Allow configuration of authorize requests through nested builder

Issue: gh-5557

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -548,9 +548,10 @@ public final class HttpSecurity extends
 	 * 	@Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests()
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
 	 * 					.anyRequest().hasRole("USER")
-	 * 				.and()
+	 * 			)
 	 * 			.formLogin(formLogin ->
 	 * 				formLogin
 	 * 					.permitAll()
@@ -769,9 +770,10 @@ public final class HttpSecurity extends
 	 * 	@Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests()
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
 	 * 					.antMatchers("/**").hasRole("USER")
-	 * 				.and()
+	 * 			)
 	 * 			.jee(jee ->
 	 * 				jee
 	 * 					.mappableRoles("USER", "ADMIN")
@@ -878,10 +880,10 @@ public final class HttpSecurity extends
 	 * 	@Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests()
-	 * 				.antMatchers("/**")
-	 * 				.hasRole("USER")
-	 * 				.and()
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
+	 * 					.antMatchers("/**").hasRole("USER")
+	 * 			)
 	 * 			.x509(withDefaults());
 	 * 	}
 	 * }
@@ -952,9 +954,10 @@ public final class HttpSecurity extends
 	 * 	@Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests()
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
 	 * 					.antMatchers("/**").hasRole("USER")
-	 * 				.and()
+	 * 			)
 	 * 			.formLogin(withDefaults())
 	 * 			.rememberMe(withDefaults());
 	 * 	}
@@ -1042,6 +1045,91 @@ public final class HttpSecurity extends
 				.getRegistry();
 	}
 
+	/**
+	 * Allows restricting access based upon the {@link HttpServletRequest} using
+	 * {@link RequestMatcher} implementations (i.e. via URL patterns).
+	 *
+	 * <h2>Example Configurations</h2>
+	 *
+	 * The most basic example is to configure all URLs to require the role "ROLE_USER".
+	 * The configuration below requires authentication to every URL and will grant access
+	 * to both the user "admin" and "user".
+	 *
+	 * <pre>
+	 * &#064;Configuration
+	 * &#064;EnableWebSecurity
+	 * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
+	 *
+	 * 	&#064;Override
+	 * 	protected void configure(HttpSecurity http) throws Exception {
+	 * 		http
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
+	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 			)
+	 * 			.formLogin(withDefaults());
+	 * 	}
+	 * }
+	 * </pre>
+	 *
+	 * We can also configure multiple URLs. The configuration below requires
+	 * authentication to every URL and will grant access to URLs starting with /admin/ to
+	 * only the "admin" user. All other URLs either user can access.
+	 *
+	 * <pre>
+	 * &#064;Configuration
+	 * &#064;EnableWebSecurity
+	 * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
+	 *
+	 * 	&#064;Override
+	 * 	protected void configure(HttpSecurity http) throws Exception {
+	 * 		http
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
+	 * 					.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 			)
+	 * 			.formLogin(withDefaults());
+	 * 	}
+	 * }
+	 * </pre>
+	 *
+	 * Note that the matchers are considered in order. Therefore, the following is invalid
+	 * because the first matcher matches every request and will never get to the second
+	 * mapping:
+	 *
+	 * <pre>
+	 * &#064;Configuration
+	 * &#064;EnableWebSecurity
+	 * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
+	 *
+	 * 	&#064;Override
+	 * 	protected void configure(HttpSecurity http) throws Exception {
+	 * 		 http
+	 * 		 	.authorizeRequests(authorizeRequests ->
+	 * 		 		authorizeRequests
+	 * 			 		.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 			 		.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 		 	);
+	 * 	}
+	 * }
+	 * </pre>
+	 *
+	 * @see #requestMatcher(RequestMatcher)
+	 *
+	 * @param authorizeRequestsCustomizer the {@link Customizer} to provide more options for
+	 * the {@link ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry}
+	 * @return the {@link HttpSecurity} for further customizations
+	 * @throws Exception
+	 */
+	public HttpSecurity authorizeRequests(Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer)
+			throws Exception {
+		ApplicationContext context = getContext();
+		authorizeRequestsCustomizer.customize(getOrApply(new ExpressionUrlAuthorizationConfigurer<>(context))
+				.getRegistry());
+		return HttpSecurity.this;
+	}
+
 	/**
 	 * Allows configuring the Request Cache. For example, a protected page (/protected)
 	 * may be requested prior to authentication. The application will redirect the user to
@@ -1075,9 +1163,10 @@ public final class HttpSecurity extends
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests()
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
 	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 				.and()
+	 * 			)
 	 * 			.requestCache(requestCache ->
 	 * 				requestCache.disable()
 	 * 			);
@@ -1124,9 +1213,10 @@ public final class HttpSecurity extends
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests()
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
 	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 				.and()
+	 * 			)
 	 * 			// sample exception handling customization
 	 * 			.exceptionHandling(exceptionHandling ->
 	 * 				exceptionHandling
@@ -1288,9 +1378,10 @@ public final class HttpSecurity extends
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests()
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
 	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 				.and()
+	 * 			)
 	 * 			.formLogin(withDefaults())
 	 * 			// sample logout customization
 	 * 			.logout(logout ->
@@ -1460,9 +1551,10 @@ public final class HttpSecurity extends
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests()
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
 	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 				.and()
+	 * 			)
 	 * 			.formLogin(withDefaults());
 	 * 	}
 	 * }
@@ -1478,9 +1570,10 @@ public final class HttpSecurity extends
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests()
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
 	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 				.and()
+	 * 			)
 	 * 			.formLogin(formLogin ->
 	 * 				formLogin
 	 * 					.usernameParameter(&quot;username&quot;)
@@ -1717,9 +1810,10 @@ public final class HttpSecurity extends
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests()
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
 	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 				.and()
+	 * 			)
 	 * 			.httpBasic(withDefaults());
 	 * 	}
 	 * }

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -49,6 +49,7 @@ import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.spy;
+import static org.springframework.security.config.Customizer.withDefaults;
 
 /**
  * @author Rob Winch
@@ -113,6 +114,39 @@ public class AuthorizeRequestsTests {
 		}
 	}
 
+	@Test
+	public void postWhenPostDenyAllInLambdaThenRespondsWithForbidden() throws Exception {
+		loadConfig(AntMatchersNoPatternsInLambdaConfig.class);
+		this.request.setMethod("POST");
+
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
+	}
+
+	@EnableWebSecurity
+	@Configuration
+	static class AntMatchersNoPatternsInLambdaConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
+						.antMatchers(HttpMethod.POST).denyAll()
+				);
+			// @formatter:on
+		}
+
+		@Override
+		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+			// @formatter:off
+			auth
+				.inMemoryAuthentication();
+			// @formatter:on
+		}
+	}
+
 	// SEC-2256
 	@Test
 	public void antMatchersPathVariables() throws Exception {
@@ -314,6 +348,66 @@ public class AuthorizeRequestsTests {
 		}
 	}
 
+	@Test
+	public void requestWhenMvcMatcherDenyAllThenRespondsWithUnauthorized() throws Exception {
+		loadConfig(MvcMatcherInLambdaConfig.class);
+
+		this.request.setRequestURI("/path");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus())
+				.isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+
+		setup();
+
+		this.request.setRequestURI("/path.html");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus())
+				.isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+
+		setup();
+
+		this.request.setServletPath("/path/");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus())
+				.isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+	}
+
+	@EnableWebSecurity
+	@Configuration
+	@EnableWebMvc
+	static class MvcMatcherInLambdaConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.httpBasic(withDefaults())
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
+						.mvcMatchers("/path").denyAll()
+				);
+			// @formatter:on
+		}
+
+		@Override
+		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+			// @formatter:off
+			auth
+				.inMemoryAuthentication();
+			// @formatter:on
+		}
+
+		@RestController
+		static class PathController {
+			@RequestMapping("/path")
+			public String path() {
+				return "path";
+			}
+		}
+	}
+
 	@Test
 	public void mvcMatcherServletPath() throws Exception {
 		loadConfig(MvcMatcherServletPathConfig.class);
@@ -391,6 +485,85 @@ public class AuthorizeRequestsTests {
 		}
 	}
 
+	@Test
+	public void requestWhenMvcMatcherServletPathDenyAllThenMatchesOnServletPath() throws Exception {
+		loadConfig(MvcMatcherServletPathInLambdaConfig.class);
+
+		this.request.setServletPath("/spring");
+		this.request.setRequestURI("/spring/path");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus())
+				.isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+
+		setup();
+
+		this.request.setServletPath("/spring");
+		this.request.setRequestURI("/spring/path.html");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus())
+				.isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+
+		setup();
+
+		this.request.setServletPath("/spring");
+		this.request.setRequestURI("/spring/path/");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus())
+				.isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+
+		setup();
+
+		this.request.setServletPath("/foo");
+		this.request.setRequestURI("/foo/path");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+
+		setup();
+
+		this.request.setServletPath("/");
+		this.request.setRequestURI("/path");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+	}
+
+	@EnableWebSecurity
+	@Configuration
+	@EnableWebMvc
+	static class MvcMatcherServletPathInLambdaConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.httpBasic(withDefaults())
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
+						.mvcMatchers("/path").servletPath("/spring").denyAll()
+				);
+			// @formatter:on
+		}
+
+		@Override
+		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+			// @formatter:off
+			auth
+				.inMemoryAuthentication();
+			// @formatter:on
+		}
+
+		@RestController
+		static class PathController {
+			@RequestMapping("/path")
+			public String path() {
+				return "path";
+			}
+		}
+	}
+
 	@Test
 	public void mvcMatcherPathVariables() throws Exception {
 		loadConfig(MvcMatcherPathVariablesConfig.class);
@@ -441,6 +614,58 @@ public class AuthorizeRequestsTests {
 		}
 	}
 
+	@Test
+	public void requestWhenMvcMatcherPathVariablesThenMatchesOnPathVariables() throws Exception {
+		loadConfig(MvcMatcherPathVariablesInLambdaConfig.class);
+
+		this.request.setRequestURI("/user/user");
+
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+
+		this.setup();
+		this.request.setRequestURI("/user/deny");
+
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus())
+				.isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+	}
+
+	@EnableWebSecurity
+	@Configuration
+	@EnableWebMvc
+	static class MvcMatcherPathVariablesInLambdaConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.httpBasic(withDefaults())
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
+						.mvcMatchers("/user/{userName}").access("#userName == 'user'")
+				);
+			// @formatter:on
+		}
+
+		@Override
+		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+			// @formatter:off
+			auth
+				.inMemoryAuthentication();
+			// @formatter:on
+		}
+
+		@RestController
+		static class PathController {
+			@RequestMapping("/path")
+			public String path() {
+				return "path";
+			}
+		}
+	}
+
 	@EnableWebSecurity
 	@Configuration
 	@EnableWebMvc

config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java

@@ -162,9 +162,10 @@ public class CorsConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().authenticated()
-					.and()
+				)
 				.cors(withDefaults());
 			// @formatter:on
 		}
@@ -261,9 +262,10 @@ public class CorsConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().authenticated()
-					.and()
+				)
 				.cors(withDefaults());
 			// @formatter:on
 		}
@@ -359,9 +361,10 @@ public class CorsConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().authenticated()
-					.and()
+				)
 				.cors(withDefaults());
 			// @formatter:on
 		}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java

@@ -109,9 +109,10 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().denyAll()
-					.and()
+				)
 				.exceptionHandling(exceptionHandling ->
 					exceptionHandling
 						.defaultAccessDeniedHandlerFor(

config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java

@@ -254,9 +254,10 @@ public class FormLoginConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().hasRole("USER")
-					.and()
+				)
 				.formLogin(withDefaults());
 			// @formatter:on
 		}
@@ -387,9 +388,10 @@ public class FormLoginConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().hasRole("USER")
-					.and()
+				)
 				.formLogin(formLogin ->
 					formLogin
 						.loginPage("/authenticate")
@@ -458,9 +460,10 @@ public class FormLoginConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().authenticated()
-					.and()
+				)
 				.formLogin(formLogin ->
 					formLogin
 						.loginProcessingUrl("/loginCheck")

config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java

@@ -107,9 +107,10 @@ public class HttpBasicConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().authenticated()
-					.and()
+				)
 				.httpBasic(withDefaults());
 			// @formatter:on
 		}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java

@@ -151,9 +151,10 @@ public class JeeConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().hasRole("USER")
-					.and()
+				)
 				.jee(jee ->
 					jee
 						.mappableRoles("USER")
@@ -185,9 +186,10 @@ public class JeeConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().hasRole("USER")
-					.and()
+				)
 				.jee(jee ->
 					jee
 						.mappableAuthorities("ROLE_USER")
@@ -226,9 +228,10 @@ public class JeeConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().hasRole("USER")
-					.and()
+				)
 				.jee(jee ->
 					jee
 						.authenticatedUserDetailsService(authenticationUserDetailsService)

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java

@@ -125,9 +125,10 @@ public class NamespaceHttpBasicTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().hasRole("USER")
-					.and()
+				)
 				.httpBasic(withDefaults());
 			// @formatter:on
 		}
@@ -174,9 +175,10 @@ public class NamespaceHttpBasicTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().hasRole("USER")
-					.and()
+				)
 				.httpBasic(httpBasicConfig -> httpBasicConfig.realmName("Custom Realm"));
 			// @formatter:on
 		}
@@ -310,9 +312,10 @@ public class NamespaceHttpBasicTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().hasRole("USER")
-					.and()
+				)
 				.httpBasic(httpBasicConfig ->
 						httpBasicConfig.authenticationEntryPoint(this.authenticationEntryPoint));
 			// @formatter:on

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java

@@ -98,9 +98,10 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().denyAll()
-					.and()
+				)
 				.exceptionHandling(exceptionHandling ->
 					exceptionHandling.accessDeniedPage("/AccessDeniedPageConfig")
 				);
@@ -152,9 +153,10 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().denyAll()
-					.and()
+				)
 				.exceptionHandling(exceptionHandling ->
 						exceptionHandling.accessDeniedHandler(accessDeniedHandler())
 				);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java

@@ -320,9 +320,10 @@ public class RememberMeConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().hasRole("USER")
-					.and()
+				)
 				.formLogin(withDefaults())
 				.rememberMe(withDefaults());
 			// @formatter:on
@@ -394,9 +395,10 @@ public class RememberMeConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().hasRole("USER")
-					.and()
+				)
 				.formLogin(withDefaults())
 				.rememberMe(rememberMe ->
 					rememberMe

config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java

@@ -291,9 +291,10 @@ public class RequestCacheConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().authenticated()
-					.and()
+				)
 				.formLogin(withDefaults())
 				.requestCache(RequestCacheConfigurer::disable);
 			// @formatter:on
@@ -318,9 +319,10 @@ public class RequestCacheConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().authenticated()
-					.and()
+				)
 				.formLogin(withDefaults())
 				.requestCache(withDefaults());
 			// @formatter:on
@@ -345,9 +347,10 @@ public class RequestCacheConfigurerTests {
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests()
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests
 						.anyRequest().authenticated()
-					.and()
+				)
 				.formLogin(withDefaults())
 				.requestCache(requestCache ->
 					requestCache