIN").antMatchers(
+"/users**", "/sessions/**").hasRole("ADMIN").requestMatchers(
 					// the line below is similar to intercept-url@method:
 					//    <intercept-url pattern="/admin/post" access="hasRole('ROLE_ADMIN')" method="POST"/>
 					//" access="hasRole('ROLE_ADMIN')" method="POST"/>
 HttpMethod.POST, "/admin/post", "/admin/another-post/**").hasRole("ADMIN")
-					.antMatchers("/signup").permitAll()
+					.requestMatchers("/signup").permitAll()
 					.anyRequest().hasRole("USER")
 					.and()
-				.requiresChannel().antMatchers("/login", "/secured/**")
+				.requiresChannel().requestMatchers("/login", "/secured/**")
 					// NOTE: channel security is configured separately of authorization (i.e. intercept-url@access
 					// the line below is similar to intercept-url@requires-channel="https":
 					//    <intercept-url pattern="/login" requires-channel="https"/>

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpPortMappingsTests.java

@@ -31,6 +31,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
@@ -62,6 +63,7 @@ public class NamespaceHttpPortMappingsTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class HttpInterceptUrlWithPortMapperConfig {
 
 		@Bean
@@ -75,7 +77,7 @@ public class NamespaceHttpPortMappingsTests {
 					.http(9080).mapsTo(9443)
 					.and()
 				.requiresChannel()
-					.antMatchers("/login", "/secured/**").requiresSecure()
+					.requestMatchers("/login", "/secured/**").requiresSecure()
 					.anyRequest().requiresInsecure();
 			// @formatter:on
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.java

@@ -43,6 +43,7 @@ import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken;
 import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
@@ -351,7 +352,7 @@ public class NamespaceRememberMeTests {
 		SecurityFilterChain withoutKeyFilterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.antMatcher("/without-key/**")
+				.securityMatcher(new AntPathRequestMatcher("/without-key/**"))
 				.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated())
 				.formLogin()
 					.loginProcessingUrl("/without-key/login")

config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestMatcherConfigurerTests.java

@@ -27,6 +27,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.test.web.servlet.MockMvc;
 
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -77,11 +78,11 @@ public class RequestMatcherConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.requestMatchers()
+				.securityMatchers()
-					.antMatchers("/api/**")
+					.requestMatchers(new AntPathRequestMatcher("/api/**"))
 					.and()
-				.requestMatchers()
+				.securityMatchers()
-					.antMatchers("/oauth/**")
+					.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
 					.and()
 				.authorizeRequests()
 					.anyRequest().denyAll();
@@ -99,13 +100,13 @@ public class RequestMatcherConfigurerTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.requestMatchers((requestMatchers) ->
+				.securityMatchers((matchers) ->
-					requestMatchers
+					matchers
-						.antMatchers("/api/**")
+						.requestMatchers(new AntPathRequestMatcher("/api/**"))
 				)
-				.requestMatchers((requestMatchers) ->
+				.securityMatchers((matchers) ->
-					requestMatchers
+					matchers
-						.antMatchers("/oauth/**")
+						.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
 				)
 				.authorizeRequests((authorizeRequests) ->
 					authorizeRequests

config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java

@@ -41,12 +41,14 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -176,12 +178,13 @@ public class UrlAuthorizationConfigurerTests {
 	static class MvcMatcherConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context,
+				HandlerMappingIntrospector introspector) throws Exception {
 			// @formatter:off
 			http
 				.httpBasic().and()
 				.apply(new UrlAuthorizationConfigurer(context)).getRegistry()
-					.mvcMatchers("/path").hasRole("ADMIN");
+					.requestMatchers(new MvcRequestMatcher(introspector, "/path")).hasRole("ADMIN");
 			// @formatter:on
 			return http.build();
 		}
@@ -209,12 +212,15 @@ public class UrlAuthorizationConfigurerTests {
 	static class MvcMatcherServletPathConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context,
+				HandlerMappingIntrospector introspector) throws Exception {
+			MvcRequestMatcher mvcRequestMatcher = new MvcRequestMatcher(introspector, "/path");
+			mvcRequestMatcher.setServletPath("/spring");
 			// @formatter:off
 			http
 				.httpBasic().and()
 				.apply(new UrlAuthorizationConfigurer(context)).getRegistry()
-					.mvcMatchers("/path").servletPath("/spring").hasRole("ADMIN");
+					.requestMatchers(mvcRequestMatcher).hasRole("ADMIN");
 			// @formatter:on
 			return http.build();
 		}
@@ -274,9 +280,9 @@ public class UrlAuthorizationConfigurerTests {
 			http
 					.httpBasic(Customizer.withDefaults())
 					.apply(new UrlAuthorizationConfigurer<>(context)).getRegistry()
-						.mvcMatchers("/test-1").hasRole("ADMIN")
+						.requestMatchers("/test-1").hasRole("ADMIN")
-						.mvcMatchers("/test-2").hasRole("ADMIN")
+						.requestMatchers("/test-2").hasRole("ADMIN")
-						.mvcMatchers("/test-3").hasRole("ADMIN")
+						.requestMatchers("/test-3").hasRole("ADMIN")
 						.anyRequest().hasRole("USER");
 			// @formatter:on
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationsTests.java

@@ -38,6 +38,7 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -133,6 +134,7 @@ public class UrlAuthorizationsTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class RoleConfig {
 
 		@Bean
@@ -140,12 +142,12 @@ public class UrlAuthorizationsTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/role-user-authority").hasAnyAuthority("ROLE_USER")
+					.requestMatchers("/role-user-authority").hasAnyAuthority("ROLE_USER")
-					.antMatchers("/role-admin-authority").hasAnyAuthority("ROLE_ADMIN")
+					.requestMatchers("/role-admin-authority").hasAnyAuthority("ROLE_ADMIN")
-					.antMatchers("/role-user-admin-authority").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
+					.requestMatchers("/role-user-admin-authority").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
-					.antMatchers("/role-user").hasAnyRole("USER")
+					.requestMatchers("/role-user").hasAnyRole("USER")
-					.antMatchers("/role-admin").hasAnyRole("ADMIN")
+					.requestMatchers("/role-admin").hasAnyRole("ADMIN")
-					.antMatchers("/role-user-admin").hasAnyRole("USER", "ADMIN");
+					.requestMatchers("/role-user-admin").hasAnyRole("USER", "ADMIN");
 			return http.build();
 			// @formatter:on
 		}
@@ -154,6 +156,7 @@ public class UrlAuthorizationsTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class NoSpecificAccessDecisionManagerConfig {
 
 		@Bean
@@ -162,7 +165,7 @@ public class UrlAuthorizationsTests {
 					.apply(new UrlAuthorizationConfigurer(context)).getRegistry();
 			// @formatter:off
 			registry
-					.antMatchers("/a").hasRole("ADMIN")
+					.requestMatchers("/a").hasRole("ADMIN")
 					.anyRequest().hasRole("USER");
 			return http.build();
 			// @formatter:on

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -147,6 +147,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.client.RestOperations;
 import org.springframework.web.context.support.GenericWebApplicationContext;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -1494,6 +1495,7 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class DefaultConfig {
 
 		@Bean
@@ -1501,7 +1503,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
+					.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
 					.anyRequest().authenticated()
 					.and()
 				.oauth2ResourceServer()
@@ -1514,6 +1516,7 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class DefaultInLambdaConfig {
 
 		@Bean
@@ -1522,7 +1525,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			http
 				.authorizeRequests((authorizeRequests) ->
 					authorizeRequests
-						.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
+						.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
 						.anyRequest().authenticated()
 				)
 				.oauth2ResourceServer((oauth2ResourceServer) ->
@@ -1537,6 +1540,7 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class JwkSetUriConfig {
 
 		@Value("${mockwebserver.url:https://example.org}")
@@ -1547,7 +1551,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
+					.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
 					.anyRequest().authenticated()
 					.and()
 				.oauth2ResourceServer()
@@ -1561,6 +1565,7 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class JwkSetUriInLambdaConfig {
 
 		@Value("${mockwebserver.url:https://example.org}")
@@ -1572,7 +1577,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			http
 				.authorizeRequests((authorizeRequests) ->
 					authorizeRequests
-						.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
+						.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
 						.anyRequest().authenticated()
 				)
 				.oauth2ResourceServer((oauth2ResourceServer) ->
@@ -1590,6 +1595,7 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class CsrfDisabledConfig {
 
 		@Value("${mockwebserver.url:https://example.org}")
@@ -1600,7 +1606,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
+					.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
 					.anyRequest().authenticated()
 					.and()
 				.csrf().disable()
@@ -1787,6 +1793,7 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class CustomAuthorityMappingConfig {
 
 		@Bean
@@ -1794,7 +1801,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/requires-read-scope").access("hasAuthority('message:read')")
+					.requestMatchers("/requires-read-scope").access("hasAuthority('message:read')")
 					.and()
 				.oauth2ResourceServer()
 					.jwt()
@@ -2326,6 +2333,7 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class OpaqueTokenConfig {
 
 		@Bean
@@ -2333,7 +2341,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
+					.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 					.anyRequest().authenticated()
 					.and()
 				.oauth2ResourceServer()
@@ -2346,6 +2354,7 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class OpaqueTokenInLambdaConfig {
 
 		@Bean
@@ -2354,7 +2363,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			http
 				.authorizeRequests((authorizeRequests) ->
 					authorizeRequests
-						.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
+						.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 						.anyRequest().authenticated()
 				)
 				.oauth2ResourceServer((oauth2ResourceServer) ->
@@ -2540,6 +2549,7 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class OpaqueTokenAuthenticationConverterConfig {
 
 		@Bean
@@ -2547,7 +2557,7 @@ public class OAuth2ResourceServerConfigurerTests {
 			// @formatter:off
 			http
 					.authorizeRequests()
-					.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
+					.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
 					.anyRequest().authenticated()
 					.and()
 					.oauth2ResourceServer()

config/src/test/java/org/springframework/security/config/http/customconfigurer/CustomConfigurer.java

@@ -22,6 +22,7 @@ import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
 import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 /**
  * @author Rob Winch
@@ -43,7 +44,7 @@ public class CustomConfigurer extends SecurityConfigurerAdapter<DefaultSecurityF
 		// @formatter:off
 		http
 			.authorizeRequests()
-				.antMatchers(this.permitAllPattern).permitAll()
+				.requestMatchers(new AntPathRequestMatcher(this.permitAllPattern)).permitAll()
 				.anyRequest().authenticated();
 		// @formatter:on
 		if (http.getConfigurer(FormLoginConfigurer.class) == null) {

config/src/test/kotlin/org/springframework/security/config/annotation/web/CsrfDslTests.kt

@@ -255,36 +255,6 @@ class CsrfDslTests {
         }
     }
 
-    @Test
-    fun `CSRF when ignoring ant matchers then CSRF disabled on matching requests`() {
-        this.spring.register(IgnoringAntMatchersConfig::class.java, BasicController::class.java).autowire()
-
-        this.mockMvc.post("/test1")
-                .andExpect {
-                    status { isForbidden() }
-                }
-
-        this.mockMvc.post("/test2")
-                .andExpect {
-                    status { isOk() }
-                }
-    }
-
-    @Configuration
-    @EnableWebSecurity
-    open class IgnoringAntMatchersConfig {
-        @Bean
-        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
-            http {
-                csrf {
-                    requireCsrfProtectionMatcher = AntPathRequestMatcher("/**")
-                    ignoringAntMatchers("/test2")
-                }
-            }
-            return http.build()
-        }
-    }
-
     @Test
     fun `CSRF when ignoring request matchers pattern then CSRF disabled on matching requests`() {
         this.spring.register(IgnoringRequestMatchersPatternConfig::class.java, BasicController::class.java).autowire()

docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc

@@ -85,9 +85,9 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	http
 		// ...
 		.authorizeRequests(authorize -> authorize                                  // <1>
-			.mvcMatchers("/resources/**", "/signup", "/about").permitAll()         // <2>
+			.requestMatchers("/resources/**", "/signup", "/about").permitAll()         // <2>
-			.mvcMatchers("/admin/**").hasRole("ADMIN")                             // <3>
+			.requestMatchers("/admin/**").hasRole("ADMIN")                             // <3>
-			.mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")   // <4>
+			.requestMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")   // <4>
 			.anyRequest().denyAll()                                                // <5>
 		);
 	return http.build();

docs/modules/ROOT/pages/whats-new.adoc

@@ -26,3 +26,5 @@ You can configure a different `RequestMatcher` by using the https://docs.spring.
 If the application uses `use-expressions="true"` or `access-decision-manager-ref` switch to `use-expressions="false"` or `authorization-manager-ref`, respectively.
 If application relies on the implicit `<intercept-url pattern="/**" access="permitAll"/>`, this is no longer implicit and needs to be specified.
 Or use `use-authorization-manager="false"`
+* https://github.com/spring-projects/spring-security/issues/11939[gh-11939] - Remove deprecated `antMatchers`, `mvcMatchers`, `regexMatchers` helper methods from Java Configuration.
+Instead, use `requestMatchers` or `HttpSecurity#securityMatchers`.

test/src/test/java/org/springframework/security/test/web/servlet/request/Sec2935Tests.java

@@ -35,6 +35,7 @@ import org.springframework.test.context.web.WebAppConfiguration;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
@@ -111,6 +112,7 @@ public class Sec2935Tests {
 
 	@EnableWebSecurity
 	@Configuration
+	@EnableWebMvc
 	static class Config {
 
 		@Bean
@@ -118,7 +120,7 @@ public class Sec2935Tests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/admin/**").hasRole("ADMIN")
+					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated()
 					.and()
 				.httpBasic();

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2LoginTests.java

@@ -153,7 +153,7 @@ public class SecurityMockMvcRequestPostProcessorsOAuth2LoginTests {
 			// @formatter:off
 			http
 				.authorizeRequests((authorize) -> authorize
-					.mvcMatchers("/admin/**").hasAuthority("SCOPE_admin")
+					.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
 					.anyRequest().hasAuthority("SCOPE_read")
 				).oauth2Login();
 			return http.build();

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOidcLoginTests.java

@@ -155,7 +155,7 @@ public class SecurityMockMvcRequestPostProcessorsOidcLoginTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.mvcMatchers("/admin/**").hasAuthority("SCOPE_admin")
+					.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
 					.anyRequest().hasAuthority("SCOPE_read")
 					.and()
 				.oauth2Login();

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOpaqueTokenTests.java

@@ -127,7 +127,7 @@ public class SecurityMockMvcRequestPostProcessorsOpaqueTokenTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.mvcMatchers("/admin/**").hasAuthority("SCOPE_admin")
+					.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
 					.anyRequest().hasAuthority("SCOPE_read")
 					.and()
 				.oauth2ResourceServer()

test/src/test/java/org/springframework/security/test/web/servlet/response/Gh3409Tests.java

@@ -99,7 +99,7 @@ public class Gh3409Tests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/public/**").permitAll()
+					.requestMatchers("/public/**").permitAll()
 					.anyRequest().authenticated()
 					.and()
 				.formLogin().and()

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/DefaultfSecurityRequestsTests.java

@@ -96,7 +96,7 @@ public class DefaultfSecurityRequestsTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/admin/**").hasRole("ADMIN")
+					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated()
 					.and()
 				.httpBasic();

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/SecurityRequestsTests.java

@@ -113,7 +113,7 @@ public class SecurityRequestsTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/admin/**").hasRole("ADMIN")
+					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated()
 					.and()
 				.formLogin();

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserAuthenticationTests.java

@@ -97,7 +97,7 @@ public class WithUserAuthenticationTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/admin/**").hasRole("ADMIN")
+					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated()
 					.and()
 				.formLogin();

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserClassLevelAuthenticationTests.java

@@ -97,7 +97,7 @@ public class WithUserClassLevelAuthenticationTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/admin/**").hasRole("ADMIN")
+					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated()
 					.and()
 				.httpBasic();

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsAuthenticationTests.java

@@ -88,7 +88,7 @@ public class WithUserDetailsAuthenticationTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/admin/**").hasRole("ADMIN")
+					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated()
 					.and()
 				.formLogin();

test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsClassLevelAuthenticationTests.java

@@ -87,7 +87,7 @@ public class WithUserDetailsClassLevelAuthenticationTests {
 			// @formatter:off
 			http
 				.authorizeRequests()
-					.antMatchers("/admin/**").hasRole("ADMIN")
+					.requestMatchers("/admin/**").hasRole("ADMIN")
 					.anyRequest().authenticated()
 					.and()
 				.formLogin();

test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java

@@ -40,6 +40,7 @@ import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
@@ -225,7 +226,7 @@ public class WebTestUtilsTests {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.antMatcher("/willnotmatchthis");
+				.securityMatcher(new AntPathRequestMatcher("/willnotmatchthis"));
 			return http.build();
 			// @formatter:on
 		}