From 7b8ff72c4e04779a11921f0e087eef009eb0af40 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Wed, 15 Jan 2025 17:45:05 -0700
Subject: [PATCH] Fix MVC Documentation for Kotlin

Closes gh-16426
---
 .../ROOT/pages/servlet/integrations/mvc.adoc | 30 ++++++++++---------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/docs/modules/ROOT/pages/servlet/integrations/mvc.adoc b/docs/modules/ROOT/pages/servlet/integrations/mvc.adoc
index 92223407e2..49314e8ba8 100644
--- a/docs/modules/ROOT/pages/servlet/integrations/mvc.adoc
+++ b/docs/modules/ROOT/pages/servlet/integrations/mvc.adoc
@@ -199,12 +199,10 @@ We could add additional rules for all the permutations of Spring MVC, but this w
 Fortunately, when using the `requestMatchers` DSL method, Spring Security automatically creates a `MvcRequestMatcher` if it detects that Spring MVC is available in the classpath.
 Therefore, it will protect the same URLs that Spring MVC will match on by using Spring MVC to match on the URL.
 
-One common requirement when using Spring MVC is to specify the servlet path property, for that you can use the `MvcRequestMatcher.Builder` to create multiple `MvcRequestMatcher` instances that share the same servlet path:
+One common requirement when using Spring MVC is to specify the servlet path property.
+
+For Java-based Configuration, you can use the `MvcRequestMatcher.Builder` to create multiple `MvcRequestMatcher` instances that share the same servlet path:
 
-[tabs]
-======
-Java::
-+
 [source,java,role="primary"]
 ----
 @Bean
@@ -219,32 +217,36 @@ public SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospe } ---- +For Kotlin and XML, this happens when you specify the servlet path for each path like so: + +[tabs] +====== Kotlin:: + [source,kotlin,role="secondary"] ---- @Bean -open fun filterChain(http: HttpSecurity, introspector: HandlerMappingIntrospector): SecurityFilterChain { - val mvcMatcherBuilder = MvcRequestMatcher.Builder(introspector) +open fun filterChain(http: HttpSecurity): SecurityFilterChain { http { authorizeHttpRequests { - authorize(mvcMatcherBuilder.pattern("/admin"), hasRole("ADMIN")) - authorize(mvcMatcherBuilder.pattern("/user"), hasRole("USER")) + authorize("/admin/**", "/mvc", hasRole("ADMIN")) + authorize("/user/**", "/mvc", hasRole("USER")) } } return http.build() } ---- -====== -The following XML has the same effect: - -[source,xml] +Xml:: ++ +[source,xml, role="secondary"] ---- - + + ---- +====== [[mvc-authentication-principal]] == @AuthenticationPrincipal
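Review bot: The new Kotlin sample passes the literal `"/mvc"` as the servlet path in both `authorize(...)` calls, but the added intro sentence does not say that this value has to equal the path the application's DispatcherServlet is actually mapped to. As far as I know, a rule whose servlet path differs from the request's servlet path does not match at all, so the `hasRole("ADMIN")` check would be skipped and the request decided by whatever rule follows, for instance a broader `authorize(anyRequest, authenticated)` in a real configuration. I would add one sentence under the intro line stating that `/mvc` is a sample value and must be replaced with the application's own servlet path, otherwise the rule never applies. The patterns also change from `/admin` and `/user` to `/admin/**` and `/user/**` without the commit message mentioning it; it is worth confirming this matches the Java sample, whose body lies outside this hunk.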