Remove FilterSecurityInterceptor from WebSecurity

Closes gh-11325

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -95,8 +95,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
 	private IgnoredRequestConfigurer ignoredRequestRegistry;
 
-	private FilterSecurityInterceptor filterSecurityInterceptor;
-
 	private HttpFirewall httpFirewall;
 
 	private RequestRejectedHandler requestRejectedHandler;
@@ -211,8 +209,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
 	/**
 	 * Set the {@link WebInvocationPrivilegeEvaluator} to be used. If this is not
-	 * specified, then a {@link DefaultWebInvocationPrivilegeEvaluator} will be created
+	 * specified, then a {@link RequestMatcherDelegatingWebInvocationPrivilegeEvaluator}
-	 * when {@link #securityInterceptor(FilterSecurityInterceptor)} is non null.
+	 * will be created based on the list of {@link SecurityFilterChain}.
 	 * @param privilegeEvaluator the {@link WebInvocationPrivilegeEvaluator} to use
 	 * @return the {@link WebSecurity} for further customizations
 	 */
@@ -246,26 +244,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 	 * @return the {@link WebInvocationPrivilegeEvaluator} for further customizations
 	 */
 	public WebInvocationPrivilegeEvaluator getPrivilegeEvaluator() {
-		if (this.privilegeEvaluator != null) {
 		return this.privilegeEvaluator;
 	}
-		return (this.filterSecurityInterceptor != null)
-				? new DefaultWebInvocationPrivilegeEvaluator(this.filterSecurityInterceptor) : null;
-	}
-
-	/**
-	 * Sets the {@link FilterSecurityInterceptor}. This is typically invoked by
-	 * {@link WebSecurityConfiguration#springSecurityFilterChain()}.
-	 * @param securityInterceptor the {@link FilterSecurityInterceptor} to use
-	 * @return the {@link WebSecurity} for further customizations
-	 * @deprecated Use {@link #privilegeEvaluator(WebInvocationPrivilegeEvaluator)}
-	 * instead
-	 */
-	@Deprecated
-	public WebSecurity securityInterceptor(FilterSecurityInterceptor securityInterceptor) {
-		this.filterSecurityInterceptor = securityInterceptor;
-		return this;
-	}
 
 	/**
 	 * Executes the Runnable immediately after the build takes place

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java

@@ -47,7 +47,6 @@ import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
 import org.springframework.util.Assert;
 
@@ -112,12 +111,6 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
 		}
 		for (SecurityFilterChain securityFilterChain : this.securityFilterChains) {
 			this.webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain);
-			for (Filter filter : securityFilterChain.getFilters()) {
-				if (filter instanceof FilterSecurityInterceptor) {
-					this.webSecurity.securityInterceptor((FilterSecurityInterceptor) filter);
-					break;
-				}
-			}
 		}
 		for (WebSecurityCustomizer customizer : this.webSecurityCustomizers) {
 			customizer.customize(this.webSecurity);

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java

@@ -61,7 +61,6 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 import org.springframework.util.Assert;
 import org.springframework.util.ReflectionUtils;
@@ -317,10 +316,7 @@ public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigu
 	@Override
 	public void init(WebSecurity web) throws Exception {
 		HttpSecurity http = getHttp();
-		web.addSecurityFilterChainBuilder(http).postBuildAction(() -> {
+		web.addSecurityFilterChainBuilder(http);
-			FilterSecurityInterceptor securityInterceptor = http.getSharedObject(FilterSecurityInterceptor.class);
-			web.securityInterceptor(securityInterceptor);
-		});
 	}
 
 	/**