From 5ae1b73bae7db20c847883ccf80c8b783755b82d Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Mon, 7 Jul 2025 10:32:56 -0600
Subject: [PATCH] Fix Cyclic Bean Dependency

Closes gh-17484
---
 .../web/configuration/EnableWebSecurity.java  |  2 +-
 .../WebSecurityConfiguration.java             |  8 ------
 .../configuration/EnableWebSecurityTests.java | 26 +++++++++++++++++++
 3 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
index 49ac91307d..42d0cdd64f 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
@@ -83,7 +83,7 @@ import org.springframework.security.web.SecurityFilterChain;
 @Target(ElementType.TYPE)
 @Documented
 @Import({ WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, OAuth2ImportSelector.class,
-		HttpSecurityConfiguration.class, ObservationImportSelector.class })
+		HttpSecurityConfiguration.class, ObservationImportSelector.class, AuthorizationConfiguration.class })
 @EnableGlobalAuthentication
 public @interface EnableWebSecurity {
 
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
index 41bd042f75..a3befc654f 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
@@ -42,7 +42,6 @@ import org.springframework.beans.factory.support.ManagedList;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.DependsOn;
-import org.springframework.context.annotation.Fallback;
 import org.springframework.context.annotation.ImportAware;
 import org.springframework.core.OrderComparator;
 import org.springframework.core.Ordered;
@@ -58,7 +57,6 @@ import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.crypto.RsaKeyConversionServicePostProcessor;
-import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
 import org.springframework.security.context.DelegatingApplicationListener;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.FilterChainProxy;
@@ -144,12 +142,6 @@ public class WebSecurityConfiguration implements ImportAware {
 		return this.webSecurity.getPrivilegeEvaluator();
 	}
 
-	@Bean
-	@Fallback
-	public PathPatternRequestMatcherBuilderFactoryBean pathPatternRequestMatcherBuilder() {
-		return new PathPatternRequestMatcherBuilderFactoryBean();
-	}
-
 	/**
 	 * Sets the {@code <SecurityConfigurer<FilterChainProxy, WebSecurityBuilder>}
 	 * instances used to create the web configuration.
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java
index 1a2734775f..ba497c45a5 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java
@@ -36,6 +36,7 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -111,6 +112,15 @@ public class EnableWebSecurityTests {
 		assertThat(parentBean.getChild()).isNotSameAs(childBean);
 	}
 
+	// gh-17484
+	@Test
+	void configureWhenEnableWebSecuritySeparateFromSecurityFilterChainThenWires() {
+		try (AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext()) {
+			context.register(TestConfiguration.class, EnableWebSecurityConfiguration.class);
+			context.refresh();
+		}
+	}
+
 	@Configuration
 	@EnableWebMvc
 	@EnableWebSecurity(debug = true)
@@ -226,4 +236,20 @@ public class EnableWebSecurityTests {
 
 	}
 
+	@Configuration(proxyBeanMethods = false)
+	static class TestConfiguration {
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			return http.build();
+		}
+
+	}
+
+	@EnableWebSecurity
+	@Configuration(proxyBeanMethods = false)
+	static class EnableWebSecurityConfiguration {
+
+	}
+
 }