Change the default of shouldFilterAllDispatchTypes to true

Closes gh-11107

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -118,7 +118,7 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 
 		private int mappingCount;
 
-		private boolean shouldFilterAllDispatcherTypes = false;
+		private boolean shouldFilterAllDispatcherTypes = true;
 
 		private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) {
 			setApplicationContext(context);
@@ -175,8 +175,7 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 
 		/**
 		 * Sets whether all dispatcher types should be filtered.
-		 * @param shouldFilter should filter all dispatcher types. Default is
-		 * {@code false}
+		 * @param shouldFilter should filter all dispatcher types. Default is {@code true}
 		 * @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
 		 * customizations
 		 * @since 5.7

docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc

@@ -170,10 +170,10 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
 ----
 ====
 
-By default, the `AuthorizationFilter` does not apply to `DispatcherType.ERROR` and `DispatcherType.ASYNC`.
-We can configure Spring Security to apply the authorization rules to all dispatcher types by using the `shouldFilterAllDispatcherTypes` method:
+By default, the `AuthorizationFilter` applies to all dispatcher types.
+We can configure Spring Security to not apply the authorization rules to all dispatcher types by using the `shouldFilterAllDispatcherTypes` method:
 
-.Set shouldFilterAllDispatcherTypes to true
+.Set shouldFilterAllDispatcherTypes to false
 ====
 .Java
 [source,java,role="primary"]
@@ -182,7 +182,7 @@ We can configure Spring Security to apply the authorization rules to all dispatc
 SecurityFilterChain web(HttpSecurity http) throws Exception {
     http
         .authorizeHttpRequests((authorize) -> authorize
-            .shouldFilterAllDispatcherTypes(true)
+            .shouldFilterAllDispatcherTypes(false)
             .anyRequest.authenticated()
         )
         // ...

web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java

@@ -50,7 +50,7 @@ public class AuthorizationFilter extends OncePerRequestFilter {
 
 	private AuthorizationEventPublisher eventPublisher = AuthorizationFilter::noPublish;
 
-	private boolean shouldFilterAllDispatcherTypes = false;
+	private boolean shouldFilterAllDispatcherTypes = true;
 
 	/**
 	 * Creates an instance.
@@ -120,7 +120,7 @@ public class AuthorizationFilter extends OncePerRequestFilter {
 	/**
 	 * Sets whether to filter all dispatcher types.
 	 * @param shouldFilterAllDispatcherTypes should filter all dispatcher types. Default
-	 * is {@code false}
+	 * is {@code true}
 	 * @since 5.7
 	 */
 	public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) {

web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java

@@ -167,7 +167,7 @@ public class AuthorizationFilterTests {
 	}
 
 	@Test
-	public void doFilterWhenErrorThenDoNotFilter() throws Exception {
+	public void doFilterWhenErrorThenDoFilter() throws Exception {
 		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
 		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
 		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
@@ -176,25 +176,25 @@ public class AuthorizationFilterTests {
 		MockHttpServletResponse mockResponse = new MockHttpServletResponse();
 		FilterChain mockFilterChain = mock(FilterChain.class);
 
+		authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
+		verify(authorizationManager).check(any(Supplier.class), eq(mockRequest));
+	}
+
+	@Test
+	public void doFilterWhenErrorAndShouldFilterAllDispatcherTypesFalseThenDoNotFilter() throws Exception {
+		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
+		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
+		authorizationFilter.setShouldFilterAllDispatcherTypes(false);
+		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
+		mockRequest.setDispatcherType(DispatcherType.ERROR);
+		mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
+		MockHttpServletResponse mockResponse = new MockHttpServletResponse();
+		FilterChain mockFilterChain = mock(FilterChain.class);
+
 		authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
 		verifyNoInteractions(authorizationManager);
 	}
 
-	@Test
-	public void doFilterWhenErrorAndShouldFilterAllDispatcherTypesThenFilter() throws Exception {
-		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
-		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
-		authorizationFilter.setShouldFilterAllDispatcherTypes(true);
-		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
-		mockRequest.setDispatcherType(DispatcherType.ERROR);
-		mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
-		MockHttpServletResponse mockResponse = new MockHttpServletResponse();
-		FilterChain mockFilterChain = mock(FilterChain.class);
-
-		authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
-		verify(authorizationManager).check(any(Supplier.class), any(HttpServletRequest.class));
-	}
-
 	@Test
 	public void doFilterNestedErrorDispatchWhenAuthorizationManagerThenUses() throws Exception {
 		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);