From 185991a60617f223bbde4631df6fa2c86e5a10f2 Mon Sep 17 00:00:00 2001 From: Joe Grandja Date: Thu, 13 Oct 2022 06:18:00 -0400 Subject: [PATCH] Revert "Add default AuthorizationManager" This reverts commit 4ddec07d0e13c2fe994a8720e22215402d49edd5. --- ...MatcherDelegatingAuthorizationManager.java | 23 ++----------------- ...erDelegatingAuthorizationManagerTests.java | 19 --------------- 2 files changed, 2 insertions(+), 40 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java b/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java index e1116c2150..e19285c1ef 100644 --- a/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java +++ b/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java @@ -49,8 +49,6 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho private final List>> mappings; - private AuthorizationManager defaultManager = (authentication, request) -> null; - private RequestMatcherDelegatingAuthorizationManager( List>> mappings) { Assert.notEmpty(mappings, "mappings cannot be empty"); @@ -84,10 +82,8 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho new RequestAuthorizationContext(request, matchResult.getVariables())); } } - if (this.logger.isTraceEnabled()) { - this.logger.trace(LogMessage.format("Checking authorization on %s using %s", request, this.defaultManager)); - } - return this.defaultManager.check(authentication, new RequestAuthorizationContext(request)); + this.logger.trace("Abstaining since did not find matching RequestMatcher"); + return null; } /** 
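Review bot: A request that matches none of the configured mappings now gets `null` from the end of `check` (an abstention, not a denial), and nothing in the visible lines documents that contract. Whether such a request is then allowed depends on how the caller treats a null `AuthorizationDecision`, which is outside this hunk; a caller that rejects only on a non-null, non-granted decision would let it through. I would state the contract in the method's Javadoc, for example `@return the matching manager's decision, or {@code null} (abstain) when no {@link RequestMatcher} matches`, and note there that mappings should end with a catch-all entry such as `AnyRequestMatcher.INSTANCE` paired with an explicit decision. The body of `check` starts above the hunk, so the matching loop itself is not reviewed here.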
@@ -98,21 +94,6 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho return new Builder(); } - /** - * Use this {@link AuthorizationManager} if the request fails to match any other - * configured {@link AuthorizationManager}. - * - *

- * This is specifically handy when considering whether to accept or deny requests by - * default. The default is to abstain from deciding on requests that don't match - * configuration. - * @param authorizationManager the {@link AuthorizationManager} to use - * @since 5.8 - */ - public void setDefaultAuthorizationManager(AuthorizationManager authorizationManager) { - this.defaultManager = authorizationManager; - } - /** * A builder for {@link RequestMatcherDelegatingAuthorizationManager}. */ diff --git a/web/src/test/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManagerTests.java b/web/src/test/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManagerTests.java index 340b2b5bc9..624a6ecee8 100644 --- a/web/src/test/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManagerTests.java +++ b/web/src/test/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManagerTests.java @@ -24,7 +24,6 @@ import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authorization.AuthorityAuthorizationManager; import org.springframework.security.authorization.AuthorizationDecision; -import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.core.Authentication; import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher; import org.springframework.security.web.util.matcher.AnyRequestMatcher; 
@@ -32,10 +31,6 @@ import org.springframework.security.web.util.matcher.RequestMatcherEntry; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.BDDMockito.given; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.verify; /** * Tests for {@link RequestMatcherDelegatingAuthorizationManager}. @@ -120,20 +115,6 @@ public class RequestMatcherDelegatingAuthorizationManagerTests { assertThat(unmapped.isGranted()).isFalse(); } - @Test - public void checkWhenNoMatchesThenUsesDefaultAuthorizationManager() { - RequestMatcherDelegatingAuthorizationManager manager = RequestMatcherDelegatingAuthorizationManager.builder() - .add((request) -> false, (authentication, context) -> new AuthorizationDecision(false)).build(); - AuthorizationManager defaultManager = mock(AuthorizationManager.class); - given(defaultManager.check(any(), any())).willReturn(new AuthorizationDecision(true)); - manager.setDefaultAuthorizationManager(defaultManager); - Supplier authentication = () -> new TestingAuthenticationToken("user", "password"); - AuthorizationDecision decision = manager.check(authentication, new MockHttpServletRequest(null, "/endpoint")); - assertThat(decision).isNotNull(); - assertThat(decision.isGranted()).isTrue(); - verify(defaultManager).check(any(), any()); - } - @Test public void addWhenMappingsConsumerNullThenException() { assertThatIllegalArgumentException()