diff --git a/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc b/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
index 5711da0780..844d867bd1 100644
--- a/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
+++ b/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
@@ -205,3 +205,78 @@ open fun web(http: HttpSecurity): SecurityFilterChain {
}
----
====
+
+Now with the authorization rules applying to all dispatcher types, you have more control of the authorization on them.
+For example, you may want to configure `shouldFilterAllDispatcherTypes` to `true` but not apply authorization on requests with dispatcher type `ASYNC` or `FORWARD`.
+
+.Permit ASYNC and FORWARD dispatcher type
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+SecurityFilterChain web(HttpSecurity http) throws Exception {
+ http
+ .authorizeHttpRequests((authorize) -> authorize
+ .shouldFilterAllDispatcherTypes(true)
+ .dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.FORWARD).permitAll()
+ .anyRequest().authenticated()
+ )
+ // ...
+
+ return http.build();
+}
+----
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun web(http: HttpSecurity): SecurityFilterChain {
+ http {
+ authorizeHttpRequests {
+ shouldFilterAllDispatcherTypes = true
+ authorize(DispatcherTypeRequestMatcher(DispatcherType.ASYNC, DispatcherType.FORWARD), permitAll)
+ authorize(anyRequest, authenticated)
+ }
+ }
+ return http.build()
+}
+----
+====
+
+You can also customize it to require a specific role for a dispatcher type:
+
+.Require ADMIN for Dispatcher Type ERROR
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+SecurityFilterChain web(HttpSecurity http) throws Exception {
+ http
+ .authorizeHttpRequests((authorize) -> authorize
+ .shouldFilterAllDispatcherTypes(true)
+ .dispatcherTypeMatchers(DispatcherType.ERROR).hasRole("ADMIN")
+ .anyRequest().authenticated()
+ )
+ // ...
+
+ return http.build();
+}
+----
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun web(http: HttpSecurity): SecurityFilterChain {
+ http {
+ authorizeHttpRequests {
+ shouldFilterAllDispatcherTypes = true
+ authorize(DispatcherTypeRequestMatcher(DispatcherType.ERROR), hasRole("ADMIN"))
+ authorize(anyRequest, authenticated)
+ }
+ }
+ return http.build()
+}
+----
+====
diff --git a/docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc b/docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc
index 0a3f829d5e..a0375d3e77 100644
--- a/docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc
+++ b/docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc
@@ -129,6 +129,7 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
return http.build()
}
----
+====
<1> There are multiple authorization rules specified.
Each rule is considered in the order they were declared.
<2> We specified multiple URL patterns that any user can access.
@@ -141,3 +142,42 @@ You will notice that since we are using the `hasRole` expression we do not need
This is a good strategy if you do not want to accidentally forget to update your authorization rules.
====
+
+[[filtersecurityinterceptor-every-request]]
+== Configure FilterSecurityInterceptor with Dispatcher Types
+
+By default, the `FilterSecurityInterceptor` applies to every request.
+This means that if a request is dispatched from a request that was already filtered, the `FilterSecurityInterceptor` will perform the same authorization checks on the dispatched request.
+In some scenarios, you may not want to apply authorization on some dispatcher types:
+
+.Permit ASYNC and ERROR dispatcher types
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+SecurityFilterChain web(HttpSecurity http) throws Exception {
+ http
+ .authorizeRequests((authorize) -> authorize
+ .dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.ERROR).permitAll()
+ .anyRequest.authenticated()
+ )
+ // ...
+
+ return http.build();
+}
+----
+.XML
+[source,xml]
+----
+
+
+
+
+
+
+
+
+
+----
+====