Enable Null checking in spring-security-web via JSpecify

Closes gh-16882

.github/dco.yml

@@ -0,0 +1,2 @@
+require:
+  members: false

.github/dependabot.yml

@@ -3,9 +3,12 @@ registries:
   spring-milestones:
     type: maven-repository
     url: https://repo.spring.io/milestone
+  shibboleth:
+    type: maven-repository
+    url: https://build.shibboleth.net/maven/releases
 updates:
   - package-ecosystem: gradle
-    target-branch: 6.3.x
+    target-branch: 6.5.x
     directory: /
     schedule:
       interval: daily
@@ -15,10 +18,12 @@ updates:
       - 'type: dependency-upgrade'
     registries:
       - spring-milestones
+      - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
       - dependency-name: org.python:jython
       - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
       - dependency-name: org.junit:junit-bom
         update-types:
           - version-update:semver-major
@@ -29,6 +34,34 @@ updates:
         update-types:
           - version-update:semver-major
           - version-update:semver-minor
+  - package-ecosystem: gradle
+    target-branch: 6.4.x
+    directory: /
+    schedule:
+      interval: daily
+      time: '03:00'
+      timezone: Etc/UTC
+    labels:
+      - 'type: dependency-upgrade'
+    registries:
+      - spring-milestones
+      - shibboleth
+    ignore:
+      - dependency-name: com.nimbusds:nimbus-jose-jwt
+      - dependency-name: org.python:jython
+      - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
+      - dependency-name: org.junit:junit-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: org.mockito:mockito-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: '*'
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
+
   - package-ecosystem: gradle
     target-branch: main
     directory: /
@@ -40,10 +73,12 @@ updates:
       - 'type: dependency-upgrade'
     registries:
       - spring-milestones
+      - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
       - dependency-name: org.python:jython
       - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
       - dependency-name: org.junit:junit-bom
         update-types:
           - version-update:semver-major
@@ -57,31 +92,7 @@ updates:
       - dependency-name: '*'
         update-types:
           - version-update:semver-major
-
-  - package-ecosystem: github-actions
-    target-branch: 6.3.x
-    directory: /
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'
-  - package-ecosystem: github-actions
-    target-branch: main
-    directory: /
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'
-  - package-ecosystem: github-actions
-    target-branch: docs-build
-    directory: /
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'
+          - version-update:semver-minor
 
   - package-ecosystem: npm
     target-branch: docs-build

.github/workflows/check-snapshots.yml

@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  schedule:
+    - cron: '0 10 * * *' # Once per day at 10am UTC
+  workflow_dispatch: # Manual trigger
+
+env:
+  DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+
+permissions:
+  contents: read
+
+jobs:
+  snapshot-test:
+    name: Test Against Snapshots
+    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
+    strategy:
+      matrix:
+        include:
+          - java-version: 21-ea
+            toolchain: 21
+          - java-version: 17
+            toolchain: 17
+    with:
+      java-version: ${{ matrix.java-version }}
+      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot,https://oss.sonatype.org/content/repositories/snapshots -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=7.+ -PreactorVersion=2025.+ -PspringDataVersion=2025.+ --stacktrace
+    secrets: inherit
+  send-notification:
+    name: Send Notification
+    needs: [ snapshot-test ]
+    if: ${{ !success() }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send Notification
+        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
+        with:
+          webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.github/workflows/continuous-integration-workflow.yml

@@ -27,60 +27,24 @@ jobs:
       java-version: ${{ matrix.jdk }}
       distribution: temurin
     secrets: inherit
-  test:
-    name: Test Against Snapshots
-    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
-    strategy:
-      matrix:
-        include:
-          - java-version: 21-ea
-            toolchain: 21
-          - java-version: 17
-            toolchain: 17
-    with:
-      java-version: ${{ matrix.java-version }}
-      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=6.2.+ -PreactorVersion=2023.0.+ -PspringDataVersion=2024.0.+ --stacktrace
-    secrets: inherit
-  check-samples:
-    name: Check Samples
-    runs-on: ubuntu-latest
-    if: ${{ github.repository_owner == 'spring-projects' }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@v2
-        with:
-          java-version: 17
-          distribution: temurin
-      - name: Check samples project
-        env:
-          LOCAL_REPOSITORY_PATH: ${{ github.workspace }}/build/publications/repos
-          SAMPLES_DIR: ../spring-security-samples
-        run: |
-          # Extract version from gradle.properties
-          version=$(cat gradle.properties | grep "version=" | awk -F'=' '{print $2}')
-          # Extract samplesBranch from gradle.properties
-          samples_branch=$(cat gradle.properties | grep "samplesBranch=" | awk -F'=' '{print $2}')
-          ./gradlew publishMavenJavaPublicationToLocalRepository
-          ./gradlew cloneRepository -PrepositoryName="spring-projects/spring-security-samples" -Pref="$samples_branch" -PcloneOutputDirectory="$SAMPLES_DIR"
-          ./gradlew --refresh-dependencies --project-dir "$SAMPLES_DIR" --init-script spring-security-ci.gradle -PlocalRepositoryPath="$LOCAL_REPOSITORY_PATH" -PspringSecurityVersion="$version" test integrationTest
   deploy-artifacts:
     name: Deploy Artifacts
-    needs: [ build, test, check-samples ]
+    needs: [ build]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@v1
     with:
       should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
+      default-publish-milestones-central: true
     secrets: inherit
   deploy-docs:
     name: Deploy Docs
-    needs: [ build, test, check-samples ]
+    needs: [ build ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-docs.yml@v1
     with:
       should-deploy-docs: ${{ needs.build.outputs.should-deploy-artifacts }}
     secrets: inherit
   deploy-schema:
     name: Deploy Schema
-    needs: [ build, test, check-samples ]
+    needs: [ build ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@v1
     with:
       should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
@@ -92,7 +56,7 @@ jobs:
     with:
       should-perform-release: ${{ needs.deploy-artifacts.outputs.artifacts-deployed }}
       project-version: ${{ needs.deploy-artifacts.outputs.project-version }}
-      milestone-repo-url: https://repo.spring.io/artifactory/milestone
+      milestone-repo-url: https://repo1.maven.org/maven2
       release-repo-url: https://repo1.maven.org/maven2
       artifact-path: org/springframework/security/spring-security-core
       slack-announcing-id: spring-security-announcing

.github/workflows/gradle-wrapper-upgrade-execution.yml

@@ -26,7 +26,7 @@ jobs:
           java-version: '17'
           distribution: 'temurin'
       - name: Set up Gradle
-        uses: gradle/gradle-build-action@v3
+        uses: gradle/gradle-build-action@v2
       - name: Upgrade Wrappers
         run: ./gradlew clean upgradeGradleWrapperAll --continue -Porg.gradle.java.installations.auto-download=false
         env:

.github/workflows/release-scheduler.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       matrix:
         # List of active maintenance branches.
-        branch: [ main, 6.3.x, 6.2.x, 5.8.x ]
+        branch: [ main, 6.5.x, 6.4.x, 6.3.x ]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

CONTRIBUTING.adoc

@@ -79,7 +79,10 @@ See https://github.com/spring-projects/spring-security/tree/main#building-from-s
 
 The wiki pages https://github.com/spring-projects/spring-framework/wiki/Code-Style[Code Style] and https://github.com/spring-projects/spring-framework/wiki/IntelliJ-IDEA-Editor-Settings[IntelliJ IDEA Editor Settings] define the source file coding standards we use along with some IDEA editor settings we customize.
 
-To format the code as well as check the style, run `./gradlew format check`.
+Additionally, since Streams are https://github.com/spring-projects/spring-security/issues/7154[much slower] than `for` loops, please use them judiciously.
+The team may ask you to change to a `for` loop if the given code is along a hot path.
+
+To format the code as well as check the style, run `./gradlew format && ./gradlew check`.
 
 [[submit-a-pull-request]]
 === Submit a Pull Request
@@ -89,41 +92,30 @@ We are excited for your pull request! :heart:
 Please do your best to follow these steps.
 Don't worry if you don't get them all correct the first time, we will help you.
 
-[[sign-cla]]
-1. If you have not previously done so, please sign the https://cla.spring.io/sign/spring[Contributor License Agreement].
-You will be reminded automatically when you submit the PR.
-[[create-an-issue]]
-1. Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier discuss with the team first to determine the right fix or enhancement.
+1. [[sign-cla]] All commits must include a __Signed-off-by__ trailer at the end of each commit message to indicate that the contributor agrees to the Developer Certificate of Origin.
+For additional details, please refer to the blog post https://spring.io/blog/2025/01/06/hello-dco-goodbye-cla-simplifying-contributions-to-spring[Hello DCO, Goodbye CLA: Simplifying Contributions to Spring].
+2. [[create-an-issue-list]] Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier discuss with the team first to determine the right fix or enhancement.
 For typos and straightforward bug fixes, starting with a pull request is encouraged.
 Please include a description for context and motivation.
 Note that the team may close your pull request if it's not a fit for the project.
-[[choose-a-branch]]
-1. Always check out the branch indicated in the milestone and submit pull requests against it (for example, for milestone `5.8.3` use the `5.8.x` branch).
+3. [[choose-a-branch]] Always check out the branch indicated in the milestone and submit pull requests against it (for example, for milestone `5.8.3` use the `5.8.x` branch).
 If there is no milestone, choose `main`.
 Once merged, the fix will be forwarded-ported to applicable branches including `main`.
-[[create-a-local-branch]]
-1. Create a local branch
+4. [[create-a-local-branch]] Create a local branch
 If this is for an issue, consider a branch name with the issue number, like `gh-22276`.
-[[write-tests]]
-1. Add documentation and JUnit Tests for your changes.
-[[update-copyright]]
-1. In all files you edited, if the copyright header is of the form 2002-20xx, update the final copyright year to the current year.
-[[add-since]]
-1. If on `main`, add `@since` JavaDoc attributes to new public APIs that your PR adds
-[[change-rnc]]
-1. If you are updating the XSD, please instead update the RNC file and then run `./gradlew :spring-security-config:rncToXsd`.
-[[format-code]]
-1. For each commit, build the code using `./gradlew format check`.
+5. [[write-tests]] Add documentation and JUnit Tests for your changes.
+6. [[update-copyright]] In all files you edited, if the copyright header is of the form 2002-20xx, update the final copyright year to the current year.
+7. [[add-since]] If on `main`, add `@since` JavaDoc attributes to new public APIs that your PR adds
+8. [[change-rnc]] If you are updating the XSD, please instead update the RNC file and then run `./gradlew :spring-security-config:rncToXsd`.
+9. [[format-code]] For each commit, build the code using `./gradlew format && ./gradlew check`.
 This command ensures the code meets most of <<code-style,the style guide>>; a notable exception is import order.
-[[commit-atomically]]
-1. Choose the granularity of your commits consciously and squash commits that represent
+10. [[commit-atomically]] Choose the granularity of your commits consciously and squash commits that represent
 multiple edits or corrections of the same logical change.
 See https://git-scm.com/book/en/Git-Tools-Rewriting-History[Rewriting History section of Pro Git] for an overview of streamlining the commit history.
-[[format-commit-messages]]
-1. Format commit messages using 55 characters for the subject line, 72 characters per line
+11. [[format-commit-messages]] Format commit messages using 55 characters for the subject line, 72 characters per line
 for the description, followed by the issue fixed, for example, `Closes gh-22276`.
 See the https://git-scm.com/book/en/Distributed-Git-Contributing-to-a-Project#Commit-Guidelines[Commit Guidelines section of Pro Git] for best practices around commit messages, and use `git log` to see some examples.
-Present tense is preferred.
+Favor imperative tense over present tense (use "Fix" instead of "Fixes"); avoid past tense (use "Fix" instead of "Fixed").
 +
 [indent=0]
 ----

acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java

@@ -96,7 +96,11 @@ import org.springframework.util.StringUtils;
  * All comparisons and prefixes are case sensitive.
  *
  * @author Ben Alex
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PreAuthorize("hasPermission(#id, ObjectsReturnType.class, read)")}
  */
+@Deprecated
 public class AclEntryVoter extends AbstractAclVoter {
 
 	private static final Log logger = LogFactory.getLog(AclEntryVoter.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/AbstractAclProvider.java

@@ -20,6 +20,7 @@ import java.util.List;
 
 import org.springframework.security.access.AfterInvocationProvider;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.acls.AclPermissionEvaluator;
 import org.springframework.security.acls.domain.ObjectIdentityRetrievalStrategyImpl;
 import org.springframework.security.acls.domain.SidRetrievalStrategyImpl;
 import org.springframework.security.acls.model.Acl;
@@ -39,7 +40,11 @@ import org.springframework.util.ObjectUtils;
  * services.
  *
  * @author Ben Alex
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PostAuthorize("hasPermission(filterObject, read)")}
  */
+@Deprecated
 public abstract class AbstractAclProvider implements AfterInvocationProvider {
 
 	protected final AclService aclService;

acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java

@@ -26,6 +26,7 @@ import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AuthorizationServiceException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.acls.AclPermissionEvaluator;
 import org.springframework.security.acls.model.AclService;
 import org.springframework.security.acls.model.Permission;
 import org.springframework.security.core.Authentication;
@@ -62,7 +63,11 @@ import org.springframework.security.core.Authentication;
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PostFilter("hasPermission(filterObject, read)")}
  */
+@Deprecated
 public class AclEntryAfterInvocationCollectionFilteringProvider extends AbstractAclProvider {
 
 	protected static final Log logger = LogFactory.getLog(AclEntryAfterInvocationCollectionFilteringProvider.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java

@@ -27,6 +27,7 @@ import org.springframework.context.MessageSourceAware;
 import org.springframework.context.support.MessageSourceAccessor;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.acls.AclPermissionEvaluator;
 import org.springframework.security.acls.model.AclService;
 import org.springframework.security.acls.model.Permission;
 import org.springframework.security.core.Authentication;
@@ -59,7 +60,12 @@ import org.springframework.security.core.SpringSecurityMessageSource;
  * granted and <code>null</code> will be returned.
  * <p>
  * All comparisons and prefixes are case sensitive.
+ *
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PostAuthorize("hasPermission(filterObject, read)")}
  */
+@Deprecated
 public class AclEntryAfterInvocationProvider extends AbstractAclProvider implements MessageSourceAware {
 
 	protected static final Log logger = LogFactory.getLog(AclEntryAfterInvocationProvider.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/ArrayFilterer.java

@@ -32,7 +32,9 @@ import org.springframework.core.log.LogMessage;
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please see {@code PostFilter}
  */
+@Deprecated
 class ArrayFilterer<T> implements Filterer<T> {
 
 	protected static final Log logger = LogFactory.getLog(ArrayFilterer.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/CollectionFilterer.java

@@ -31,7 +31,9 @@ import org.springframework.core.log.LogMessage;
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please see {@code PostFilter}
  */
+@Deprecated
 class CollectionFilterer<T> implements Filterer<T> {
 
 	protected static final Log logger = LogFactory.getLog(CollectionFilterer.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/Filterer.java

@@ -23,7 +23,9 @@ import java.util.Iterator;
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please use {@code PreFilter} and {@code @PostFilter} instead
  */
+@Deprecated
 interface Filterer<T> extends Iterable<T> {
 
 	/**

acl/src/main/java/org/springframework/security/acls/jdbc/JdbcAclService.java

@@ -100,8 +100,8 @@ public class JdbcAclService implements AclService {
 	@Override
 	public List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
 		Object[] args = { parentIdentity.getIdentifier().toString(), parentIdentity.getType() };
-		List<ObjectIdentity> objects = this.jdbcOperations.query(this.findChildrenSql, args,
-				(rs, rowNum) -> mapObjectIdentityRow(rs));
+		List<ObjectIdentity> objects = this.jdbcOperations.query(this.findChildrenSql,
+				(rs, rowNum) -> mapObjectIdentityRow(rs), args);
 		return (!objects.isEmpty()) ? objects : null;
 	}
 

acl/src/main/java/org/springframework/security/acls/jdbc/JdbcMutableAclService.java

@@ -190,8 +190,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @return the primary key or null if not found
 	 */
 	protected Long createOrRetrieveClassPrimaryKey(String type, boolean allowCreate, Class idType) {
-		List<Long> classIds = this.jdbcOperations.queryForList(this.selectClassPrimaryKey, new Object[] { type },
-				Long.class);
+		List<Long> classIds = this.jdbcOperations.queryForList(this.selectClassPrimaryKey, Long.class, type);
 
 		if (!classIds.isEmpty()) {
 			return classIds.get(0);
@@ -242,8 +241,8 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @return the primary key or null if not found
 	 */
 	protected Long createOrRetrieveSidPrimaryKey(String sidName, boolean sidIsPrincipal, boolean allowCreate) {
-		List<Long> sidIds = this.jdbcOperations.queryForList(this.selectSidPrimaryKey,
-				new Object[] { sidIsPrincipal, sidName }, Long.class);
+		List<Long> sidIds = this.jdbcOperations.queryForList(this.selectSidPrimaryKey, Long.class, sidIsPrincipal,
+				sidName);
 		if (!sidIds.isEmpty()) {
 			return sidIds.get(0);
 		}

acl/src/test/java/org/springframework/security/acls/jdbc/JdbcAclServiceTests.java

@@ -109,7 +109,7 @@ public class JdbcAclServiceTests {
 		List<ObjectIdentity> result = new ArrayList<>();
 		result.add(new ObjectIdentityImpl(Object.class, "5577"));
 		Object[] args = { "1", "org.springframework.security.acls.jdbc.JdbcAclServiceTests$MockLongIdDomainObject" };
-		given(this.jdbcOperations.query(anyString(), eq(args), any(RowMapper.class))).willReturn(result);
+		given(this.jdbcOperations.query(anyString(), any(RowMapper.class), eq(args))).willReturn(result);
 		ObjectIdentity objectIdentity = new ObjectIdentityImpl(MockLongIdDomainObject.class, 1L);
 		List<ObjectIdentity> objectIdentities = this.aclService.findChildren(objectIdentity);
 		assertThat(objectIdentities).hasSize(1);

buildSrc/build.gradle

@@ -1,5 +1,6 @@
 plugins {
 	id "java-gradle-plugin"
+	id "groovy-gradle-plugin"
 	id "java"
 	id "groovy"
 }
@@ -63,6 +64,7 @@ configurations {
 dependencies {
 	implementation platform(libs.io.projectreactor.reactor.bom)
 
+	implementation libs.spring.nullability
 	implementation libs.com.google.code.gson.gson
 	implementation libs.com.thaiopensource.trag
 	implementation libs.net.sourceforge.saxon.saxon
@@ -76,6 +78,7 @@ dependencies {
 	implementation libs.com.github.spullara.mustache.java.compiler
 	implementation libs.io.spring.javaformat.spring.javaformat.gradle.plugin
 	implementation libs.io.spring.nohttp.nohttp.gradle
+	implementation libs.org.jetbrains.kotlin.kotlin.gradle.plugin
 	implementation (libs.net.sourceforge.htmlunit) {
 		exclude group: 'org.eclipse.jetty.websocket', module: 'websocket-client'
 	}

buildSrc/src/main/groovy/io/spring/gradle/convention/ManagementConfigurationPlugin.java

@@ -61,7 +61,7 @@ public class ManagementConfigurationPlugin implements Plugin<Project> {
 				PublishingExtension publishing = project.getExtensions().getByType(PublishingExtension.class);
 				publishing.getPublications().withType(MavenPublication.class, (mavenPublication -> {
 					mavenPublication.versionMapping((versions) ->
-							versions.allVariants(versionMapping -> versionMapping.fromResolutionResult())
+							versions.allVariants((versionMapping) -> versionMapping.fromResolutionResult())
 					);
 				}));
 			});

buildSrc/src/main/groovy/io/spring/gradle/convention/RepositoryConventionPlugin.groovy

@@ -80,6 +80,11 @@ class RepositoryConventionPlugin implements Plugin<Project> {
 				}
 				url = 'https://repo.spring.io/release/'
 			}
+			forceMavenRepositories.findAll { it.startsWith('https://') || it.startsWith('file://') }.each { mavenUrl ->
+				maven {
+					url mavenUrl
+				}
+			}
 		}
 	}
 

buildSrc/src/main/groovy/io/spring/gradle/convention/SchemaZipPlugin.groovy

@@ -32,10 +32,13 @@ public class SchemaZipPlugin implements Plugin<Project> {
 				for (def key : schemas.keySet()) {
 					def shortName = key.replaceAll(/http.*schema.(.*).spring-.*/, '$1')
 					assert shortName != key
+					def schemaResourceName = schemas.get(key)
 					File xsdFile = module.sourceSets.main.resources.find {
-						it.path.endsWith(schemas.get(key))
+						it.path.endsWith(schemaResourceName)
+					}
+					if (xsdFile == null) {
+						throw new IllegalStateException("Could not find schema file for resource name " + schemaResourceName + " in src/main/resources")
 					}
-					assert xsdFile != null
 					schemaZip.into (shortName) {
 						duplicatesStrategy 'exclude'
 						from xsdFile.path

buildSrc/src/main/groovy/security-kotlin.gradle

@@ -0,0 +1,17 @@
+import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
+
+plugins {
+    id 'kotlin'
+}
+
+project.plugins.withId("org.jetbrains.kotlin.jvm", (kotlinProject) -> {
+    project.tasks.withType(KotlinCompile).configureEach {
+        kotlinOptions {
+            languageVersion = '2.2'
+            apiVersion = '2.2'
+            freeCompilerArgs = ["-Xjsr305=strict", "-Xsuppress-version-warnings"]
+            jvmTarget = '17'
+
+        }
+    }
+})

buildSrc/src/main/groovy/security-nullability.gradle

@@ -0,0 +1,3 @@
+plugins {
+    id 'io.spring.nullability'
+}

buildSrc/src/main/java/org/springframework/gradle/classpath/CheckClasspathForProhibitedDependencies.java

@@ -81,9 +81,6 @@ public class CheckClasspathForProhibitedDependencies extends DefaultTask {
 		if (group.startsWith("javax")) {
 			return true;
 		}
-		if (group.equals("commons-logging")) {
-			return true;
-		}
 		if (group.equals("org.slf4j") && id.getName().equals("jcl-over-slf4j")) {
 			return true;
 		}

buildSrc/src/main/java/org/springframework/security/CheckExpectedBranchVersionPlugin.java

@@ -46,7 +46,7 @@ public class CheckExpectedBranchVersionPlugin implements Plugin<Project> {
 			task.setDescription("Check if the project version matches the branch version");
 			task.onlyIf("skipCheckExpectedBranchVersion property is false or not present", CheckExpectedBranchVersionPlugin::skipPropertyFalseOrNotPresent);
 			task.getVersion().convention(project.provider(() -> project.getVersion().toString()));
-			task.getBranchName().convention(project.getProviders().exec(execSpec -> execSpec.setCommandLine("git", "symbolic-ref", "--short", "HEAD")).getStandardOutput().getAsText());
+			task.getBranchName().convention(project.getProviders().exec((execSpec) -> execSpec.setCommandLine("git", "symbolic-ref", "--short", "HEAD")).getStandardOutput().getAsText());
 			task.getOutputFile().convention(project.getLayout().getBuildDirectory().file("check-expected-branch-version"));
 		});
 		project.getTasks().named(JavaBasePlugin.CHECK_TASK_NAME, checkTask -> checkTask.dependsOn(checkExpectedBranchVersionTask));

buildSrc/src/test/java/io/spring/gradle/TestKit.java

@@ -17,8 +17,6 @@ package io.spring.gradle;
 
 import org.apache.commons.io.FileUtils;
 import org.gradle.testkit.runner.GradleRunner;
-import org.junit.runner.Description;
-import org.junit.runners.model.Statement;
 
 import java.io.File;
 import java.io.IOException;

buildSrc/src/test/java/io/spring/gradle/convention/IntegrationPluginTest.java

@@ -23,8 +23,6 @@ import org.gradle.testfixtures.ProjectBuilder;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 
-import java.io.File;
-
 import static org.assertj.core.api.Assertions.assertThat;
 
 /**

buildSrc/src/test/java/io/spring/gradle/convention/JavadocApiPluginITest.java

@@ -5,7 +5,6 @@ import org.apache.commons.io.FileUtils;
 import org.gradle.testkit.runner.BuildResult;
 import org.gradle.testkit.runner.TaskOutcome;
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 

cas/spring-security-cas.gradle

@@ -14,6 +14,7 @@ dependencies {
 
 	provided 'jakarta.servlet:jakarta.servlet-api'
 
+	testImplementation project(path : ':spring-security-web', configuration : 'tests')
 	testImplementation "org.assertj:assertj-core"
 	testImplementation "org.junit.jupiter:junit-jupiter-api"
 	testImplementation "org.junit.jupiter:junit-jupiter-params"

cas/src/main/java/org/springframework/security/cas/authentication/CasAssertionAuthenticationToken.java

@@ -21,7 +21,6 @@ import java.util.ArrayList;
 import org.apereo.cas.client.validation.Assertion;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.core.SpringSecurityCoreVersion;
 
 /**
  * Temporary authentication object needed to load the user details service.
@@ -31,7 +30,7 @@ import org.springframework.security.core.SpringSecurityCoreVersion;
  */
 public final class CasAssertionAuthenticationToken extends AbstractAuthenticationToken {
 
-	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+	private static final long serialVersionUID = 620L;
 
 	private final Assertion assertion;
 

cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java

@@ -23,7 +23,6 @@ import org.apereo.cas.client.validation.Assertion;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
@@ -36,7 +35,7 @@ import org.springframework.util.ObjectUtils;
  */
 public class CasAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
 
-	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+	private static final long serialVersionUID = 620L;
 
 	private final Object credentials;
 

cas/src/main/java/org/springframework/security/cas/authentication/CasServiceTicketAuthenticationToken.java

@@ -21,7 +21,6 @@ import java.util.Collection;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;
 
 /**
@@ -38,7 +37,7 @@ public class CasServiceTicketAuthenticationToken extends AbstractAuthenticationT
 	static final String CAS_STATEFUL_IDENTIFIER = "_cas_stateful_";
 
 	@Serial
-	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+	private static final long serialVersionUID = 620L;
 
 	private final String identifier;
 

cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java

@@ -34,7 +34,7 @@ import org.springframework.security.authentication.AuthenticationTrustResolverIm
 import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
 import org.springframework.security.cas.ServiceProperties;
 import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
-import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetails;
+import org.springframework.security.cas.authentication.ServiceAuthenticationDetails;
 import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -51,11 +51,12 @@ import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.savedrequest.SavedRequest;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy
  * tickets.
@@ -215,6 +216,8 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 
 	public CasAuthenticationFilter() {
 		super("/login/cas");
+		RequestMatcher processUri = pathPattern("/login/cas");
+		setRequiresAuthenticationRequestMatcher(processUri);
 		setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
 		setSecurityContextRepository(this.securityContextRepository);
 	}
@@ -319,8 +322,20 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 		super.setAuthenticationFailureHandler(new CasAuthenticationFailureHandler(failureHandler));
 	}
 
+	/**
+	 * Use this {@code RequestMatcher} to match proxy receptor requests. Without setting
+	 * this matcher, {@link CasAuthenticationFilter} will not capture any proxy receptor
+	 * requets.
+	 * @param proxyReceptorMatcher the {@link RequestMatcher} to use
+	 * @since 6.5
+	 */
+	public final void setProxyReceptorMatcher(RequestMatcher proxyReceptorMatcher) {
+		Assert.notNull(proxyReceptorMatcher, "proxyReceptorMatcher cannot be null");
+		this.proxyReceptorMatcher = proxyReceptorMatcher;
+	}
+
 	public final void setProxyReceptorUrl(final String proxyReceptorUrl) {
-		this.proxyReceptorMatcher = new AntPathRequestMatcher("/**" + proxyReceptorUrl);
+		this.proxyReceptorMatcher = pathPattern(proxyReceptorUrl);
 	}
 
 	public final void setProxyGrantingTicketStorage(final ProxyGrantingTicketStorage proxyGrantingTicketStorage) {

cas/src/main/java/org/springframework/security/cas/web/authentication/DefaultServiceAuthenticationDetails.java

@@ -22,6 +22,7 @@ import java.util.regex.Pattern;
 
 import jakarta.servlet.http.HttpServletRequest;
 
+import org.springframework.security.cas.authentication.ServiceAuthenticationDetails;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
@@ -60,7 +61,7 @@ final class DefaultServiceAuthenticationDetails extends WebAuthenticationDetails
 
 	/**
 	 * Returns the current URL minus the artifact parameter and its value, if present.
-	 * @see org.springframework.security.cas.web.authentication.ServiceAuthenticationDetails#getServiceUrl()
+	 * @see org.springframework.security.cas.authentication.ServiceAuthenticationDetails#getServiceUrl()
 	 */
 	@Override
 	public String getServiceUrl() {

cas/src/main/java/org/springframework/security/cas/web/authentication/ServiceAuthenticationDetails.java

@@ -1,44 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.cas.web.authentication;
-
-import org.springframework.security.cas.ServiceProperties;
-import org.springframework.security.core.Authentication;
-
-/**
- * In order for the
- * {@link org.springframework.security.cas.authentication.CasAuthenticationProvider} to
- * provide the correct service url to authenticate the ticket, the returned value of
- * {@link Authentication#getDetails()} should implement this interface when tickets can be
- * sent to any URL rather than only {@link ServiceProperties#getService()}.
- *
- * @author Rob Winch
- * @see ServiceAuthenticationDetailsSource
- * @deprecated Please use
- * org.springframework.security.cas.authentication.ServiceAuthenticationDetails
- */
-@Deprecated
-public interface ServiceAuthenticationDetails
-		extends org.springframework.security.cas.authentication.ServiceAuthenticationDetails {
-
-	/**
-	 * Gets the absolute service url (i.e. https://example.com/service/).
-	 * @return the service url. Cannot be <code>null</code>.
-	 */
-	String getServiceUrl();
-
-}

cas/src/main/java/org/springframework/security/cas/web/authentication/ServiceAuthenticationDetailsSource.java

@@ -23,6 +23,7 @@ import jakarta.servlet.http.HttpServletRequest;
 
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.cas.ServiceProperties;
+import org.springframework.security.cas.authentication.ServiceAuthenticationDetails;
 import org.springframework.util.Assert;
 
 /**

cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java

@@ -30,7 +30,6 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.cas.ServiceProperties;
-import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetails;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;

cas/src/test/java/org/springframework/security/cas/web/CasAuthenticationFilterTests.java

@@ -54,6 +54,9 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.springframework.security.web.servlet.TestMockHttpServletRequests.get;
+import static org.springframework.security.web.servlet.TestMockHttpServletRequests.post;
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
 
 /**
  * Tests {@link CasAuthenticationFilter}.
@@ -78,9 +81,7 @@ public class CasAuthenticationFilterTests {
 
 	@Test
 	public void testNormalOperation() throws Exception {
-		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.setServletPath("/login/cas");
-		request.addParameter("ticket", "ST-0-ER94xMJmn6pha35CQRoZ");
+		MockHttpServletRequest request = post("/login/cas").param("ticket", "ST-0-ER94xMJmn6pha35CQRoZ").build();
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
 		filter.setAuthenticationManager((a) -> a);
 		assertThat(filter.requiresAuthentication(request, new MockHttpServletResponse())).isTrue();
@@ -103,24 +104,22 @@ public class CasAuthenticationFilterTests {
 		String url = "/login/cas";
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
 		filter.setFilterProcessesUrl(url);
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = post(url).build();
 		MockHttpServletResponse response = new MockHttpServletResponse();
-		request.setServletPath(url);
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
 	}
 
 	@Test
 	public void testRequiresAuthenticationProxyRequest() {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = get("/pgtCallback").build();
 		MockHttpServletResponse response = new MockHttpServletResponse();
-		request.setServletPath("/pgtCallback");
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 		filter.setProxyReceptorUrl(request.getServletPath());
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 		filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
-		request.setServletPath("/other");
+		request = get("/other").build();
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 	}
 
@@ -132,11 +131,10 @@ public class CasAuthenticationFilterTests {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
 		filter.setFilterProcessesUrl(url);
 		filter.setServiceProperties(properties);
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = post(url).build();
 		MockHttpServletResponse response = new MockHttpServletResponse();
-		request.setServletPath(url);
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
-		request.setServletPath("/other");
+		request = post("/other").build();
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 		request.setParameter(properties.getArtifactParameter(), "value");
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
@@ -154,9 +152,8 @@ public class CasAuthenticationFilterTests {
 	@Test
 	public void testAuthenticateProxyUrl() throws Exception {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = get("/pgtCallback").build();
 		MockHttpServletResponse response = new MockHttpServletResponse();
-		request.setServletPath("/pgtCallback");
 		filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
 		filter.setProxyReceptorUrl(request.getServletPath());
 		assertThat(filter.attemptAuthentication(request, response)).isNull();
@@ -170,9 +167,7 @@ public class CasAuthenticationFilterTests {
 		given(manager.authenticate(any(Authentication.class))).willReturn(authentication);
 		ServiceProperties serviceProperties = new ServiceProperties();
 		serviceProperties.setAuthenticateAllArtifacts(true);
-		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.setParameter("ticket", "ST-1-123");
-		request.setServletPath("/authenticate");
+		MockHttpServletRequest request = post("/authenticate").param("ticket", "ST-1-123").build();
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain chain = mock(FilterChain.class);
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
@@ -198,10 +193,9 @@ public class CasAuthenticationFilterTests {
 	@Test
 	public void testChainNotInvokedForProxyReceptor() throws Exception {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = get("/pgtCallback").build();
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain chain = mock(FilterChain.class);
-		request.setServletPath("/pgtCallback");
 		filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
 		filter.setProxyReceptorUrl(request.getServletPath());
 		filter.doFilter(request, response, chain);
@@ -266,4 +260,18 @@ public class CasAuthenticationFilterTests {
 		verify(securityContextRepository).setContext(any(SecurityContext.class));
 	}
 
+	@Test
+	public void requiresAuthenticationWhenProxyRequestMatcherThenMatches() {
+		CasAuthenticationFilter filter = new CasAuthenticationFilter();
+		MockHttpServletRequest request = get("/pgtCallback").build();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		assertThat(filter.requiresAuthentication(request, response)).isFalse();
+		filter.setProxyReceptorMatcher(pathPattern(request.getServletPath()));
+		assertThat(filter.requiresAuthentication(request, response)).isFalse();
+		filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
+		assertThat(filter.requiresAuthentication(request, response)).isTrue();
+		request = get("/other").build();
+		assertThat(filter.requiresAuthentication(request, response)).isFalse();
+	}
+
 }

cas/src/test/java/org/springframework/security/cas/web/authentication/DefaultServiceAuthenticationDetailsTests.java

@@ -26,6 +26,7 @@ import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.context.support.GenericXmlApplicationContext;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.cas.ServiceProperties;
+import org.springframework.security.cas.authentication.ServiceAuthenticationDetails;
 import org.springframework.security.web.util.UrlUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;

config/spring-security-config.gradle

@@ -4,7 +4,7 @@ import trang.RncToXsd
 
 apply plugin: 'io.spring.convention.spring-module'
 apply plugin: 'trang'
-apply plugin: 'kotlin'
+apply plugin: 'security-kotlin'
 
 configurations {
 	opensaml5 {
@@ -25,12 +25,12 @@ dependencies {
 	optional project(':spring-security-ldap')
 	optional project(':spring-security-messaging')
 	optional project(path: ':spring-security-saml2-service-provider')
-	opensaml5 project(path: ':spring-security-saml2-service-provider', configuration: 'opensamlFiveMain')
 	optional project(':spring-security-oauth2-client')
 	optional project(':spring-security-oauth2-jose')
 	optional project(':spring-security-oauth2-resource-server')
 	optional project(':spring-security-rsocket')
 	optional project(':spring-security-web')
+	optional project(':spring-security-webauthn')
 	optional 'io.projectreactor:reactor-core'
 	optional 'org.aspectj:aspectjweaver'
 	optional 'org.springframework:spring-jdbc'
@@ -43,7 +43,6 @@ dependencies {
 	optional 'org.jetbrains.kotlin:kotlin-reflect'
 	optional 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'
 	optional 'jakarta.annotation:jakarta.annotation-api'
-	optional libs.webauthn4j.core
 
 	provided 'jakarta.servlet:jakarta.servlet-api'
 
@@ -57,6 +56,7 @@ dependencies {
 	testImplementation project(':spring-security-saml2-service-provider')
 	testImplementation project(path : ':spring-security-saml2-service-provider', configuration : 'tests')
 	testImplementation project(path : ':spring-security-web', configuration : 'tests')
+	testImplementation project(path : ':spring-security-webauthn', configuration : 'tests')
 	testImplementation "jakarta.inject:jakarta.inject-api"
 	testImplementation "org.assertj:assertj-core"
 	testImplementation "org.junit.jupiter:junit-jupiter-api"
@@ -78,12 +78,6 @@ dependencies {
 		exclude group: 'commons-logging', module: 'commons-logging'
 		exclude group: 'xml-apis', module: 'xml-apis'
 	}
-	testImplementation "org.apache.directory.server:apacheds-core"
-	testImplementation "org.apache.directory.server:apacheds-core-entry"
-	testImplementation "org.apache.directory.server:apacheds-protocol-shared"
-	testImplementation "org.apache.directory.server:apacheds-protocol-ldap"
-	testImplementation "org.apache.directory.server:apacheds-server-jndi"
-	testImplementation 'org.apache.directory.shared:shared-ldap'
 	testImplementation "com.unboundid:unboundid-ldapsdk"
 	testImplementation 'jakarta.persistence:jakarta.persistence-api'
 	testImplementation "org.hibernate.orm:hibernate-core"
@@ -127,6 +121,7 @@ dependencies {
 
 	testRuntimeOnly 'org.hsqldb:hsqldb'
 	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+	testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine'
 }
 
 def rncToXsd = tasks.named('rncToXsd', RncToXsd)
@@ -158,15 +153,6 @@ tasks.named('sourcesJar', Jar).configure {
 	}
 }
 
-tasks.withType(KotlinCompile).configureEach {
-	kotlinOptions {
-		languageVersion = "1.7"
-		apiVersion = "1.7"
-		freeCompilerArgs = ["-Xjsr305=strict", "-Xsuppress-version-warnings"]
-		jvmTarget = "17"
-	}
-}
-
 configure(project.tasks.withType(Test)) {
 	doFirst {
 		systemProperties['springSecurityVersion'] = version
@@ -183,15 +169,3 @@ test {
 		}
 	}
 }
-
-tasks.register("opensaml5Test", Test) {
-	filter {
-		includeTestsMatching "org.springframework.security.config.annotation.web.configurers.saml2.*"
-	}
-	useJUnitPlatform()
-	classpath = sourceSets.main.output + sourceSets.test.output + configurations.opensaml5
-}
-
-tasks.named("check") {
-	dependsOn opensaml5Test
-}

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java

@@ -44,7 +44,7 @@ import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMap
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
-import org.springframework.security.ldap.server.ApacheDSContainer;
+import org.springframework.security.ldap.server.UnboundIdContainer;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.test.web.servlet.MockMvc;
@@ -326,11 +326,11 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests {
 	abstract static class BaseLdapServerConfig extends BaseLdapProviderConfig {
 
 		@Bean
-		ApacheDSContainer ldapServer() throws Exception {
-			ApacheDSContainer apacheDSContainer = new ApacheDSContainer("dc=springframework,dc=org",
+		UnboundIdContainer ldapServer() throws Exception {
+			UnboundIdContainer unboundIdContainer = new UnboundIdContainer("dc=springframework,dc=org",
 					"classpath:/test-server.ldif");
-			apacheDSContainer.setPort(getPort());
-			return apacheDSContainer;
+			unboundIdContainer.setPort(getPort());
+			return unboundIdContainer;
 		}
 
 	}

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/AnonymousAuthenticationITests.java

@@ -0,0 +1,147 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.rsocket;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import io.rsocket.core.RSocketServer;
+import io.rsocket.exceptions.RejectedSetupException;
+import io.rsocket.frame.decoder.PayloadDecoder;
+import io.rsocket.transport.netty.server.CloseableChannel;
+import io.rsocket.transport.netty.server.TcpServerTransport;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.messaging.handler.annotation.MessageMapping;
+import org.springframework.messaging.rsocket.RSocketRequester;
+import org.springframework.messaging.rsocket.annotation.support.RSocketMessageHandler;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.ReactiveAuthorizationManager;
+import org.springframework.security.rsocket.core.PayloadSocketAcceptorInterceptor;
+import org.springframework.security.rsocket.core.SecuritySocketAcceptorInterceptor;
+import org.springframework.security.rsocket.util.matcher.PayloadExchangeAuthorizationContext;
+import org.springframework.stereotype.Controller;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+
+/**
+ * @author Andrey Litvitski
+ */
+@ContextConfiguration
+@ExtendWith(SpringExtension.class)
+public class AnonymousAuthenticationITests {
+
+	@Autowired
+	RSocketMessageHandler handler;
+
+	@Autowired
+	SecuritySocketAcceptorInterceptor interceptor;
+
+	@Autowired
+	ServerController controller;
+
+	private CloseableChannel server;
+
+	private RSocketRequester requester;
+
+	@BeforeEach
+	public void setup() {
+		// @formatter:off
+		this.server = RSocketServer.create()
+				.payloadDecoder(PayloadDecoder.ZERO_COPY)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
+				)
+				.acceptor(this.handler.responder())
+				.bind(TcpServerTransport.create("localhost", 0))
+				.block();
+		// @formatter:on
+	}
+
+	@AfterEach
+	public void dispose() {
+		this.requester.rsocket().dispose();
+		this.server.dispose();
+		this.controller.payloads.clear();
+	}
+
+	@Test
+	public void requestWhenAnonymousDisabledThenRespondsWithForbidden() {
+		this.requester = RSocketRequester.builder()
+			.rsocketStrategies(this.handler.getRSocketStrategies())
+			.connectTcp("localhost", this.server.address().getPort())
+			.block();
+		String data = "andrew";
+		assertThatExceptionOfType(RejectedSetupException.class).isThrownBy(
+				() -> this.requester.route("secure.retrieve-mono").data(data).retrieveMono(String.class).block());
+		assertThat(this.controller.payloads).isEmpty();
+	}
+
+	@Configuration
+	@EnableRSocketSecurity
+	static class Config {
+
+		@Bean
+		ServerController controller() {
+			return new ServerController();
+		}
+
+		@Bean
+		RSocketMessageHandler messageHandler() {
+			return new RSocketMessageHandler();
+		}
+
+		@Bean
+		PayloadSocketAcceptorInterceptor rsocketInterceptor(RSocketSecurity rsocket) {
+			AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+			ReactiveAuthorizationManager<PayloadExchangeAuthorizationContext> anonymous = (authentication,
+					exchange) -> authentication.map(trustResolver::isAnonymous).map(AuthorizationDecision::new);
+			rsocket.authorizePayload((authorize) -> authorize.anyExchange().access(anonymous));
+			rsocket.anonymous((anonymousAuthentication) -> anonymousAuthentication.disable());
+			return rsocket.build();
+		}
+
+	}
+
+	@Controller
+	static class ServerController {
+
+		private List<String> payloads = new ArrayList<>();
+
+		@MessageMapping("**")
+		String retrieveMono(String payload) {
+			add(payload);
+			return "Hi " + payload;
+		}
+
+		private void add(String p) {
+			this.payloads.add(p);
+		}
+
+	}
+
+}

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/HelloRSocketITests.java

@@ -74,8 +74,7 @@ public class HelloRSocketITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/HelloRSocketObservationITests.java

@@ -87,8 +87,7 @@ public class HelloRSocketObservationITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/HelloRSocketWithWebFluxITests.java

@@ -74,8 +74,7 @@ public class HelloRSocketWithWebFluxITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/JwtITests.java

@@ -86,8 +86,7 @@ public class JwtITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 			.payloadDecoder(PayloadDecoder.ZERO_COPY)
-			.interceptors((registry) ->
-				registry.forSocketAcceptor(this.interceptor)
+			.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 			)
 			.acceptor(this.handler.responder())
 			.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/RSocketMessageHandlerConnectionITests.java

@@ -81,8 +81,7 @@ public class RSocketMessageHandlerConnectionITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/RSocketMessageHandlerITests.java

@@ -79,8 +79,7 @@ public class RSocketMessageHandlerITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/SimpleAuthenticationITests.java

@@ -79,8 +79,7 @@ public class SimpleAuthenticationITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/ldap/LdapBindAuthenticationManagerFactoryITests.java

@@ -43,7 +43,7 @@ import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMap
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
-import org.springframework.security.ldap.server.ApacheDSContainer;
+import org.springframework.security.ldap.server.UnboundIdContainer;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
@@ -226,18 +226,18 @@ public class LdapBindAuthenticationManagerFactoryITests {
 	@EnableWebSecurity
 	abstract static class BaseLdapServerConfig implements DisposableBean {
 
-		private ApacheDSContainer container;
+		private UnboundIdContainer container;
 
 		@Bean
-		ApacheDSContainer ldapServer() throws Exception {
-			this.container = new ApacheDSContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
+		UnboundIdContainer ldapServer() {
+			this.container = new UnboundIdContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
 			this.container.setPort(0);
 			return this.container;
 		}
 
 		@Bean
-		BaseLdapPathContextSource contextSource(ApacheDSContainer container) {
-			int port = container.getLocalPort();
+		BaseLdapPathContextSource contextSource(UnboundIdContainer container) {
+			int port = container.getPort();
 			return new DefaultSpringSecurityContextSource("ldap://localhost:" + port + "/dc=springframework,dc=org");
 		}
 

config/src/integration-test/java/org/springframework/security/config/ldap/LdapPasswordComparisonAuthenticationManagerFactoryITests.java

@@ -31,7 +31,7 @@ import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
-import org.springframework.security.ldap.server.ApacheDSContainer;
+import org.springframework.security.ldap.server.UnboundIdContainer;
 import org.springframework.test.web.servlet.MockMvc;
 
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
@@ -93,18 +93,18 @@ public class LdapPasswordComparisonAuthenticationManagerFactoryITests {
 	@EnableWebSecurity
 	abstract static class BaseLdapServerConfig implements DisposableBean {
 
-		private ApacheDSContainer container;
+		private UnboundIdContainer container;
 
 		@Bean
-		ApacheDSContainer ldapServer() throws Exception {
-			this.container = new ApacheDSContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
+		UnboundIdContainer ldapServer() {
+			this.container = new UnboundIdContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
 			this.container.setPort(0);
 			return this.container;
 		}
 
 		@Bean
-		BaseLdapPathContextSource contextSource(ApacheDSContainer container) {
-			int port = container.getLocalPort();
+		BaseLdapPathContextSource contextSource(UnboundIdContainer container) {
+			int port = container.getPort();
 			return new DefaultSpringSecurityContextSource("ldap://localhost:" + port + "/dc=springframework,dc=org");
 		}
 

config/src/integration-test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java

@@ -56,7 +56,7 @@ public class LdapProviderBeanDefinitionParserTests {
 		AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER,
 				AuthenticationManager.class);
 		Authentication auth = authenticationManager
-			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"));
+			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("otherben", "otherbenspassword"));
 		UserDetails ben = (UserDetails) auth.getPrincipal();
 		assertThat(ben.getAuthorities()).hasSize(3);
 	}
@@ -127,6 +127,27 @@ public class LdapProviderBeanDefinitionParserTests {
 		assertThat(auth).isNotNull();
 	}
 
+	@Test
+	public void supportsShaPasswordEncoder() {
+		this.appCtx = new InMemoryXmlApplicationContext("""
+				<ldap-server ldif='classpath:test-server.ldif' port='0'/>
+				<authentication-manager>
+					<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>
+						<password-compare>
+							<password-encoder ref='pe' />
+						</password-compare>
+					</ldap-authentication-provider>
+				</authentication-manager>
+				<b:bean id='pe' class='org.springframework.security.crypto.password.LdapShaPasswordEncoder' />
+				""");
+		AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER,
+				AuthenticationManager.class);
+		Authentication auth = authenticationManager
+			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"));
+
+		assertThat(auth).isNotNull();
+	}
+
 	@Test
 	public void inetOrgContextMapperIsSupported() {
 		this.appCtx = new InMemoryXmlApplicationContext(

config/src/integration-test/java/org/springframework/security/config/ldap/LdapServerBeanDefinitionParserTests.java

@@ -26,7 +26,7 @@ import org.springframework.ldap.core.LdapTemplate;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
-import org.springframework.security.ldap.server.ApacheDSContainer;
+import org.springframework.security.ldap.server.UnboundIdContainer;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -92,9 +92,9 @@ public class LdapServerBeanDefinitionParserTests {
 	@Test
 	public void defaultLdifFileIsSuccessful() {
 		this.appCtx = new InMemoryXmlApplicationContext("<ldap-server/>");
-		ApacheDSContainer dsContainer = this.appCtx.getBean(ApacheDSContainer.class);
+		UnboundIdContainer dsContainer = this.appCtx.getBean(UnboundIdContainer.class);
 
-		assertThat(ReflectionTestUtils.getField(dsContainer, "ldifResources")).isEqualTo("classpath*:*.ldif");
+		assertThat(ReflectionTestUtils.getField(dsContainer, "ldif")).isEqualTo("classpath*:*.ldif");
 	}
 
 	private int getDefaultPort() throws IOException {

config/src/integration-test/resources/logback-test.xml

@@ -7,7 +7,6 @@
 
 	<logger name="org.springframework.security" level="${sec.log.level:-WARN}"/>
 
-	<logger name="org.apache.directory" level="ERROR"/>
 	<logger name="JdbmTable" level="INFO"/>
 	<logger name="JdbmIndex" level="INFO"/>
 	<logger name="org.apache.mina" level="WARN"/>

config/src/main/java/org/springframework/security/config/BeanIds.java

@@ -54,8 +54,6 @@ public abstract class BeanIds {
 
 	public static final String METHOD_SECURITY_METADATA_SOURCE_ADVISOR = PREFIX + "methodSecurityMetadataSourceAdvisor";
 
-	public static final String EMBEDDED_APACHE_DS = PREFIX + "apacheDirectoryServerContainer";
-
 	public static final String EMBEDDED_UNBOUNDID = PREFIX + "unboundidServerContainer";
 
 	public static final String CONTEXT_SOURCE = PREFIX + "securityContextSource";

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -18,6 +18,7 @@ package org.springframework.security.config;
 
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -77,26 +78,23 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 
 	public SecurityNamespaceHandler() {
 		String coreVersion = SpringSecurityCoreVersion.getVersion();
+		String configVersion = configVersion();
+		if (!Objects.equals(coreVersion, configVersion)) {
+			String message = "You are attempting to run spring-security-core:%s with spring-security-config:%s";
+			this.logger.error(String.format(message, coreVersion, configVersion));
+		}
+	}
+
+	private static String configVersion() {
 		Package pkg = SpringSecurityCoreVersion.class.getPackage();
-		if (pkg == null || coreVersion == null) {
-			this.logger.info("Couldn't determine package version information.");
-			return;
-		}
-		String version = pkg.getImplementationVersion();
-		this.logger.info("Spring Security 'config' module version is " + version);
-		if (version.compareTo(coreVersion) != 0) {
-			this.logger
-				.error("You are running with different versions of the Spring Security 'core' and 'config' modules");
-		}
+		return (pkg != null) ? pkg.getImplementationVersion() : null;
 	}
 
 	@Override
 	public BeanDefinition parse(Element element, ParserContext pc) {
 		if (!namespaceMatchesVersion(element)) {
 			pc.getReaderContext()
-				.fatal("You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or "
-						+ "spring-security-3.1.xsd schema or spring-security-3.2.xsd schema or spring-security-4.0.xsd schema "
-						+ "with Spring Security 6.4. Please update your schema declarations to the 6.4 schema.",
+				.fatal("You cannot use any XSD older than spring-security-7.0.xsd. Either change to spring-security.xsd or spring-security-7.0.xsd",
 						element);
 		}
 		String name = pc.getDelegate().getLocalName(element);
@@ -221,7 +219,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 
 	private boolean matchesVersionInternal(Element element) {
 		String schemaLocation = element.getAttributeNS("http://www.w3.org/2001/XMLSchema-instance", "schemaLocation");
-		return schemaLocation.matches("(?m).*spring-security-6\\.4.*.xsd.*")
+		return schemaLocation.matches("(?m).*spring-security-7\\.0.*.xsd.*")
 				|| schemaLocation.matches("(?m).*spring-security.xsd.*")
 				|| !schemaLocation.matches("(?m).*spring-security.*");
 	}

config/src/main/java/org/springframework/security/config/ThrowingCustomizer.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config;
+
+/**
+ * A {@link Customizer} that allows invocation of code that throws a checked exception.
+ *
+ * @param <T> The type of input.
+ */
+@FunctionalInterface
+public interface ThrowingCustomizer<T> extends Customizer<T> {
+
+	/**
+	 * Default {@link Customizer#customize(Object)} that wraps any thrown checked
+	 * exceptions (by default in a {@link RuntimeException}).
+	 * @param t the object to customize
+	 */
+	default void customize(T t) {
+		try {
+			customizeWithException(t);
+		}
+		catch (RuntimeException ex) {
+			throw ex;
+		}
+		catch (Exception ex) {
+			throw new RuntimeException(ex);
+		}
+	}
+
+	/**
+	 * Performs the customization on the given object, possibly throwing a checked
+	 * exception.
+	 * @param t the object to customize
+	 * @throws Exception on error
+	 */
+	void customizeWithException(T t) throws Exception;
+
+}

config/src/main/java/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java

@@ -80,15 +80,6 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 		this(objectPostProcessor, false);
 	}
 
-	/**
-	 * @deprecated
-	 */
-	@Deprecated(since = "6.4", forRemoval = true)
-	protected AbstractConfiguredSecurityBuilder(
-			org.springframework.security.config.annotation.ObjectPostProcessor<Object> objectPostProcessor) {
-		this(objectPostProcessor, false);
-	}
-
 	/***
 	 * Creates a new instance with the provided {@link ObjectPostProcessor}. This post
 	 * processor must support Object since there are many types of objects that may be
@@ -104,18 +95,6 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 		this.allowConfigurersOfSameType = allowConfigurersOfSameType;
 	}
 
-	/**
-	 * @deprecated
-	 */
-	@Deprecated(since = "6.4", forRemoval = true)
-	protected AbstractConfiguredSecurityBuilder(
-			org.springframework.security.config.annotation.ObjectPostProcessor<Object> objectPostProcessor,
-			boolean allowConfigurersOfSameType) {
-		Assert.notNull(objectPostProcessor, "objectPostProcessor cannot be null");
-		this.objectPostProcessor = objectPostProcessor;
-		this.allowConfigurersOfSameType = allowConfigurersOfSameType;
-	}
-
 	/**
 	 * Similar to {@link #build()} and {@link #getObject()} but checks the state to
 	 * determine if {@link #build()} needs to be called first.
@@ -135,24 +114,6 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 		}
 	}
 
-	/**
-	 * Applies a {@link SecurityConfigurerAdapter} to this {@link SecurityBuilder} and
-	 * invokes {@link SecurityConfigurerAdapter#setBuilder(SecurityBuilder)}.
-	 * @param configurer
-	 * @return the {@link SecurityConfigurerAdapter} for further customizations
-	 * @throws Exception
-	 * @deprecated For removal in 7.0. Use
-	 * {@link #with(SecurityConfigurerAdapter, Customizer)} instead.
-	 */
-	@Deprecated(since = "6.2", forRemoval = true)
-	@SuppressWarnings("unchecked")
-	public <C extends SecurityConfigurerAdapter<O, B>> C apply(C configurer) throws Exception {
-		configurer.addObjectPostProcessor(this.objectPostProcessor);
-		configurer.setBuilder((B) this);
-		add(configurer);
-		return configurer;
-	}
-
 	/**
 	 * Applies a {@link SecurityConfigurer} to this {@link SecurityBuilder} overriding any
 	 * {@link SecurityConfigurer} of the exact same class. Note that object hierarchies
@@ -166,6 +127,28 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 		return configurer;
 	}
 
+	/**
+	 * Applies a {@link SecurityConfigurerAdapter} to this {@link SecurityBuilder} and
+	 * invokes {@link SecurityConfigurerAdapter#setBuilder(SecurityBuilder)}.
+	 *
+	 * <p>
+	 * A shortcut for applying a configurer as-is, or in other words: <code>
+	 *     .with(new MyConfigurer())
+	 * </code>
+	 *
+	 * <p>
+	 * Is identical to: <code>
+	 *     .with(new MyConfigurer(), Customizer.withDefaults())
+	 * </code>
+	 * @param configurer
+	 * @return the {@link SecurityBuilder} for further customizations
+	 * @throws Exception
+	 * @since 7.0
+	 */
+	public <C extends SecurityConfigurerAdapter<O, B>> B with(C configurer) throws Exception {
+		return with(configurer, Customizer.withDefaults());
+	}
+
 	/**
 	 * Applies a {@link SecurityConfigurerAdapter} to this {@link SecurityBuilder} and
 	 * invokes {@link SecurityConfigurerAdapter#setBuilder(SecurityBuilder)}.

config/src/main/java/org/springframework/security/config/annotation/ObjectPostProcessor.java

@@ -1,45 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config.annotation;
-
-import org.springframework.beans.factory.Aware;
-import org.springframework.beans.factory.DisposableBean;
-import org.springframework.beans.factory.InitializingBean;
-
-/**
- * Allows initialization of Objects. Typically this is used to call the {@link Aware}
- * methods, {@link InitializingBean#afterPropertiesSet()}, and ensure that
- * {@link DisposableBean#destroy()} has been invoked.
- *
- * @param <T> the bound of the types of Objects this {@link ObjectPostProcessor} supports.
- * @author Rob Winch
- * @since 3.2
- * @deprecated please use {@link org.springframework.security.config.ObjectPostProcessor}
- * instead
- */
-@Deprecated
-public interface ObjectPostProcessor<T> extends org.springframework.security.config.ObjectPostProcessor<T> {
-
-	/**
-	 * Initialize the object possibly returning a modified instance that should be used
-	 * instead.
-	 * @param object the object to initialize
-	 * @return the initialized version of the object
-	 */
-	<O extends T> O postProcess(O object);
-
-}

config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java

@@ -21,6 +21,7 @@ import java.util.List;
 
 import org.springframework.core.GenericTypeResolver;
 import org.springframework.core.annotation.AnnotationAwareOrderComparator;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.util.Assert;
 
@@ -50,17 +51,6 @@ public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>
 	public void configure(B builder) throws Exception {
 	}
 
-	/**
-	 * Return the {@link SecurityBuilder} when done using the {@link SecurityConfigurer}.
-	 * This is useful for method chaining.
-	 * @return the {@link SecurityBuilder} for further customizations
-	 * @deprecated For removal in 7.0. Use the lambda based configuration instead.
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public B and() {
-		return getBuilder();
-	}
-
 	/**
 	 * Gets the {@link SecurityBuilder}. Cannot be null.
 	 * @return the {@link SecurityBuilder}
@@ -92,18 +82,9 @@ public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>
 		this.objectPostProcessor.addObjectPostProcessor(objectPostProcessor);
 	}
 
-	/**
-	 * @deprecated
-	 */
-	@Deprecated(since = "6.4", forRemoval = true)
-	public void addObjectPostProcessor(
-			org.springframework.security.config.annotation.ObjectPostProcessor<?> objectPostProcessor) {
-		this.objectPostProcessor.addObjectPostProcessor(objectPostProcessor);
-	}
-
 	/**
 	 * Sets the {@link SecurityBuilder} to be used. This is automatically set when using
-	 * {@link AbstractConfiguredSecurityBuilder#apply(SecurityConfigurerAdapter)}
+	 * {@link AbstractConfiguredSecurityBuilder#with(SecurityConfigurerAdapter, Customizer)}
 	 * @param builder the {@link SecurityBuilder} to set
 	 */
 	public void setBuilder(B builder) {

config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java

@@ -67,23 +67,12 @@ public class AuthenticationManagerBuilder
 
 	/**
 	 * Creates a new instance
-	 * @param objectPostProcessor the
-	 * {@link org.springframework.security.config.annotation.ObjectPostProcessor} instance
-	 * to use.
+	 * @param objectPostProcessor the {@link ObjectPostProcessor} instance to use.
 	 */
 	public AuthenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
 		super(objectPostProcessor, true);
 	}
 
-	/**
-	 * @deprecated
-	 */
-	@Deprecated(since = "6.4", forRemoval = true)
-	public AuthenticationManagerBuilder(
-			org.springframework.security.config.annotation.ObjectPostProcessor<Object> objectPostProcessor) {
-		super(objectPostProcessor, true);
-	}
-
 	/**
 	 * Allows providing a parent {@link AuthenticationManager} that will be tried if this
 	 * {@link AuthenticationManager} was unable to attempt to authenticate the provided
@@ -206,7 +195,9 @@ public class AuthenticationManagerBuilder
 	 * @throws Exception if an error occurs when adding the LDAP authentication
 	 */
 	public LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldapAuthentication() throws Exception {
-		return apply(new LdapAuthenticationProviderConfigurer<>());
+		LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldap = new LdapAuthenticationProviderConfigurer<>();
+		with(ldap);
+		return ldap;
 	}
 
 	/**
@@ -288,7 +279,8 @@ public class AuthenticationManagerBuilder
 	private <C extends UserDetailsAwareConfigurer<AuthenticationManagerBuilder, ? extends UserDetailsService>> C apply(
 			C configurer) throws Exception {
 		this.defaultUserDetailsService = configurer.getUserDetailsService();
-		return super.apply(configurer);
+		with(configurer);
+		return configurer;
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/EnableGlobalAuthentication.java

@@ -26,7 +26,6 @@ import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
 
 /**
  * The {@link EnableGlobalAuthentication} annotation signals that the annotated class can
@@ -87,14 +86,12 @@ import org.springframework.security.config.annotation.web.servlet.configuration.
  *
  * <ul>
  * <li>{@link EnableWebSecurity}</li>
- * <li>{@link EnableWebMvcSecurity}</li>
  * <li>{@link EnableGlobalMethodSecurity}</li>
  * </ul>
  *
  * Configuring {@link AuthenticationManagerBuilder} in a class without the
  * {@link EnableGlobalAuthentication} annotation has unpredictable results.
  *
- * @see EnableWebMvcSecurity
  * @see EnableWebSecurity
  * @see EnableGlobalMethodSecurity
  * @author Rob Winch

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/InitializeUserDetailsBeanManagerConfigurer.java

@@ -95,14 +95,10 @@ class InitializeUserDetailsBeanManagerConfigurer extends GlobalAuthenticationCon
 			PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class);
 			UserDetailsPasswordService passwordManager = getBeanOrNull(UserDetailsPasswordService.class);
 			CompromisedPasswordChecker passwordChecker = getBeanOrNull(CompromisedPasswordChecker.class);
-			DaoAuthenticationProvider provider;
+			DaoAuthenticationProvider provider = new DaoAuthenticationProvider(userDetailsService);
 			if (passwordEncoder != null) {
-				provider = new DaoAuthenticationProvider(passwordEncoder);
+				provider.setPasswordEncoder(passwordEncoder);
 			}
-			else {
-				provider = new DaoAuthenticationProvider();
-			}
-			provider.setUserDetailsService(userDetailsService);
 			if (passwordManager != null) {
 				provider.setUserDetailsPasswordService(passwordManager);
 			}

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java

@@ -25,7 +25,6 @@ import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
-import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
@@ -38,7 +37,6 @@ import org.springframework.security.ldap.authentication.LdapAuthenticator;
 import org.springframework.security.ldap.authentication.PasswordComparisonAuthenticator;
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 import org.springframework.security.ldap.search.LdapUserSearch;
-import org.springframework.security.ldap.server.ApacheDSContainer;
 import org.springframework.security.ldap.server.UnboundIdContainer;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper;
@@ -61,12 +59,8 @@ import org.springframework.util.ClassUtils;
 public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuilder<B>>
 		extends SecurityConfigurerAdapter<AuthenticationManager, B> {
 
-	private static final String APACHEDS_CLASSNAME = "org.apache.directory.server.core.DefaultDirectoryService";
-
 	private static final String UNBOUNDID_CLASSNAME = "com.unboundid.ldap.listener.InMemoryDirectoryServer";
 
-	private static final boolean apacheDsPresent;
-
 	private static final boolean unboundIdPresent;
 
 	private String groupRoleAttribute = "cn";
@@ -101,7 +95,6 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 
 	static {
 		ClassLoader classLoader = LdapAuthenticationProviderConfigurer.class.getClassLoader();
-		apacheDsPresent = ClassUtils.isPresent(APACHEDS_CLASSNAME, classLoader);
 		unboundIdPresent = ClassUtils.isPresent(UNBOUNDID_CLASSNAME, classLoader);
 	}
 
@@ -133,23 +126,13 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 	/**
 	 * Adds an {@link ObjectPostProcessor} for this class.
 	 * @param objectPostProcessor
-	 * @return the {@link ChannelSecurityConfigurer} for further customizations
+	 * @return the {@link LdapAuthenticationProviderConfigurer} for further customizations
 	 */
 	public LdapAuthenticationProviderConfigurer<B> withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor) {
 		addObjectPostProcessor(objectPostProcessor);
 		return this;
 	}
 
-	/**
-	 * @deprecated
-	 */
-	@Deprecated(since = "6.4", forRemoval = true)
-	public LdapAuthenticationProviderConfigurer<B> withObjectPostProcessor(
-			org.springframework.security.config.annotation.ObjectPostProcessor<?> objectPostProcessor) {
-		addObjectPostProcessor(objectPostProcessor);
-		return this;
-	}
-
 	/**
 	 * Gets the {@link LdapAuthoritiesPopulator} and defaults to
 	 * {@link DefaultLdapAuthoritiesPopulator}
@@ -393,6 +376,10 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 		return this;
 	}
 
+	public B and() {
+		return getBuilder();
+	}
+
 	@Override
 	public void configure(B builder) throws Exception {
 		LdapAuthenticationProvider provider = postProcess(build());
@@ -468,8 +455,6 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 	 */
 	public final class ContextSourceBuilder {
 
-		private static final String APACHEDS_CLASSNAME = "org.apache.directory.server.core.DefaultDirectoryService";
-
 		private static final String UNBOUNDID_CLASSNAME = "com.unboundid.ldap.listener.InMemoryDirectoryServer";
 
 		private static final int DEFAULT_PORT = 33389;
@@ -585,14 +570,8 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 			return contextSource;
 		}
 
-		private void startEmbeddedLdapServer() throws Exception {
-			if (apacheDsPresent) {
-				ApacheDSContainer apacheDsContainer = new ApacheDSContainer(this.root, this.ldif);
-				apacheDsContainer.setPort(getPort());
-				postProcess(apacheDsContainer);
-				this.port = apacheDsContainer.getLocalPort();
-			}
-			else if (unboundIdPresent) {
+		private void startEmbeddedLdapServer() {
+			if (unboundIdPresent) {
 				UnboundIdContainer unboundIdContainer = new UnboundIdContainer(this.root, this.ldif);
 				unboundIdContainer.setPort(getPort());
 				postProcess(unboundIdContainer);

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/provisioning/InMemoryUserDetailsManagerConfigurer.java

@@ -41,4 +41,8 @@ public class InMemoryUserDetailsManagerConfigurer<B extends ProviderManagerBuild
 		super(new InMemoryUserDetailsManager(new ArrayList<>()));
 	}
 
+	public B and() {
+		return getBuilder();
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/userdetails/AbstractDaoAuthenticationConfigurer.java

@@ -36,7 +36,7 @@ import org.springframework.security.crypto.password.PasswordEncoder;
 public abstract class AbstractDaoAuthenticationConfigurer<B extends ProviderManagerBuilder<B>, C extends AbstractDaoAuthenticationConfigurer<B, C, U>, U extends UserDetailsService>
 		extends UserDetailsAwareConfigurer<B, U> {
 
-	private DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+	private DaoAuthenticationProvider provider;
 
 	private final U userDetailsService;
 
@@ -46,7 +46,7 @@ public abstract class AbstractDaoAuthenticationConfigurer<B extends ProviderMana
 	 */
 	AbstractDaoAuthenticationConfigurer(U userDetailsService) {
 		this.userDetailsService = userDetailsService;
-		this.provider.setUserDetailsService(userDetailsService);
+		this.provider = new DaoAuthenticationProvider(userDetailsService);
 		if (userDetailsService instanceof UserDetailsPasswordService) {
 			this.provider.setUserDetailsPasswordService((UserDetailsPasswordService) userDetailsService);
 		}
@@ -63,17 +63,6 @@ public abstract class AbstractDaoAuthenticationConfigurer<B extends ProviderMana
 		return (C) this;
 	}
 
-	/**
-	 * @deprecated
-	 */
-	@Deprecated(since = "6.4", forRemoval = true)
-	@SuppressWarnings("unchecked")
-	public C withObjectPostProcessor(
-			org.springframework.security.config.annotation.ObjectPostProcessor<?> objectPostProcessor) {
-		addObjectPostProcessor(objectPostProcessor);
-		return (C) this;
-	}
-
 	/**
 	 * Allows specifying the {@link PasswordEncoder} to use with the
 	 * {@link DaoAuthenticationProvider}. The default is to use plain text.

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyConfiguration.java

@@ -17,6 +17,7 @@
 package org.springframework.security.config.annotation.method.configuration;
 
 import java.util.ArrayList;
+import java.util.List;
 
 import org.aopalliance.intercept.MethodInterceptor;
 
@@ -31,6 +32,7 @@ import org.springframework.security.aot.hint.SecurityHintsRegistrar;
 import org.springframework.security.authorization.AuthorizationProxyFactory;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
+import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
 import org.springframework.security.authorization.method.AuthorizeReturnObjectMethodInterceptor;
 import org.springframework.security.config.Customizer;
 
@@ -40,21 +42,23 @@ final class AuthorizationProxyConfiguration implements AopInfrastructureBean {
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static AuthorizationAdvisorProxyFactory authorizationProxyFactory(
+			ObjectProvider<AuthorizationAdvisor> authorizationAdvisors, ObjectProvider<TargetVisitor> targetVisitors,
 			ObjectProvider<Customizer<AuthorizationAdvisorProxyFactory>> customizers) {
-		AuthorizationAdvisorProxyFactory factory = new AuthorizationAdvisorProxyFactory(new ArrayList<>());
+		List<AuthorizationAdvisor> advisors = new ArrayList<>();
+		authorizationAdvisors.forEach(advisors::add);
+		List<TargetVisitor> visitors = new ArrayList<>();
+		targetVisitors.orderedStream().forEach(visitors::add);
+		visitors.add(TargetVisitor.defaults());
+		AuthorizationAdvisorProxyFactory factory = new AuthorizationAdvisorProxyFactory(advisors);
+		factory.setTargetVisitor(TargetVisitor.of(visitors.toArray(TargetVisitor[]::new)));
 		customizers.forEach((c) -> c.customize(factory));
 		return factory;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	static MethodInterceptor authorizeReturnObjectMethodInterceptor(ObjectProvider<AuthorizationAdvisor> provider,
-			AuthorizationAdvisorProxyFactory authorizationProxyFactory) {
-		provider.forEach(authorizationProxyFactory::addAdvisor);
-		AuthorizeReturnObjectMethodInterceptor interceptor = new AuthorizeReturnObjectMethodInterceptor(
-				authorizationProxyFactory);
-		authorizationProxyFactory.addAdvisor(interceptor);
-		return interceptor;
+	static MethodInterceptor authorizeReturnObjectMethodInterceptor() {
+		return new AuthorizeReturnObjectMethodInterceptor();
 	}
 
 	@Bean

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyDataConfiguration.java

@@ -16,13 +16,22 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
+import java.util.List;
+
 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Role;
+import org.springframework.core.Ordered;
+import org.springframework.data.domain.PageImpl;
+import org.springframework.data.domain.SliceImpl;
+import org.springframework.data.geo.GeoPage;
+import org.springframework.data.geo.GeoResult;
+import org.springframework.data.geo.GeoResults;
 import org.springframework.security.aot.hint.SecurityHintsRegistrar;
 import org.springframework.security.authorization.AuthorizationProxyFactory;
+import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar;
 
 @Configuration(proxyBeanMethods = false)
@@ -34,4 +43,45 @@ final class AuthorizationProxyDataConfiguration implements AopInfrastructureBean
 		return new AuthorizeReturnObjectDataHintsRegistrar(proxyFactory);
 	}
 
+	@Bean
+	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+	DataTargetVisitor dataTargetVisitor() {
+		return new DataTargetVisitor();
+	}
+
+	static final class DataTargetVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor, Ordered {
+
+		private static final int DEFAULT_ORDER = 200;
+
+		@Override
+		public Object visit(AuthorizationAdvisorProxyFactory proxyFactory, Object target) {
+			if (target instanceof GeoResults<?> geoResults) {
+				return new GeoResults<>(proxyFactory.proxy(geoResults.getContent()), geoResults.getAverageDistance());
+			}
+			if (target instanceof GeoResult<?> geoResult) {
+				return new GeoResult<>(proxyFactory.proxy(geoResult.getContent()), geoResult.getDistance());
+			}
+			if (target instanceof GeoPage<?> geoPage) {
+				GeoResults<?> results = new GeoResults<>(proxyFactory.proxy(geoPage.getContent()),
+						geoPage.getAverageDistance());
+				return new GeoPage<>(results, geoPage.getPageable(), geoPage.getTotalElements());
+			}
+			if (target instanceof PageImpl<?> page) {
+				List<?> content = proxyFactory.proxy(page.getContent());
+				return new PageImpl<>(content, page.getPageable(), page.getTotalElements());
+			}
+			if (target instanceof SliceImpl<?> slice) {
+				List<?> content = proxyFactory.proxy(slice.getContent());
+				return new SliceImpl<>(content, slice.getPageable(), slice.hasNext());
+			}
+			return null;
+		}
+
+		@Override
+		public int getOrder() {
+			return DEFAULT_ORDER;
+		}
+
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyWebConfiguration.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.method.configuration;
+
+import java.util.List;
+import java.util.Map;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Role;
+import org.springframework.core.Ordered;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
+import org.springframework.security.web.util.ThrowableAnalyzer;
+import org.springframework.web.servlet.HandlerExceptionResolver;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.View;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver;
+
+@Configuration
+class AuthorizationProxyWebConfiguration implements WebMvcConfigurer {
+
+	@Bean
+	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+	AuthorizationAdvisorProxyFactory.TargetVisitor webTargetVisitor() {
+		return new WebTargetVisitor();
+	}
+
+	@Override
+	public void extendHandlerExceptionResolvers(List<HandlerExceptionResolver> resolvers) {
+		for (int i = 0; i < resolvers.size(); i++) {
+			HandlerExceptionResolver resolver = resolvers.get(i);
+			if (resolver instanceof DefaultHandlerExceptionResolver) {
+				resolvers.add(i, new AccessDeniedExceptionResolver());
+				return;
+			}
+		}
+		resolvers.add(new AccessDeniedExceptionResolver());
+	}
+
+	static class WebTargetVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor, Ordered {
+
+		private static final int DEFAULT_ORDER = 100;
+
+		@Override
+		public Object visit(AuthorizationAdvisorProxyFactory proxyFactory, Object target) {
+			if (target instanceof ResponseEntity<?> entity) {
+				return new ResponseEntity<>(proxyFactory.proxy(entity.getBody()), entity.getHeaders(),
+						entity.getStatusCode());
+			}
+			if (target instanceof HttpEntity<?> entity) {
+				return new HttpEntity<>(proxyFactory.proxy(entity.getBody()), entity.getHeaders());
+			}
+			if (target instanceof ModelAndView mav) {
+				View view = mav.getView();
+				String viewName = mav.getViewName();
+				Map<String, Object> model = proxyFactory.proxy(mav.getModel());
+				ModelAndView proxied = (view != null) ? new ModelAndView(view, model)
+						: new ModelAndView(viewName, model);
+				proxied.setStatus(mav.getStatus());
+				return proxied;
+			}
+			return null;
+		}
+
+		@Override
+		public int getOrder() {
+			return DEFAULT_ORDER;
+		}
+
+	}
+
+	static class AccessDeniedExceptionResolver implements HandlerExceptionResolver {
+
+		final ThrowableAnalyzer throwableAnalyzer = new ThrowableAnalyzer();
+
+		@Override
+		public ModelAndView resolveException(HttpServletRequest request, HttpServletResponse response, Object handler,
+				Exception ex) {
+			Throwable[] causeChain = this.throwableAnalyzer.determineCauseChain(ex);
+			Throwable accessDeniedException = this.throwableAnalyzer
+				.getFirstThrowableOfType(AccessDeniedException.class, causeChain);
+			if (accessDeniedException != null) {
+				throw (AccessDeniedException) accessDeniedException;
+			}
+			return null;
+		}
+
+	}
+
+}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringMethodInterceptor.java

@@ -20,10 +20,10 @@ import java.util.function.Supplier;
 
 import org.aopalliance.aop.Advice;
 import org.aopalliance.intercept.MethodInvocation;
-import org.jetbrains.annotations.NotNull;
-import org.jetbrains.annotations.Nullable;
 
 import org.springframework.aop.Pointcut;
+import org.springframework.lang.NonNull;
+import org.springframework.lang.Nullable;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 import org.springframework.util.function.SingletonSupplier;
 
@@ -40,7 +40,7 @@ final class DeferringMethodInterceptor<M extends AuthorizationAdvisor> implement
 
 	@Nullable
 	@Override
-	public Object invoke(@NotNull MethodInvocation invocation) throws Throwable {
+	public Object invoke(@NonNull MethodInvocation invocation) throws Throwable {
 		return this.delegate.get().invoke(invocation);
 	}
 

config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationAuthorizationManager.java

@@ -1,72 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config.annotation.method.configuration;
-
-import java.util.function.Supplier;
-
-import io.micrometer.observation.ObservationRegistry;
-import org.aopalliance.intercept.MethodInvocation;
-
-import org.springframework.beans.factory.ObjectProvider;
-import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.AuthorizationManager;
-import org.springframework.security.authorization.AuthorizationResult;
-import org.springframework.security.authorization.ObservationAuthorizationManager;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.MethodInvocationResult;
-import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler;
-import org.springframework.security.core.Authentication;
-import org.springframework.util.function.SingletonSupplier;
-
-final class DeferringObservationAuthorizationManager<T>
-		implements AuthorizationManager<T>, MethodAuthorizationDeniedHandler {
-
-	private final Supplier<AuthorizationManager<T>> delegate;
-
-	private MethodAuthorizationDeniedHandler handler = new ThrowingMethodAuthorizationDeniedHandler();
-
-	DeferringObservationAuthorizationManager(ObjectProvider<ObservationRegistry> provider,
-			AuthorizationManager<T> delegate) {
-		this.delegate = SingletonSupplier.of(() -> {
-			ObservationRegistry registry = provider.getIfAvailable(() -> ObservationRegistry.NOOP);
-			if (registry.isNoop()) {
-				return delegate;
-			}
-			return new ObservationAuthorizationManager<>(registry, delegate);
-		});
-		if (delegate instanceof MethodAuthorizationDeniedHandler h) {
-			this.handler = h;
-		}
-	}
-
-	@Override
-	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
-		return this.delegate.get().check(authentication, object);
-	}
-
-	@Override
-	public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
-		return this.handler.handleDeniedInvocation(methodInvocation, authorizationResult);
-	}
-
-	@Override
-	public Object handleDeniedInvocationResult(MethodInvocationResult methodInvocationResult,
-			AuthorizationResult authorizationResult) {
-		return this.handler.handleDeniedInvocationResult(methodInvocationResult, authorizationResult);
-	}
-
-}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationReactiveAuthorizationManager.java

@@ -1,73 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config.annotation.method.configuration;
-
-import java.util.function.Supplier;
-
-import io.micrometer.observation.ObservationRegistry;
-import org.aopalliance.intercept.MethodInvocation;
-import reactor.core.publisher.Mono;
-
-import org.springframework.beans.factory.ObjectProvider;
-import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.AuthorizationResult;
-import org.springframework.security.authorization.ObservationReactiveAuthorizationManager;
-import org.springframework.security.authorization.ReactiveAuthorizationManager;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.MethodInvocationResult;
-import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler;
-import org.springframework.security.core.Authentication;
-import org.springframework.util.function.SingletonSupplier;
-
-final class DeferringObservationReactiveAuthorizationManager<T>
-		implements ReactiveAuthorizationManager<T>, MethodAuthorizationDeniedHandler {
-
-	private final Supplier<ReactiveAuthorizationManager<T>> delegate;
-
-	private MethodAuthorizationDeniedHandler handler = new ThrowingMethodAuthorizationDeniedHandler();
-
-	DeferringObservationReactiveAuthorizationManager(ObjectProvider<ObservationRegistry> provider,
-			ReactiveAuthorizationManager<T> delegate) {
-		this.delegate = SingletonSupplier.of(() -> {
-			ObservationRegistry registry = provider.getIfAvailable(() -> ObservationRegistry.NOOP);
-			if (registry.isNoop()) {
-				return delegate;
-			}
-			return new ObservationReactiveAuthorizationManager<>(registry, delegate);
-		});
-		if (delegate instanceof MethodAuthorizationDeniedHandler h) {
-			this.handler = h;
-		}
-	}
-
-	@Override
-	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
-		return this.delegate.get().check(authentication, object);
-	}
-
-	@Override
-	public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
-		return this.handler.handleDeniedInvocation(methodInvocation, authorizationResult);
-	}
-
-	@Override
-	public Object handleDeniedInvocationResult(MethodInvocationResult methodInvocationResult,
-			AuthorizationResult authorizationResult) {
-		return this.handler.handleDeniedInvocationResult(methodInvocationResult, authorizationResult);
-	}
-
-}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java

@@ -407,16 +407,6 @@ public class GlobalMethodSecurityConfiguration implements ImportAware, SmartInit
 		this.objectPostProcessor = objectPostProcessor;
 	}
 
-	/**
-	 * @deprecated
-	 */
-	@Deprecated(since = "6.4", forRemoval = true)
-	@Autowired(required = false)
-	public void setObjectPostProcessor(
-			org.springframework.security.config.annotation.ObjectPostProcessor<Object> objectPostProcessor) {
-		this.objectPostProcessor = objectPostProcessor;
-	}
-
 	@Autowired(required = false)
 	public void setMethodSecurityExpressionHandler(List<MethodSecurityExpressionHandler> handlers) {
 		if (handlers.size() != 1) {

config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityAdvisorRegistrar.java

@@ -19,8 +19,6 @@ package org.springframework.security.config.annotation.method.configuration;
 import org.aopalliance.aop.Advice;
 import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
-import org.jetbrains.annotations.NotNull;
-import org.jetbrains.annotations.Nullable;
 
 import org.springframework.aop.Advisor;
 import org.springframework.aop.Pointcut;
@@ -33,6 +31,8 @@ import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.context.annotation.ImportBeanDefinitionRegistrar;
 import org.springframework.core.Ordered;
 import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.lang.NonNull;
+import org.springframework.lang.Nullable;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 
 class MethodSecurityAdvisorRegistrar implements ImportBeanDefinitionRegistrar {
@@ -100,7 +100,7 @@ class MethodSecurityAdvisorRegistrar implements ImportBeanDefinitionRegistrar {
 
 		@Nullable
 		@Override
-		public Object invoke(@NotNull MethodInvocation invocation) throws Throwable {
+		public Object invoke(@NonNull MethodInvocation invocation) throws Throwable {
 			return this.advisor.invoke(invocation);
 		}
 

config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java

@@ -41,6 +41,9 @@ final class MethodSecuritySelector implements ImportSelector {
 	private static final boolean isDataPresent = ClassUtils
 		.isPresent("org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar", null);
 
+	private static final boolean isWebPresent = ClassUtils
+		.isPresent("org.springframework.web.servlet.DispatcherServlet", null);
+
 	private static final boolean isObservabilityPresent = ClassUtils
 		.isPresent("io.micrometer.observation.ObservationRegistry", null);
 
@@ -67,6 +70,9 @@ final class MethodSecuritySelector implements ImportSelector {
 		if (isDataPresent) {
 			imports.add(AuthorizationProxyDataConfiguration.class.getName());
 		}
+		if (isWebPresent) {
+			imports.add(AuthorizationProxyWebConfiguration.class.getName());
+		}
 		if (isObservabilityPresent) {
 			imports.add(MethodObservationConfiguration.class.getName());
 		}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java

@@ -46,7 +46,6 @@ import org.springframework.security.authorization.method.PostAuthorizeAuthorizat
 import org.springframework.security.authorization.method.PostFilterAuthorizationMethodInterceptor;
 import org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager;
 import org.springframework.security.authorization.method.PreFilterAuthorizationMethodInterceptor;
-import org.springframework.security.authorization.method.PrePostTemplateDefaults;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
@@ -130,14 +129,6 @@ final class PrePostMethodSecurityConfiguration implements ImportAware, Applicati
 		this.postFilterMethodInterceptor.setTemplateDefaults(templateDefaults);
 	}
 
-	@Autowired(required = false)
-	void setTemplateDefaults(PrePostTemplateDefaults templateDefaults) {
-		this.preFilterMethodInterceptor.setTemplateDefaults(templateDefaults);
-		this.preAuthorizeAuthorizationManager.setTemplateDefaults(templateDefaults);
-		this.postAuthorizeAuthorizationManager.setTemplateDefaults(templateDefaults);
-		this.postFilterMethodInterceptor.setTemplateDefaults(templateDefaults);
-	}
-
 	@Autowired(required = false)
 	void setExpressionHandler(MethodSecurityExpressionHandler expressionHandler) {
 		this.preFilterMethodInterceptor.setExpressionHandler(expressionHandler);

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java

@@ -42,7 +42,6 @@ import org.springframework.security.authorization.method.PostAuthorizeReactiveAu
 import org.springframework.security.authorization.method.PostFilterAuthorizationReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.PreAuthorizeReactiveAuthorizationManager;
 import org.springframework.security.authorization.method.PreFilterAuthorizationReactiveMethodInterceptor;
-import org.springframework.security.authorization.method.PrePostTemplateDefaults;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
@@ -112,14 +111,6 @@ final class ReactiveAuthorizationManagerMethodSecurityConfiguration
 		this.postAuthorizeAuthorizationManager.setApplicationContext(context);
 	}
 
-	@Autowired(required = false)
-	void setTemplateDefaults(PrePostTemplateDefaults templateDefaults) {
-		this.preFilterMethodInterceptor.setTemplateDefaults(templateDefaults);
-		this.preAuthorizeAuthorizationManager.setTemplateDefaults(templateDefaults);
-		this.postAuthorizeAuthorizationManager.setTemplateDefaults(templateDefaults);
-		this.postFilterMethodInterceptor.setTemplateDefaults(templateDefaults);
-	}
-
 	@Autowired(required = false)
 	void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDefaults) {
 		this.preFilterMethodInterceptor.setTemplateDefaults(templateDefaults);

config/src/main/java/org/springframework/security/config/annotation/rsocket/PayloadInterceptorOrder.java

@@ -33,12 +33,16 @@ public enum PayloadInterceptorOrder implements Ordered {
 	/**
 	 * Where basic authentication is placed.
 	 * @see RSocketSecurity#basicAuthentication(Customizer)
+	 * @deprecated please see {@link PayloadInterceptorOrder#AUTHENTICATION}
 	 */
+	@Deprecated
 	BASIC_AUTHENTICATION,
 	/**
 	 * Where JWT based authentication is performed.
 	 * @see RSocketSecurity#jwt(Customizer)
+	 * @deprecated please see {@link PayloadInterceptorOrder#AUTHENTICATION}
 	 */
+	@Deprecated
 	JWT_AUTHENTICATION,
 	/**
 	 * A generic placeholder for other types of authentication.

config/src/main/java/org/springframework/security/config/annotation/rsocket/RSocketSecurity.java

@@ -109,6 +109,7 @@ import org.springframework.security.rsocket.util.matcher.RoutePayloadExchangeMat
  * @author Manuel Tejeda
  * @author Ebert Toribio
  * @author Ngoc Nhan
+ * @author Andrey Litvitski
  * @since 5.2
  */
 public class RSocketSecurity {
@@ -119,6 +120,8 @@ public class RSocketSecurity {
 
 	private SimpleAuthenticationSpec simpleAuthSpec;
 
+	private AnonymousAuthenticationSpec anonymousAuthSpec = new AnonymousAuthenticationSpec(this);
+
 	private JwtSpec jwtSpec;
 
 	private AuthorizePayloadsSpec authorizePayload;
@@ -164,6 +167,20 @@ public class RSocketSecurity {
 		return this;
 	}
 
+	/**
+	 * Adds anonymous authentication
+	 * @param anonymous a customizer
+	 * @return this instance
+	 * @since 7.0
+	 */
+	public RSocketSecurity anonymous(Customizer<AnonymousAuthenticationSpec> anonymous) {
+		if (this.anonymousAuthSpec == null) {
+			this.anonymousAuthSpec = new AnonymousAuthenticationSpec(this);
+		}
+		anonymous.customize(this.anonymousAuthSpec);
+		return this;
+	}
+
 	/**
 	 * Adds authentication with BasicAuthenticationPayloadExchangeConverter.
 	 * @param basic
@@ -214,7 +231,9 @@ public class RSocketSecurity {
 		if (this.jwtSpec != null) {
 			result.addAll(this.jwtSpec.build());
 		}
-		result.add(anonymous());
+		if (this.anonymousAuthSpec != null) {
+			result.add(this.anonymousAuthSpec.build());
+		}
 		if (this.authorizePayload != null) {
 			result.add(this.authorizePayload.build());
 		}
@@ -222,12 +241,6 @@ public class RSocketSecurity {
 		return result;
 	}
 
-	private AnonymousPayloadInterceptor anonymous() {
-		AnonymousPayloadInterceptor result = new AnonymousPayloadInterceptor("anonymousUser");
-		result.setOrder(PayloadInterceptorOrder.ANONYMOUS.getOrder());
-		return result;
-	}
-
 	private <T> T getBean(Class<T> beanClass) {
 		if (this.context == null) {
 			return null;
@@ -283,6 +296,26 @@ public class RSocketSecurity {
 
 	}
 
+	public final class AnonymousAuthenticationSpec {
+
+		private RSocketSecurity parent;
+
+		private AnonymousAuthenticationSpec(RSocketSecurity parent) {
+			this.parent = parent;
+		}
+
+		protected AnonymousPayloadInterceptor build() {
+			AnonymousPayloadInterceptor result = new AnonymousPayloadInterceptor("anonymousUser");
+			result.setOrder(PayloadInterceptorOrder.ANONYMOUS.getOrder());
+			return result;
+		}
+
+		public void disable() {
+			this.parent.anonymousAuthSpec = null;
+		}
+
+	}
+
 	public final class BasicAuthenticationSpec {
 
 		private ReactiveAuthenticationManager authenticationManager;

config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java

@@ -18,41 +18,22 @@ package org.springframework.security.config.annotation.web;
 
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collection;
-import java.util.LinkedHashMap;
 import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.atomic.AtomicReference;
-import java.util.function.Function;
 
 import jakarta.servlet.DispatcherType;
-import jakarta.servlet.ServletContext;
-import jakarta.servlet.ServletRegistration;
-import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import org.springframework.beans.factory.NoSuchBeanDefinitionException;
-import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.context.ApplicationContext;
-import org.springframework.core.ResolvableType;
 import org.springframework.http.HttpMethod;
 import org.springframework.lang.Nullable;
-import org.springframework.security.config.ObjectPostProcessor;
-import org.springframework.security.config.annotation.web.configurers.AbstractConfigAttributeRequestMatcherRegistry;
-import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher;
-import org.springframework.security.web.util.matcher.OrRequestMatcher;
-import org.springframework.security.web.util.matcher.RegexRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
-import org.springframework.util.ClassUtils;
-import org.springframework.web.context.WebApplicationContext;
-import org.springframework.web.servlet.DispatcherServlet;
-import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
+import org.springframework.util.function.ThrowingSupplier;
 
 /**
  * A base class for registering {@link RequestMatcher}'s. For example, it might allow for
@@ -65,25 +46,16 @@ import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
  */
 public abstract class AbstractRequestMatcherRegistry<C> {
 
-	private static final String HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME = "mvcHandlerMappingIntrospector";
-
-	private static final String HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector";
-
-	private static final boolean mvcPresent;
-
 	private static final RequestMatcher ANY_REQUEST = AnyRequestMatcher.INSTANCE;
 
 	private ApplicationContext context;
 
 	private boolean anyRequestConfigured = false;
 
-	static {
-		mvcPresent = ClassUtils.isPresent(HANDLER_MAPPING_INTROSPECTOR,
-				AbstractRequestMatcherRegistry.class.getClassLoader());
-	}
-
 	private final Log logger = LogFactory.getLog(getClass());
 
+	private PathPatternRequestMatcher.Builder requestMatcherBuilder;
+
 	protected final void setApplicationContext(ApplicationContext context) {
 		this.context = context;
 	}
@@ -107,36 +79,6 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		return configurer;
 	}
 
-	/**
-	 * Creates {@link MvcRequestMatcher} instances for the method and patterns passed in
-	 * @param method the HTTP method to use or null if any should be used
-	 * @param mvcPatterns the Spring MVC patterns to match on
-	 * @return a List of {@link MvcRequestMatcher} instances
-	 */
-	protected final List<MvcRequestMatcher> createMvcMatchers(HttpMethod method, String... mvcPatterns) {
-		Assert.state(!this.anyRequestConfigured, "Can't configure mvcMatchers after anyRequest");
-		ResolvableType type = ResolvableType.forClassWithGenerics(ObjectPostProcessor.class, Object.class);
-		ObjectProvider<ObjectPostProcessor<Object>> postProcessors = this.context.getBeanProvider(type);
-		ObjectPostProcessor<Object> opp = postProcessors.getObject();
-		if (!this.context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
-			throw new NoSuchBeanDefinitionException("A Bean named " + HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME
-					+ " of type " + HandlerMappingIntrospector.class.getName()
-					+ " is required to use MvcRequestMatcher. Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
-		}
-		HandlerMappingIntrospector introspector = this.context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME,
-				HandlerMappingIntrospector.class);
-		List<MvcRequestMatcher> matchers = new ArrayList<>(mvcPatterns.length);
-		for (String mvcPattern : mvcPatterns) {
-			MvcRequestMatcher matcher = new MvcRequestMatcher(introspector, mvcPattern);
-			opp.postProcess(matcher);
-			if (method != null) {
-				matcher.setMethod(method);
-			}
-			matchers.add(matcher);
-		}
-		return matchers;
-	}
-
 	/**
 	 * Maps a {@link List} of
 	 * {@link org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher}
@@ -169,7 +111,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 
 	/**
 	 * Associates a list of {@link RequestMatcher} instances with the
-	 * {@link AbstractConfigAttributeRequestMatcherRegistry}
+	 * {@link AbstractRequestMatcherRegistry}
 	 * @param requestMatchers the {@link RequestMatcher} instances
 	 * @return the object that is chained after creating the {@link RequestMatcher}
 	 */
@@ -180,12 +122,9 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 
 	/**
 	 * <p>
-	 * If the {@link HandlerMappingIntrospector} is available in the classpath, maps to an
-	 * {@link MvcRequestMatcher} that also specifies a specific {@link HttpMethod} to
-	 * match on. This matcher will use the same rules that Spring MVC uses for matching.
-	 * For example, often times a mapping of the path "/path" will match on "/path",
-	 * "/path/", "/path.html", etc. If the {@link HandlerMappingIntrospector} is not
-	 * available, maps to an {@link AntPathRequestMatcher}.
+	 * Match when the {@link HttpMethod} is {@code method} and when the request URI
+	 * matches one of {@code patterns}. See
+	 * {@link org.springframework.web.util.pattern.PathPattern} for matching rules.
 	 * </p>
 	 * <p>
 	 * If a specific {@link RequestMatcher} must be specified, use
@@ -193,8 +132,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 	 * </p>
 	 * @param method the {@link HttpMethod} to use or {@code null} for any
 	 * {@link HttpMethod}.
-	 * @param patterns the patterns to match on. The rules for matching are defined by
-	 * Spring MVC if {@link MvcRequestMatcher} is used
+	 * @param patterns the patterns to match on
 	 * @return the object that is chained after creating the {@link RequestMatcher}.
 	 * @since 5.8
 	 */
@@ -205,26 +143,32 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 					+ "leading slash in all your request matcher patterns. In future versions of "
 					+ "Spring Security, leaving out the leading slash will result in an exception.");
 		}
-		if (!mvcPresent) {
-			return requestMatchers(RequestMatchers.antMatchersAsArray(method, patterns));
-		}
-		if (!(this.context instanceof WebApplicationContext)) {
-			return requestMatchers(RequestMatchers.antMatchersAsArray(method, patterns));
-		}
-		WebApplicationContext context = (WebApplicationContext) this.context;
-		ServletContext servletContext = context.getServletContext();
-		if (servletContext == null) {
-			return requestMatchers(RequestMatchers.antMatchersAsArray(method, patterns));
-		}
+		Assert.state(!this.anyRequestConfigured, "Can't configure requestMatchers after anyRequest");
+		PathPatternRequestMatcher.Builder builder = getRequestMatcherBuilder();
 		List<RequestMatcher> matchers = new ArrayList<>();
 		for (String pattern : patterns) {
-			AntPathRequestMatcher ant = new AntPathRequestMatcher(pattern, (method != null) ? method.name() : null);
-			MvcRequestMatcher mvc = createMvcMatchers(method, pattern).get(0);
-			matchers.add(new DeferredRequestMatcher((c) -> resolve(ant, mvc, c), mvc, ant));
+			matchers.add(builder.matcher(method, pattern));
 		}
 		return requestMatchers(matchers.toArray(new RequestMatcher[0]));
 	}
 
+	private PathPatternRequestMatcher.Builder getRequestMatcherBuilder() {
+		if (this.requestMatcherBuilder != null) {
+			return this.requestMatcherBuilder;
+		}
+		this.requestMatcherBuilder = this.context.getBeanProvider(PathPatternRequestMatcher.Builder.class)
+			.getIfUnique(() -> constructRequestMatcherBuilder(this.context));
+		return this.requestMatcherBuilder;
+	}
+
+	private PathPatternRequestMatcher.Builder constructRequestMatcherBuilder(ApplicationContext context) {
+		PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder = new PathPatternRequestMatcherBuilderFactoryBean();
+		requestMatcherBuilder.setApplicationContext(context);
+		requestMatcherBuilder.setBeanFactory(context.getAutowireCapableBeanFactory());
+		requestMatcherBuilder.setBeanName(requestMatcherBuilder.toString());
+		return ThrowingSupplier.of(requestMatcherBuilder::getObject).get();
+	}
+
 	private boolean anyPathsDontStartWithLeadingSlash(String... patterns) {
 		for (String pattern : patterns) {
 			if (!pattern.startsWith("/")) {
@@ -234,134 +178,16 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		return false;
 	}
 
-	private RequestMatcher resolve(AntPathRequestMatcher ant, MvcRequestMatcher mvc, ServletContext servletContext) {
-		Map<String, ? extends ServletRegistration> registrations = mappableServletRegistrations(servletContext);
-		if (registrations.isEmpty()) {
-			return new DispatcherServletDelegatingRequestMatcher(ant, mvc, new MockMvcRequestMatcher());
-		}
-		if (!hasDispatcherServlet(registrations)) {
-			return new DispatcherServletDelegatingRequestMatcher(ant, mvc, new MockMvcRequestMatcher());
-		}
-		ServletRegistration dispatcherServlet = requireOneRootDispatcherServlet(registrations);
-		if (dispatcherServlet != null) {
-			if (registrations.size() == 1) {
-				return mvc;
-			}
-			return new DispatcherServletDelegatingRequestMatcher(ant, mvc, servletContext);
-		}
-		dispatcherServlet = requireOnlyPathMappedDispatcherServlet(registrations);
-		if (dispatcherServlet != null) {
-			String mapping = dispatcherServlet.getMappings().iterator().next();
-			mvc.setServletPath(mapping.substring(0, mapping.length() - 2));
-			return mvc;
-		}
-		String errorMessage = computeErrorMessage(registrations.values());
-		throw new IllegalArgumentException(errorMessage);
-	}
-
-	private Map<String, ? extends ServletRegistration> mappableServletRegistrations(ServletContext servletContext) {
-		Map<String, ServletRegistration> mappable = new LinkedHashMap<>();
-		for (Map.Entry<String, ? extends ServletRegistration> entry : servletContext.getServletRegistrations()
-			.entrySet()) {
-			if (!entry.getValue().getMappings().isEmpty()) {
-				mappable.put(entry.getKey(), entry.getValue());
-			}
-		}
-		return mappable;
-	}
-
-	private boolean hasDispatcherServlet(Map<String, ? extends ServletRegistration> registrations) {
-		if (registrations == null) {
-			return false;
-		}
-		for (ServletRegistration registration : registrations.values()) {
-			if (isDispatcherServlet(registration)) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	private ServletRegistration requireOneRootDispatcherServlet(
-			Map<String, ? extends ServletRegistration> registrations) {
-		ServletRegistration rootDispatcherServlet = null;
-		for (ServletRegistration registration : registrations.values()) {
-			if (!isDispatcherServlet(registration)) {
-				continue;
-			}
-			if (registration.getMappings().size() > 1) {
-				return null;
-			}
-			if (!"/".equals(registration.getMappings().iterator().next())) {
-				return null;
-			}
-			rootDispatcherServlet = registration;
-		}
-		return rootDispatcherServlet;
-	}
-
-	private ServletRegistration requireOnlyPathMappedDispatcherServlet(
-			Map<String, ? extends ServletRegistration> registrations) {
-		ServletRegistration pathDispatcherServlet = null;
-		for (ServletRegistration registration : registrations.values()) {
-			if (!isDispatcherServlet(registration)) {
-				return null;
-			}
-			if (registration.getMappings().size() > 1) {
-				return null;
-			}
-			String mapping = registration.getMappings().iterator().next();
-			if (!mapping.startsWith("/") || !mapping.endsWith("/*")) {
-				return null;
-			}
-			if (pathDispatcherServlet != null) {
-				return null;
-			}
-			pathDispatcherServlet = registration;
-		}
-		return pathDispatcherServlet;
-	}
-
-	private boolean isDispatcherServlet(ServletRegistration registration) {
-		Class<?> dispatcherServlet = ClassUtils.resolveClassName("org.springframework.web.servlet.DispatcherServlet",
-				null);
-		try {
-			Class<?> clazz = Class.forName(registration.getClassName());
-			return dispatcherServlet.isAssignableFrom(clazz);
-		}
-		catch (ClassNotFoundException ex) {
-			return false;
-		}
-	}
-
-	private static String computeErrorMessage(Collection<? extends ServletRegistration> registrations) {
-		String template = "This method cannot decide whether these patterns are Spring MVC patterns or not. "
-				+ "If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); "
-				+ "otherwise, please use requestMatchers(AntPathRequestMatcher).\n\n"
-				+ "This is because there is more than one mappable servlet in your servlet context: %s.\n\n"
-				+ "For each MvcRequestMatcher, call MvcRequestMatcher#setServletPath to indicate the servlet path.";
-		Map<String, Collection<String>> mappings = new LinkedHashMap<>();
-		for (ServletRegistration registration : registrations) {
-			mappings.put(registration.getClassName(), registration.getMappings());
-		}
-		return String.format(template, mappings);
-	}
-
 	/**
 	 * <p>
-	 * If the {@link HandlerMappingIntrospector} is available in the classpath, maps to an
-	 * {@link MvcRequestMatcher} that does not care which {@link HttpMethod} is used. This
-	 * matcher will use the same rules that Spring MVC uses for matching. For example,
-	 * often times a mapping of the path "/path" will match on "/path", "/path/",
-	 * "/path.html", etc. If the {@link HandlerMappingIntrospector} is not available, maps
-	 * to an {@link AntPathRequestMatcher}.
+	 * Match when the request URI matches one of {@code patterns}. See
+	 * {@link org.springframework.web.util.pattern.PathPattern} for matching rules.
 	 * </p>
 	 * <p>
 	 * If a specific {@link RequestMatcher} must be specified, use
 	 * {@link #requestMatchers(RequestMatcher...)} instead
 	 * </p>
-	 * @param patterns the patterns to match on. The rules for matching are defined by
-	 * Spring MVC if {@link MvcRequestMatcher} is used
+	 * @param patterns the patterns to match on
 	 * @return the object that is chained after creating the {@link RequestMatcher}.
 	 * @since 5.8
 	 */
@@ -371,12 +197,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 
 	/**
 	 * <p>
-	 * If the {@link HandlerMappingIntrospector} is available in the classpath, maps to an
-	 * {@link MvcRequestMatcher} that matches on a specific {@link HttpMethod}. This
-	 * matcher will use the same rules that Spring MVC uses for matching. For example,
-	 * often times a mapping of the path "/path" will match on "/path", "/path/",
-	 * "/path.html", etc. If the {@link HandlerMappingIntrospector} is not available, maps
-	 * to an {@link AntPathRequestMatcher}.
+	 * Match when the {@link HttpMethod} is {@code method}
 	 * </p>
 	 * <p>
 	 * If a specific {@link RequestMatcher} must be specified, use
@@ -400,190 +221,4 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 	 */
 	protected abstract C chainRequestMatchers(List<RequestMatcher> requestMatchers);
 
-	/**
-	 * Utilities for creating {@link RequestMatcher} instances.
-	 *
-	 * @author Rob Winch
-	 * @since 3.2
-	 */
-	private static final class RequestMatchers {
-
-		private RequestMatchers() {
-		}
-
-		/**
-		 * Create a {@link List} of {@link AntPathRequestMatcher} instances.
-		 * @param httpMethod the {@link HttpMethod} to use or {@code null} for any
-		 * {@link HttpMethod}.
-		 * @param antPatterns the ant patterns to create {@link AntPathRequestMatcher}
-		 * from
-		 * @return a {@link List} of {@link AntPathRequestMatcher} instances
-		 */
-		static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
-			return Arrays.asList(antMatchersAsArray(httpMethod, antPatterns));
-		}
-
-		/**
-		 * Create a {@link List} of {@link AntPathRequestMatcher} instances that do not
-		 * specify an {@link HttpMethod}.
-		 * @param antPatterns the ant patterns to create {@link AntPathRequestMatcher}
-		 * from
-		 * @return a {@link List} of {@link AntPathRequestMatcher} instances
-		 */
-		static List<RequestMatcher> antMatchers(String... antPatterns) {
-			return antMatchers(null, antPatterns);
-		}
-
-		static RequestMatcher[] antMatchersAsArray(HttpMethod httpMethod, String... antPatterns) {
-			String method = (httpMethod != null) ? httpMethod.toString() : null;
-			RequestMatcher[] matchers = new RequestMatcher[antPatterns.length];
-			for (int index = 0; index < antPatterns.length; index++) {
-				matchers[index] = new AntPathRequestMatcher(antPatterns[index], method);
-			}
-			return matchers;
-		}
-
-		/**
-		 * Create a {@link List} of {@link RegexRequestMatcher} instances.
-		 * @param httpMethod the {@link HttpMethod} to use or {@code null} for any
-		 * {@link HttpMethod}.
-		 * @param regexPatterns the regular expressions to create
-		 * {@link RegexRequestMatcher} from
-		 * @return a {@link List} of {@link RegexRequestMatcher} instances
-		 */
-		static List<RequestMatcher> regexMatchers(HttpMethod httpMethod, String... regexPatterns) {
-			String method = (httpMethod != null) ? httpMethod.toString() : null;
-			List<RequestMatcher> matchers = new ArrayList<>();
-			for (String pattern : regexPatterns) {
-				matchers.add(new RegexRequestMatcher(pattern, method));
-			}
-			return matchers;
-		}
-
-		/**
-		 * Create a {@link List} of {@link RegexRequestMatcher} instances that do not
-		 * specify an {@link HttpMethod}.
-		 * @param regexPatterns the regular expressions to create
-		 * {@link RegexRequestMatcher} from
-		 * @return a {@link List} of {@link RegexRequestMatcher} instances
-		 */
-		static List<RequestMatcher> regexMatchers(String... regexPatterns) {
-			return regexMatchers(null, regexPatterns);
-		}
-
-	}
-
-	static class DeferredRequestMatcher implements RequestMatcher {
-
-		final Function<ServletContext, RequestMatcher> requestMatcherFactory;
-
-		final AtomicReference<String> description = new AtomicReference<>();
-
-		final Map<ServletContext, RequestMatcher> requestMatchers = new ConcurrentHashMap<>();
-
-		DeferredRequestMatcher(Function<ServletContext, RequestMatcher> resolver, RequestMatcher... candidates) {
-			this.requestMatcherFactory = (sc) -> this.requestMatchers.computeIfAbsent(sc, resolver);
-			this.description.set("Deferred " + Arrays.toString(candidates));
-		}
-
-		RequestMatcher requestMatcher(ServletContext servletContext) {
-			return this.requestMatcherFactory.apply(servletContext);
-		}
-
-		@Override
-		public boolean matches(HttpServletRequest request) {
-			return this.requestMatcherFactory.apply(request.getServletContext()).matches(request);
-		}
-
-		@Override
-		public MatchResult matcher(HttpServletRequest request) {
-			return this.requestMatcherFactory.apply(request.getServletContext()).matcher(request);
-		}
-
-		@Override
-		public String toString() {
-			return this.description.get();
-		}
-
-	}
-
-	static class MockMvcRequestMatcher implements RequestMatcher {
-
-		@Override
-		public boolean matches(HttpServletRequest request) {
-			return request.getAttribute("org.springframework.test.web.servlet.MockMvc.MVC_RESULT_ATTRIBUTE") != null;
-		}
-
-	}
-
-	static class DispatcherServletRequestMatcher implements RequestMatcher {
-
-		private final ServletContext servletContext;
-
-		DispatcherServletRequestMatcher(ServletContext servletContext) {
-			this.servletContext = servletContext;
-		}
-
-		@Override
-		public boolean matches(HttpServletRequest request) {
-			String name = request.getHttpServletMapping().getServletName();
-			ServletRegistration registration = this.servletContext.getServletRegistration(name);
-			Assert.notNull(registration,
-					() -> computeErrorMessage(this.servletContext.getServletRegistrations().values()));
-			try {
-				Class<?> clazz = Class.forName(registration.getClassName());
-				return DispatcherServlet.class.isAssignableFrom(clazz);
-			}
-			catch (ClassNotFoundException ex) {
-				return false;
-			}
-		}
-
-	}
-
-	static class DispatcherServletDelegatingRequestMatcher implements RequestMatcher {
-
-		private final AntPathRequestMatcher ant;
-
-		private final MvcRequestMatcher mvc;
-
-		private final RequestMatcher dispatcherServlet;
-
-		DispatcherServletDelegatingRequestMatcher(AntPathRequestMatcher ant, MvcRequestMatcher mvc,
-				ServletContext servletContext) {
-			this(ant, mvc, new OrRequestMatcher(new MockMvcRequestMatcher(),
-					new DispatcherServletRequestMatcher(servletContext)));
-		}
-
-		DispatcherServletDelegatingRequestMatcher(AntPathRequestMatcher ant, MvcRequestMatcher mvc,
-				RequestMatcher dispatcherServlet) {
-			this.ant = ant;
-			this.mvc = mvc;
-			this.dispatcherServlet = dispatcherServlet;
-		}
-
-		RequestMatcher requestMatcher(HttpServletRequest request) {
-			if (this.dispatcherServlet.matches(request)) {
-				return this.mvc;
-			}
-			return this.ant;
-		}
-
-		@Override
-		public boolean matches(HttpServletRequest request) {
-			return requestMatcher(request).matches(request);
-		}
-
-		@Override
-		public MatchResult matcher(HttpServletRequest request) {
-			return requestMatcher(request).matcher(request);
-		}
-
-		@Override
-		public String toString() {
-			return "DispatcherServletDelegating [" + "ant = " + this.ant + ", mvc = " + this.mvc + "]";
-		}
-
-	}
-
 }

config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java

@@ -135,6 +135,7 @@ public interface HttpSecurityBuilder<H extends HttpSecurityBuilder<H>>
 	 * <li>{@link DisableEncodeUrlFilter}</li>
 	 * <li>{@link ForceEagerSessionCreationFilter}</li>
 	 * <li>{@link ChannelProcessingFilter}</li>
+	 * <li>{@link org.springframework.security.web.transport.HttpsRedirectFilter}</li>
 	 * <li>{@link WebAsyncManagerIntegrationFilter}</li>
 	 * <li>{@link SecurityContextHolderFilter}</li>
 	 * <li>{@link SecurityContextPersistenceFilter}</li>

config/src/main/java/org/springframework/security/config/annotation/web/ServletRegistrationsSupport.java

@@ -0,0 +1,77 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Map;
+
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.ServletRegistration;
+
+import org.springframework.util.ClassUtils;
+
+class ServletRegistrationsSupport {
+
+	private final Collection<RegistrationMapping> registrations;
+
+	ServletRegistrationsSupport(ServletContext servletContext) {
+		Map<String, ? extends ServletRegistration> registrations = servletContext.getServletRegistrations();
+		Collection<RegistrationMapping> mappings = new ArrayList<>();
+		for (Map.Entry<String, ? extends ServletRegistration> entry : registrations.entrySet()) {
+			if (!entry.getValue().getMappings().isEmpty()) {
+				for (String mapping : entry.getValue().getMappings()) {
+					mappings.add(new RegistrationMapping(entry.getValue(), mapping));
+				}
+			}
+		}
+		this.registrations = mappings;
+	}
+
+	Collection<RegistrationMapping> dispatcherServletMappings() {
+		Collection<RegistrationMapping> mappings = new ArrayList<>();
+		for (RegistrationMapping registration : this.registrations) {
+			if (registration.isDispatcherServlet()) {
+				mappings.add(registration);
+			}
+		}
+		return mappings;
+	}
+
+	Collection<RegistrationMapping> mappings() {
+		return this.registrations;
+	}
+
+	record RegistrationMapping(ServletRegistration registration, String mapping) {
+		boolean isDispatcherServlet() {
+			Class<?> dispatcherServlet = ClassUtils
+				.resolveClassName("org.springframework.web.servlet.DispatcherServlet", null);
+			try {
+				Class<?> clazz = Class.forName(this.registration.getClassName());
+				return dispatcherServlet.isAssignableFrom(clazz);
+			}
+			catch (ClassNotFoundException ex) {
+				return false;
+			}
+		}
+
+		boolean isDefault() {
+			return "/".equals(this.mapping);
+		}
+	}
+
+}

config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java

@@ -31,6 +31,7 @@ import org.springframework.security.web.authentication.AuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
 import org.springframework.security.web.authentication.ott.GenerateOneTimeTokenFilter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationFilter;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
@@ -53,6 +54,7 @@ import org.springframework.security.web.session.ConcurrentSessionFilter;
 import org.springframework.security.web.session.DisableEncodeUrlFilter;
 import org.springframework.security.web.session.ForceEagerSessionCreationFilter;
 import org.springframework.security.web.session.SessionManagementFilter;
+import org.springframework.security.web.transport.HttpsRedirectFilter;
 import org.springframework.web.filter.CorsFilter;
 
 /**
@@ -77,6 +79,7 @@ final class FilterOrderRegistration {
 		put(DisableEncodeUrlFilter.class, order.next());
 		put(ForceEagerSessionCreationFilter.class, order.next());
 		put(ChannelProcessingFilter.class, order.next());
+		put(HttpsRedirectFilter.class, order.next());
 		order.next(); // gh-8105
 		put(WebAsyncManagerIntegrationFilter.class, order.next());
 		put(SecurityContextHolderFilter.class, order.next());
@@ -101,6 +104,7 @@ final class FilterOrderRegistration {
 				"org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter",
 				order.next());
 		put(UsernamePasswordAuthenticationFilter.class, order.next());
+		put(OneTimeTokenAuthenticationFilter.class, order.next());
 		order.next(); // gh-8105
 		put(DefaultResourcesFilter.class, order.next());
 		put(DefaultLoginPageGeneratingFilter.class, order.next());

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -35,7 +35,9 @@ import org.springframework.core.ResolvableType;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.SingleResultAuthorizationManager;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder;
 import org.springframework.security.config.annotation.SecurityBuilder;
@@ -53,11 +55,14 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer;
 import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
+import org.springframework.security.web.access.PathPatternRequestTransformer;
 import org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
+import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
 import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.firewall.CompositeRequestRejectedHandler;
 import org.springframework.security.web.firewall.HttpFirewall;
@@ -135,14 +140,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 		super(objectPostProcessor);
 	}
 
-	/**
-	 * @deprecated
-	 */
-	@Deprecated(since = "6.4", forRemoval = true)
-	public WebSecurity(org.springframework.security.config.annotation.ObjectPostProcessor<Object> objectPostProcessor) {
-		super(objectPostProcessor);
-	}
-
 	/**
 	 * <p>
 	 * Allows adding {@link RequestMatcher} instances that Spring Security should ignore.
@@ -231,8 +228,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
 	/**
 	 * Set the {@link WebInvocationPrivilegeEvaluator} to be used. If this is not
-	 * specified, then a {@link RequestMatcherDelegatingWebInvocationPrivilegeEvaluator}
-	 * will be created based on the list of {@link SecurityFilterChain}.
+	 * specified, then a {@link AuthorizationManagerWebInvocationPrivilegeEvaluator} will
+	 * be created based on the list of {@link SecurityFilterChain}.
 	 * @param privilegeEvaluator the {@link WebInvocationPrivilegeEvaluator} to use
 	 * @return the {@link WebSecurity} for further customizations
 	 */
@@ -301,36 +298,33 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 						+ ".addSecurityFilterChainBuilder directly");
 		int chainSize = this.ignoredRequests.size() + this.securityFilterChainBuilders.size();
 		List<SecurityFilterChain> securityFilterChains = new ArrayList<>(chainSize);
-		List<RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>>> requestMatcherPrivilegeEvaluatorsEntries = new ArrayList<>();
+		RequestMatcherDelegatingAuthorizationManager.Builder builder = RequestMatcherDelegatingAuthorizationManager
+			.builder();
+		boolean mappings = false;
 		for (RequestMatcher ignoredRequest : this.ignoredRequests) {
 			WebSecurity.this.logger.warn("You are asking Spring Security to ignore " + ignoredRequest
 					+ ". This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.");
 			SecurityFilterChain securityFilterChain = new DefaultSecurityFilterChain(ignoredRequest);
 			securityFilterChains.add(securityFilterChain);
-			requestMatcherPrivilegeEvaluatorsEntries
-				.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));
+			builder.add(ignoredRequest, SingleResultAuthorizationManager.permitAll());
+			mappings = true;
 		}
-		DefaultSecurityFilterChain anyRequestFilterChain = null;
 		for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : this.securityFilterChainBuilders) {
 			SecurityFilterChain securityFilterChain = securityFilterChainBuilder.build();
-			if (anyRequestFilterChain != null) {
-				String message = "A filter chain that matches any request [" + anyRequestFilterChain
-						+ "] has already been configured, which means that this filter chain [" + securityFilterChain
-						+ "] will never get invoked. Please use `HttpSecurity#securityMatcher` to ensure that there is only one filter chain configured for 'any request' and that the 'any request' filter chain is published last.";
-				throw new IllegalArgumentException(message);
-			}
-			if (securityFilterChain instanceof DefaultSecurityFilterChain defaultSecurityFilterChain) {
-				if (defaultSecurityFilterChain.getRequestMatcher() instanceof AnyRequestMatcher) {
-					anyRequestFilterChain = defaultSecurityFilterChain;
-				}
-			}
 			securityFilterChains.add(securityFilterChain);
-			requestMatcherPrivilegeEvaluatorsEntries
-				.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));
+			mappings = addAuthorizationManager(securityFilterChain, builder) || mappings;
 		}
 		if (this.privilegeEvaluator == null) {
+			AuthorizationManager<HttpServletRequest> authorizationManager = mappings ? builder.build()
+					: SingleResultAuthorizationManager.permitAll();
+			AuthorizationManagerWebInvocationPrivilegeEvaluator privilegeEvaluator = new AuthorizationManagerWebInvocationPrivilegeEvaluator(
+					authorizationManager);
+			privilegeEvaluator.setServletContext(this.servletContext);
+			if (this.privilegeEvaluatorRequestTransformer != null) {
+				privilegeEvaluator.setRequestTransformer(this.privilegeEvaluatorRequestTransformer);
+			}
 			this.privilegeEvaluator = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
-					requestMatcherPrivilegeEvaluatorsEntries);
+					List.of(new RequestMatcherEntry<>(AnyRequestMatcher.INSTANCE, List.of(privilegeEvaluator))));
 		}
 		FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
 		if (this.httpFirewall != null) {
@@ -345,6 +339,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 					new HttpStatusRequestRejectedHandler());
 			filterChainProxy.setRequestRejectedHandler(requestRejectedHandler);
 		}
+		filterChainProxy.setFilterChainValidator(new WebSecurityFilterChainValidator());
 		filterChainProxy.setFilterChainDecorator(getFilterChainDecorator());
 		filterChainProxy.afterPropertiesSet();
 
@@ -362,30 +357,33 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 		return result;
 	}
 
-	private RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> getRequestMatcherPrivilegeEvaluatorsEntry(
-			SecurityFilterChain securityFilterChain) {
-		List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = new ArrayList<>();
+	private boolean addAuthorizationManager(SecurityFilterChain securityFilterChain,
+			RequestMatcherDelegatingAuthorizationManager.Builder builder) {
+		boolean mappings = false;
 		for (Filter filter : securityFilterChain.getFilters()) {
-			if (filter instanceof FilterSecurityInterceptor) {
-				DefaultWebInvocationPrivilegeEvaluator defaultWebInvocationPrivilegeEvaluator = new DefaultWebInvocationPrivilegeEvaluator(
-						(FilterSecurityInterceptor) filter);
-				defaultWebInvocationPrivilegeEvaluator.setServletContext(this.servletContext);
-				privilegeEvaluators.add(defaultWebInvocationPrivilegeEvaluator);
+			if (filter instanceof FilterSecurityInterceptor securityInterceptor) {
+				DefaultWebInvocationPrivilegeEvaluator privilegeEvaluator = new DefaultWebInvocationPrivilegeEvaluator(
+						securityInterceptor);
+				privilegeEvaluator.setServletContext(this.servletContext);
+				AuthorizationManager<RequestAuthorizationContext> authorizationManager = (authentication, context) -> {
+					HttpServletRequest request = context.getRequest();
+					boolean result = privilegeEvaluator.isAllowed(request.getContextPath(), request.getRequestURI(),
+							request.getMethod(), authentication.get());
+					return new AuthorizationDecision(result);
+				};
+				builder.add(securityFilterChain::matches, authorizationManager);
+				mappings = true;
 				continue;
 			}
-			if (filter instanceof AuthorizationFilter) {
-				AuthorizationManager<HttpServletRequest> authorizationManager = ((AuthorizationFilter) filter)
-					.getAuthorizationManager();
-				AuthorizationManagerWebInvocationPrivilegeEvaluator evaluator = new AuthorizationManagerWebInvocationPrivilegeEvaluator(
-						authorizationManager);
-				evaluator.setServletContext(this.servletContext);
-				if (this.privilegeEvaluatorRequestTransformer != null) {
-					evaluator.setRequestTransformer(this.privilegeEvaluatorRequestTransformer);
-				}
-				privilegeEvaluators.add(evaluator);
+			if (filter instanceof AuthorizationFilter authorization) {
+				AuthorizationManager<HttpServletRequest> authorizationManager = authorization.getAuthorizationManager();
+				builder.add(securityFilterChain::matches,
+						(authentication, context) -> (AuthorizationDecision) authorizationManager
+							.authorize(authentication, context.getRequest()));
+				mappings = true;
 			}
 		}
-		return new RequestMatcherEntry<>(securityFilterChain::matches, privilegeEvaluators);
+		return mappings;
 	}
 
 	@Override
@@ -425,7 +423,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 		this.filterChainDecoratorPostProcessor = postProcessor.getIfUnique(ObjectPostProcessor::identity);
 		Class<HttpServletRequestTransformer> requestTransformerClass = HttpServletRequestTransformer.class;
 		this.privilegeEvaluatorRequestTransformer = applicationContext.getBeanProvider(requestTransformerClass)
-			.getIfUnique();
+			.getIfUnique(PathPatternRequestTransformer::new);
 	}
 
 	@Override

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java

@@ -0,0 +1,113 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.builders;
+
+import java.util.List;
+
+import jakarta.servlet.Filter;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.UnreachableFilterChainException;
+import org.springframework.security.web.access.intercept.AuthorizationFilter;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
+
+/**
+ * A filter chain validator for filter chains built by {@link WebSecurity}
+ *
+ * @author Josh Cummings
+ * @author Max Batischev
+ * @since 6.5
+ */
+final class WebSecurityFilterChainValidator implements FilterChainProxy.FilterChainValidator {
+
+	private final Log logger = LogFactory.getLog(getClass());
+
+	@Override
+	public void validate(FilterChainProxy filterChainProxy) {
+		List<SecurityFilterChain> chains = filterChainProxy.getFilterChains();
+		checkForAnyRequestRequestMatcher(chains);
+		checkForDuplicateMatchers(chains);
+		checkAuthorizationFilters(chains);
+	}
+
+	private void checkForAnyRequestRequestMatcher(List<SecurityFilterChain> chains) {
+		DefaultSecurityFilterChain anyRequestFilterChain = null;
+		for (SecurityFilterChain chain : chains) {
+			if (anyRequestFilterChain != null) {
+				String message = "A filter chain that matches any request [" + anyRequestFilterChain
+						+ "] has already been configured, which means that this filter chain [" + chain
+						+ "] will never get invoked. Please use `HttpSecurity#securityMatcher` to ensure that there is only one filter chain configured for 'any request' and that the 'any request' filter chain is published last.";
+				throw new UnreachableFilterChainException(message, anyRequestFilterChain, chain);
+			}
+			if (chain instanceof DefaultSecurityFilterChain defaultChain) {
+				if (defaultChain.getRequestMatcher() instanceof AnyRequestMatcher) {
+					anyRequestFilterChain = defaultChain;
+				}
+			}
+		}
+	}
+
+	private void checkForDuplicateMatchers(List<SecurityFilterChain> chains) {
+		DefaultSecurityFilterChain filterChain = null;
+		for (SecurityFilterChain chain : chains) {
+			if (filterChain != null) {
+				if (chain instanceof DefaultSecurityFilterChain defaultChain) {
+					if (defaultChain.getRequestMatcher().equals(filterChain.getRequestMatcher())) {
+						throw new UnreachableFilterChainException(
+								"The FilterChainProxy contains two filter chains using the" + " matcher "
+										+ defaultChain.getRequestMatcher(),
+								filterChain, defaultChain);
+					}
+				}
+			}
+			if (chain instanceof DefaultSecurityFilterChain defaultChain) {
+				filterChain = defaultChain;
+			}
+		}
+	}
+
+	private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
+		Filter authorizationFilter = null;
+		Filter filterSecurityInterceptor = null;
+		for (SecurityFilterChain chain : chains) {
+			for (Filter filter : chain.getFilters()) {
+				if (filter instanceof AuthorizationFilter) {
+					authorizationFilter = filter;
+				}
+				if (filter instanceof FilterSecurityInterceptor) {
+					filterSecurityInterceptor = filter;
+				}
+			}
+			if (authorizationFilter != null && filterSecurityInterceptor != null) {
+				this.logger.warn(
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
+			}
+			if (filterSecurityInterceptor != null) {
+				this.logger.warn(
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
+			}
+			authorizationFilter = null;
+			filterSecurityInterceptor = null;
+		}
+	}
+
+}

config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java

@@ -46,8 +46,9 @@ import org.springframework.security.web.SecurityFilterChain;
  *
  * 	@Bean
  * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- * 		http.authorizeHttpRequests().requestMatchers("/public/**").permitAll().anyRequest()
- * 				.hasRole("USER").and()
+ * 		http.authorizeHttpRequests((authorize) -> authorize
+ * 			.requestMatchers("/public/**").permitAll()
+ * 			.anyRequest().hasRole("USER"))
  * 				// Possibly more configuration ...
  * 				.formLogin() // enable form based log in
  * 				// set permitAll for all URLs associated with Form Login

config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java

@@ -16,19 +16,24 @@
 
 package org.springframework.security.config.annotation.web.configuration;
 
+import java.lang.reflect.Modifier;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Scope;
+import org.springframework.core.MethodParameter;
+import org.springframework.core.ResolvableType;
 import org.springframework.core.io.support.SpringFactoriesLoader;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
@@ -38,12 +43,16 @@ import org.springframework.security.config.annotation.authentication.configurers
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.DefaultLoginPageConfigurer;
+import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.util.ReflectionUtils;
+import org.springframework.util.function.ThrowingSupplier;
 import org.springframework.web.accept.ContentNegotiationStrategy;
 import org.springframework.web.accept.HeaderContentNegotiationStrategy;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@@ -123,11 +132,13 @@ class HttpSecurityConfiguration {
 			.requestCache(withDefaults())
 			.anonymous(withDefaults())
 			.servletApi(withDefaults())
-			.apply(new DefaultLoginPageConfigurer<>());
+			.with(new DefaultLoginPageConfigurer<>());
 		http.logout(withDefaults());
 		// @formatter:on
 		applyCorsIfAvailable(http);
 		applyDefaultConfigurers(http);
+		applyHttpSecurityCustomizers(this.context, http);
+		applyTopLevelCustomizers(this.context, http);
 		return http;
 	}
 
@@ -153,17 +164,93 @@ class HttpSecurityConfiguration {
 		List<AbstractHttpConfigurer> defaultHttpConfigurers = SpringFactoriesLoader
 			.loadFactories(AbstractHttpConfigurer.class, classLoader);
 		for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) {
-			http.apply(configurer);
+			http.with(configurer);
 		}
 	}
 
+	/**
+	 * Applies all {@code Customizer<HttpSecurity>} Bean instances to the
+	 * {@link HttpSecurity} instance.
+	 * @param applicationContext the {@link ApplicationContext} to lookup Bean instances
+	 * @param http the {@link HttpSecurity} to apply the Beans to.
+	 */
+	private void applyHttpSecurityCustomizers(ApplicationContext applicationContext, HttpSecurity http) {
+		ResolvableType httpSecurityCustomizerType = ResolvableType.forClassWithGenerics(Customizer.class,
+				HttpSecurity.class);
+		ObjectProvider<Customizer<HttpSecurity>> customizerProvider = this.context
+			.getBeanProvider(httpSecurityCustomizerType);
+
+		// @formatter:off
+		customizerProvider.orderedStream().forEach((customizer) ->
+				customizer.customize(http)
+		);
+		// @formatter:on
+	}
+
+	/**
+	 * Applies all {@link Customizer} Beans to {@link HttpSecurity}. For each public,
+	 * non-static method in HttpSecurity that accepts a Customizer
+	 * <ul>
+	 * <li>Use the {@link MethodParameter} (this preserves generics) to resolve all Beans
+	 * for that type</li>
+	 * <li>For each {@link Customizer} Bean invoke the {@link java.lang.reflect.Method}
+	 * with the {@link Customizer} Bean as the argument</li>
+	 * </ul>
+	 * @param context the {@link ApplicationContext}
+	 * @param http the {@link HttpSecurity}
+	 * @throws Exception
+	 */
+	private void applyTopLevelCustomizers(ApplicationContext context, HttpSecurity http) {
+		ReflectionUtils.MethodFilter isCustomizerMethod = (method) -> {
+			if (Modifier.isStatic(method.getModifiers())) {
+				return false;
+			}
+			if (!Modifier.isPublic(method.getModifiers())) {
+				return false;
+			}
+			if (!method.canAccess(http)) {
+				return false;
+			}
+			if (method.getParameterCount() != 1) {
+				return false;
+			}
+			if (method.getParameterTypes()[0] == Customizer.class) {
+				return true;
+			}
+			return false;
+		};
+		ReflectionUtils.MethodCallback invokeWithEachCustomizerBean = (customizerMethod) -> {
+
+			MethodParameter customizerParameter = new MethodParameter(customizerMethod, 0);
+			ResolvableType customizerType = ResolvableType.forMethodParameter(customizerParameter);
+			ObjectProvider<?> customizerProvider = context.getBeanProvider(customizerType);
+
+			// @formatter:off
+			customizerProvider.orderedStream().forEach((customizer) ->
+				ReflectionUtils.invokeMethod(customizerMethod, http, customizer)
+			);
+			// @formatter:on
+
+		};
+		ReflectionUtils.doWithMethods(HttpSecurity.class, invokeWithEachCustomizerBean, isCustomizerMethod);
+	}
+
 	private Map<Class<?>, Object> createSharedObjects() {
 		Map<Class<?>, Object> sharedObjects = new HashMap<>();
 		sharedObjects.put(ApplicationContext.class, this.context);
 		sharedObjects.put(ContentNegotiationStrategy.class, this.contentNegotiationStrategy);
+		sharedObjects.put(PathPatternRequestMatcher.Builder.class, constructRequestMatcherBuilder(this.context));
 		return sharedObjects;
 	}
 
+	private PathPatternRequestMatcher.Builder constructRequestMatcherBuilder(ApplicationContext context) {
+		PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder = new PathPatternRequestMatcherBuilderFactoryBean();
+		requestMatcherBuilder.setApplicationContext(context);
+		requestMatcherBuilder.setBeanFactory(context.getAutowireCapableBeanFactory());
+		requestMatcherBuilder.setBeanName(requestMatcherBuilder.toString());
+		return ThrowingSupplier.of(requestMatcherBuilder::getObject).get();
+	}
+
 	static class DefaultPasswordEncoderAuthenticationManagerBuilder extends AuthenticationManagerBuilder {
 
 		private PasswordEncoder defaultPasswordEncoder;
@@ -178,17 +265,6 @@ class HttpSecurityConfiguration {
 			this.defaultPasswordEncoder = defaultPasswordEncoder;
 		}
 
-		/**
-		 * @deprecated
-		 */
-		@Deprecated(since = "6.4", forRemoval = true)
-		DefaultPasswordEncoderAuthenticationManagerBuilder(
-				org.springframework.security.config.annotation.ObjectPostProcessor<Object> objectPostProcessor,
-				PasswordEncoder defaultPasswordEncoder) {
-			super(objectPostProcessor);
-			this.defaultPasswordEncoder = defaultPasswordEncoder;
-		}
-
 		@Override
 		public InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> inMemoryAuthentication()
 				throws Exception {

config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java

@@ -34,6 +34,8 @@ import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.support.BeanDefinitionRegistry;
 import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
 import org.springframework.context.annotation.AnnotationBeanNameGenerator;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -48,13 +50,11 @@ import org.springframework.security.oauth2.client.DelegatingOAuth2AuthorizedClie
 import org.springframework.security.oauth2.client.JwtBearerOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
-import org.springframework.security.oauth2.client.PasswordOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.TokenExchangeOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
-import org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.TokenExchangeGrantRequest;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@@ -160,7 +160,7 @@ final class OAuth2ClientConfiguration {
 	 * @since 6.2.0
 	 */
 	static final class OAuth2AuthorizedClientManagerRegistrar
-			implements BeanDefinitionRegistryPostProcessor, BeanFactoryAware {
+			implements ApplicationEventPublisherAware, BeanDefinitionRegistryPostProcessor, BeanFactoryAware {
 
 		static final String BEAN_NAME = "authorizedClientManagerRegistrar";
 
@@ -171,7 +171,6 @@ final class OAuth2ClientConfiguration {
 				AuthorizationCodeOAuth2AuthorizedClientProvider.class,
 				RefreshTokenOAuth2AuthorizedClientProvider.class,
 				ClientCredentialsOAuth2AuthorizedClientProvider.class,
-				PasswordOAuth2AuthorizedClientProvider.class,
 				JwtBearerOAuth2AuthorizedClientProvider.class,
 				TokenExchangeOAuth2AuthorizedClientProvider.class
 		);
@@ -179,6 +178,8 @@ final class OAuth2ClientConfiguration {
 
 		private final AnnotationBeanNameGenerator beanNameGenerator = new AnnotationBeanNameGenerator();
 
+		private ApplicationEventPublisher applicationEventPublisher;
+
 		private ListableBeanFactory beanFactory;
 
 		@Override
@@ -237,7 +238,6 @@ final class OAuth2ClientConfiguration {
 				authorizedClientProviders.add(getRefreshTokenAuthorizedClientProvider(authorizedClientProviderBeans));
 				authorizedClientProviders
 					.add(getClientCredentialsAuthorizedClientProvider(authorizedClientProviderBeans));
-				authorizedClientProviders.add(getPasswordAuthorizedClientProvider(authorizedClientProviderBeans));
 
 				OAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = getJwtBearerAuthorizedClientProvider(
 						authorizedClientProviderBeans);
@@ -302,6 +302,10 @@ final class OAuth2ClientConfiguration {
 				authorizedClientProvider.setAccessTokenResponseClient(accessTokenResponseClient);
 			}
 
+			if (this.applicationEventPublisher != null) {
+				authorizedClientProvider.setApplicationEventPublisher(this.applicationEventPublisher);
+			}
+
 			return authorizedClientProvider;
 		}
 
@@ -323,24 +327,6 @@ final class OAuth2ClientConfiguration {
 			return authorizedClientProvider;
 		}
 
-		private OAuth2AuthorizedClientProvider getPasswordAuthorizedClientProvider(
-				Collection<OAuth2AuthorizedClientProvider> authorizedClientProviders) {
-			PasswordOAuth2AuthorizedClientProvider authorizedClientProvider = getAuthorizedClientProviderByType(
-					authorizedClientProviders, PasswordOAuth2AuthorizedClientProvider.class);
-			if (authorizedClientProvider == null) {
-				authorizedClientProvider = new PasswordOAuth2AuthorizedClientProvider();
-			}
-
-			OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = getBeanOfType(
-					ResolvableType.forClassWithGenerics(OAuth2AccessTokenResponseClient.class,
-							OAuth2PasswordGrantRequest.class));
-			if (accessTokenResponseClient != null) {
-				authorizedClientProvider.setAccessTokenResponseClient(accessTokenResponseClient);
-			}
-
-			return authorizedClientProvider;
-		}
-
 		private OAuth2AuthorizedClientProvider getJwtBearerAuthorizedClientProvider(
 				Collection<OAuth2AuthorizedClientProvider> authorizedClientProviders) {
 			JwtBearerOAuth2AuthorizedClientProvider authorizedClientProvider = getAuthorizedClientProviderByType(
@@ -423,6 +409,11 @@ final class OAuth2ClientConfiguration {
 			return objectProvider.getIfAvailable();
 		}
 
+		@Override
+		public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
+			this.applicationEventPublisher = applicationEventPublisher;
+		}
+
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java

@@ -26,15 +26,7 @@ import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 
-import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.BeansException;
-import org.springframework.beans.factory.FactoryBean;
-import org.springframework.beans.factory.config.BeanDefinition;
-import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
-import org.springframework.beans.factory.support.BeanDefinitionBuilder;
-import org.springframework.beans.factory.support.BeanDefinitionRegistry;
-import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
-import org.springframework.beans.factory.support.ManagedList;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
 import org.springframework.context.annotation.Bean;
@@ -45,8 +37,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.access.HandlerMappingIntrospectorRequestTransformer;
-import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
 import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
@@ -58,7 +48,6 @@ import org.springframework.web.filter.CompositeFilter;
 import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 import org.springframework.web.servlet.support.RequestDataValueProcessor;
 
 /**
@@ -76,8 +65,6 @@ import org.springframework.web.servlet.support.RequestDataValueProcessor;
  */
 class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContextAware {
 
-	private static final String HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME = "mvcHandlerMappingIntrospector";
-
 	private BeanResolver beanResolver;
 
 	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
@@ -119,95 +106,15 @@ class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContex
 		}
 	}
 
-	/**
-	 * Used to ensure Spring MVC request matching is cached.
-	 *
-	 * Creates a {@link BeanDefinitionRegistryPostProcessor} that detects if a bean named
-	 * HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME is defined. If so, it moves the
-	 * AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME to another bean name
-	 * and then adds a {@link CompositeFilter} that contains
-	 * {@link HandlerMappingIntrospector#createCacheFilter()} and the original
-	 * FilterChainProxy under the original Bean name.
-	 * @return
-	 */
-	@Bean
-	static BeanDefinitionRegistryPostProcessor springSecurityHandlerMappingIntrospectorBeanDefinitionRegistryPostProcessor() {
-		return new BeanDefinitionRegistryPostProcessor() {
-			@Override
-			public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
-			}
-
-			@Override
-			public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {
-				if (!registry.containsBeanDefinition(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
-					return;
-				}
-
-				String hmiRequestTransformerBeanName = HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME + "RequestTransformer";
-				if (!registry.containsBeanDefinition(hmiRequestTransformerBeanName)) {
-					BeanDefinition hmiRequestTransformer = BeanDefinitionBuilder
-						.rootBeanDefinition(HandlerMappingIntrospectorRequestTransformer.class)
-						.addConstructorArgReference(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)
-						.getBeanDefinition();
-					registry.registerBeanDefinition(hmiRequestTransformerBeanName, hmiRequestTransformer);
-				}
-
-				BeanDefinition filterChainProxy = registry
-					.getBeanDefinition(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
-
-				if (!filterChainProxy.getResolvableType().isInstance(CompositeFilterChainProxy.class)) {
-					BeanDefinitionBuilder hmiCacheFilterBldr = BeanDefinitionBuilder
-						.rootBeanDefinition(HandlerMappingIntrospectorCacheFilterFactoryBean.class)
-						.setRole(BeanDefinition.ROLE_INFRASTRUCTURE);
-
-					ManagedList<BeanMetadataElement> filters = new ManagedList<>();
-					filters.add(hmiCacheFilterBldr.getBeanDefinition());
-					filters.add(filterChainProxy);
-					BeanDefinitionBuilder compositeSpringSecurityFilterChainBldr = BeanDefinitionBuilder
-						.rootBeanDefinition(CompositeFilterChainProxy.class)
-						.addConstructorArgValue(filters);
-
-					registry.removeBeanDefinition(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
-					registry.registerBeanDefinition(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME,
-							compositeSpringSecurityFilterChainBldr.getBeanDefinition());
-				}
-			}
-		};
-	}
-
-	/**
-	 * {@link FactoryBean} to defer creation of
-	 * {@link HandlerMappingIntrospector#createCacheFilter()}
-	 */
-	static class HandlerMappingIntrospectorCacheFilterFactoryBean
-			implements ApplicationContextAware, FactoryBean<Filter> {
-
-		private ApplicationContext applicationContext;
-
-		@Override
-		public void setApplicationContext(ApplicationContext applicationContext) {
-			this.applicationContext = applicationContext;
-		}
-
-		@Override
-		public Filter getObject() throws Exception {
-			HandlerMappingIntrospector handlerMappingIntrospector = this.applicationContext
-				.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, HandlerMappingIntrospector.class);
-			return handlerMappingIntrospector.createCacheFilter();
-		}
-
-		@Override
-		public Class<?> getObjectType() {
-			return Filter.class;
-		}
-
-	}
-
 	/**
 	 * Extends {@link FilterChainProxy} to provide as much passivity as possible but
 	 * delegates to {@link CompositeFilter} for
 	 * {@link #doFilter(ServletRequest, ServletResponse, FilterChain)}.
+	 *
+	 * @deprecated see {@link WebSecurityConfiguration} for
+	 * {@link org.springframework.web.util.pattern.PathPattern} replacement
 	 */
+	@Deprecated
 	static class CompositeFilterChainProxy extends FilterChainProxy {
 
 		/**

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java

@@ -16,16 +16,28 @@
 
 package org.springframework.security.config.annotation.web.configuration;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
 import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
 
-import org.springframework.beans.factory.BeanClassLoaderAware;
+import org.springframework.beans.BeanMetadataElement;
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
+import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.support.BeanDefinitionRegistry;
+import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
+import org.springframework.beans.factory.support.ManagedList;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.DependsOn;
@@ -45,11 +57,17 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.crypto.RsaKeyConversionServicePostProcessor;
 import org.springframework.security.context.DelegatingApplicationListener;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
+import org.springframework.security.web.debug.DebugFilter;
+import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.RequestRejectedHandler;
+import org.springframework.web.filter.CompositeFilter;
+import org.springframework.web.filter.ServletRequestPathFilter;
 
 /**
  * Uses a {@link WebSecurity} to create the {@link FilterChainProxy} that performs the web
@@ -60,28 +78,22 @@ import org.springframework.security.web.context.AbstractSecurityWebApplicationIn
  *
  * @author Rob Winch
  * @author Keesun Baik
+ * @author Yanming Zhou
  * @since 3.2
  * @see EnableWebSecurity
  * @see WebSecurity
  */
 @Configuration(proxyBeanMethods = false)
-public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
+public class WebSecurityConfiguration implements ImportAware {
 
 	private WebSecurity webSecurity;
 
 	private Boolean debugEnabled;
 
-	private List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers;
-
 	private List<SecurityFilterChain> securityFilterChains = Collections.emptyList();
 
 	private List<WebSecurityCustomizer> webSecurityCustomizers = Collections.emptyList();
 
-	private ClassLoader beanClassLoader;
-
-	@Autowired(required = false)
-	private HttpSecurity httpSecurity;
-
 	@Bean
 	public static DelegatingApplicationListener delegatingApplicationListener() {
 		return new DelegatingApplicationListener();
@@ -99,14 +111,15 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
 	 * @throws Exception
 	 */
 	@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
-	public Filter springSecurityFilterChain() throws Exception {
+	public Filter springSecurityFilterChain(ObjectProvider<HttpSecurity> provider) throws Exception {
 		boolean hasFilterChain = !this.securityFilterChains.isEmpty();
 		if (!hasFilterChain) {
 			this.webSecurity.addSecurityFilterChainBuilder(() -> {
-				this.httpSecurity.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated());
-				this.httpSecurity.formLogin(Customizer.withDefaults());
-				this.httpSecurity.httpBasic(Customizer.withDefaults());
-				return this.httpSecurity.build();
+				HttpSecurity httpSecurity = provider.getObject();
+				httpSecurity.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated());
+				httpSecurity.formLogin(Customizer.withDefaults());
+				httpSecurity.httpBasic(Customizer.withDefaults());
+				return httpSecurity.build();
 			});
 		}
 		for (SecurityFilterChain securityFilterChain : this.securityFilterChains) {
@@ -164,7 +177,6 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
 		for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {
 			this.webSecurity.apply(webSecurityConfigurer);
 		}
-		this.webSecurityConfigurers = webSecurityConfigurers;
 	}
 
 	@Autowired(required = false)
@@ -178,7 +190,7 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
 	}
 
 	@Bean
-	public static BeanFactoryPostProcessor conversionServicePostProcessor() {
+	public static RsaKeyConversionServicePostProcessor conversionServicePostProcessor() {
 		return new RsaKeyConversionServicePostProcessor();
 	}
 
@@ -193,9 +205,48 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
 		}
 	}
 
-	@Override
-	public void setBeanClassLoader(ClassLoader classLoader) {
-		this.beanClassLoader = classLoader;
+	/**
+	 * Used to ensure Spring MVC request matching is cached.
+	 *
+	 * Creates a {@link BeanDefinitionRegistryPostProcessor} that moves the
+	 * AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME to another bean name
+	 * and then adds a {@link CompositeFilter} that contains
+	 * {@link ServletRequestPathFilter} and the original FilterChainProxy under the
+	 * original Bean name.
+	 * @return
+	 */
+	@Bean
+	static BeanDefinitionRegistryPostProcessor springSecurityPathPatternParserBeanDefinitionRegistryPostProcessor() {
+		return new BeanDefinitionRegistryPostProcessor() {
+			@Override
+			public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
+			}
+
+			@Override
+			public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {
+				BeanDefinition filterChainProxy = registry
+					.getBeanDefinition(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
+
+				if (filterChainProxy.getResolvableType().isInstance(CompositeFilterChainProxy.class)) {
+					return;
+				}
+
+				BeanDefinitionBuilder pppCacheFilterBldr = BeanDefinitionBuilder
+					.rootBeanDefinition(ServletRequestPathFilter.class)
+					.setRole(BeanDefinition.ROLE_INFRASTRUCTURE);
+
+				ManagedList<BeanMetadataElement> filters = new ManagedList<>();
+				filters.add(pppCacheFilterBldr.getBeanDefinition());
+				filters.add(filterChainProxy);
+				BeanDefinitionBuilder compositeSpringSecurityFilterChainBldr = BeanDefinitionBuilder
+					.rootBeanDefinition(CompositeFilterChainProxy.class)
+					.addConstructorArgValue(filters);
+
+				registry.removeBeanDefinition(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
+				registry.registerBeanDefinition(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME,
+						compositeSpringSecurityFilterChainBldr.getBeanDefinition());
+			}
+		};
 	}
 
 	/**
@@ -231,4 +282,121 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
 
 	}
 
+	/**
+	 * Extends {@link FilterChainProxy} to provide as much passivity as possible but
+	 * delegates to {@link CompositeFilter} for
+	 * {@link #doFilter(ServletRequest, ServletResponse, FilterChain)}.
+	 */
+	static class CompositeFilterChainProxy extends FilterChainProxy {
+
+		/**
+		 * Used for {@link #doFilter(ServletRequest, ServletResponse, FilterChain)}
+		 */
+		private final Filter doFilterDelegate;
+
+		private final FilterChainProxy springSecurityFilterChain;
+
+		/**
+		 * Creates a new instance
+		 * @param filters the Filters to delegate to. One of which must be
+		 * FilterChainProxy.
+		 */
+		CompositeFilterChainProxy(List<? extends Filter> filters) {
+			this.doFilterDelegate = createDoFilterDelegate(filters);
+			this.springSecurityFilterChain = findFilterChainProxy(filters);
+		}
+
+		@Override
+		public void afterPropertiesSet() {
+			this.springSecurityFilterChain.afterPropertiesSet();
+		}
+
+		@Override
+		public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+				throws IOException, ServletException {
+			this.doFilterDelegate.doFilter(request, response, chain);
+		}
+
+		@Override
+		public List<Filter> getFilters(String url) {
+			return this.springSecurityFilterChain.getFilters(url);
+		}
+
+		@Override
+		public List<SecurityFilterChain> getFilterChains() {
+			return this.springSecurityFilterChain.getFilterChains();
+		}
+
+		@Override
+		public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+			this.springSecurityFilterChain.setSecurityContextHolderStrategy(securityContextHolderStrategy);
+		}
+
+		@Override
+		public void setFilterChainValidator(FilterChainValidator filterChainValidator) {
+			this.springSecurityFilterChain.setFilterChainValidator(filterChainValidator);
+		}
+
+		@Override
+		public void setFilterChainDecorator(FilterChainDecorator filterChainDecorator) {
+			this.springSecurityFilterChain.setFilterChainDecorator(filterChainDecorator);
+		}
+
+		@Override
+		public void setFirewall(HttpFirewall firewall) {
+			this.springSecurityFilterChain.setFirewall(firewall);
+		}
+
+		@Override
+		public void setRequestRejectedHandler(RequestRejectedHandler requestRejectedHandler) {
+			this.springSecurityFilterChain.setRequestRejectedHandler(requestRejectedHandler);
+		}
+
+		/**
+		 * Used through reflection by Spring Security's Test support to lookup the
+		 * FilterChainProxy Filters for a specific HttpServletRequest.
+		 * @param request
+		 * @return
+		 */
+		private List<? extends Filter> getFilters(HttpServletRequest request) {
+			List<SecurityFilterChain> filterChains = this.springSecurityFilterChain.getFilterChains();
+			for (SecurityFilterChain chain : filterChains) {
+				if (chain.matches(request)) {
+					return chain.getFilters();
+				}
+			}
+			return null;
+		}
+
+		/**
+		 * Creates the Filter to delegate to for doFilter
+		 * @param filters the Filters to delegate to.
+		 * @return the Filter for doFilter
+		 */
+		private static Filter createDoFilterDelegate(List<? extends Filter> filters) {
+			CompositeFilter delegate = new CompositeFilter();
+			delegate.setFilters(filters);
+			return delegate;
+		}
+
+		/**
+		 * Find the FilterChainProxy in a List of Filter
+		 * @param filters
+		 * @return non-null FilterChainProxy
+		 * @throws IllegalStateException if the FilterChainProxy cannot be found
+		 */
+		private static FilterChainProxy findFilterChainProxy(List<? extends Filter> filters) {
+			for (Filter filter : filters) {
+				if (filter instanceof FilterChainProxy fcp) {
+					return fcp;
+				}
+				if (filter instanceof DebugFilter debugFilter) {
+					return debugFilter.getFilterChainProxy();
+				}
+			}
+			throw new IllegalStateException("Couldn't find FilterChainProxy in " + filters);
+		}
+
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java

@@ -21,6 +21,7 @@ import java.util.Collections;
 
 import jakarta.servlet.http.HttpServletRequest;
 
+import org.springframework.context.ApplicationContext;
 import org.springframework.http.MediaType;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -28,6 +29,7 @@ import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.PortMapper;
+import org.springframework.security.web.PortResolver;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
@@ -272,6 +274,10 @@ public abstract class AbstractAuthenticationFilterConfigurer<B extends HttpSecur
 		if (portMapper != null) {
 			this.authenticationEntryPoint.setPortMapper(portMapper);
 		}
+		PortResolver portResolver = getBeanOrNull(http, PortResolver.class);
+		if (portResolver != null) {
+			this.authenticationEntryPoint.setPortResolver(portResolver);
+		}
 		RequestCache requestCache = http.getSharedObject(RequestCache.class);
 		if (requestCache != null) {
 			this.defaultSuccessHandler.setRequestCache(requestCache);
@@ -412,6 +418,14 @@ public abstract class AbstractAuthenticationFilterConfigurer<B extends HttpSecur
 		this.authenticationEntryPoint = new LoginUrlAuthenticationEntryPoint(loginPage);
 	}
 
+	private <C> C getBeanOrNull(B http, Class<C> clazz) {
+		ApplicationContext context = http.getSharedObject(ApplicationContext.class);
+		if (context == null) {
+			return null;
+		}
+		return context.getBeanProvider(clazz).getIfUnique();
+	}
+
 	@SuppressWarnings("unchecked")
 	private T getSelf() {
 		return (T) this;

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java

@@ -22,7 +22,9 @@ import java.util.LinkedHashMap;
 import java.util.List;
 
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
@@ -34,9 +36,14 @@ import org.springframework.util.Assert;
  * @author Rob Winch
  * @since 3.2
  * @see ChannelSecurityConfigurer
- * @see UrlAuthorizationConfigurer
- * @see ExpressionUrlAuthorizationConfigurer
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
  */
+@Deprecated
 public abstract class AbstractConfigAttributeRequestMatcherRegistry<C> extends AbstractRequestMatcherRegistry<C> {
 
 	private List<UrlMapping> urlMappings = new ArrayList<>();

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractHttpConfigurer.java

@@ -25,12 +25,14 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 
 /**
  * Adds a convenient base class for {@link SecurityConfigurer} instances that operate on
  * {@link HttpSecurity}.
  *
  * @author Rob Winch
+ * @author Ding Hao
  */
 public abstract class AbstractHttpConfigurer<T extends AbstractHttpConfigurer<T, B>, B extends HttpSecurityBuilder<B>>
 		extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, B> {
@@ -54,30 +56,18 @@ public abstract class AbstractHttpConfigurer<T extends AbstractHttpConfigurer<T,
 		return (T) this;
 	}
 
-	/**
-	 * @deprecated
-	 */
-	@Deprecated(since = "6.4", forRemoval = true)
-	@SuppressWarnings("unchecked")
-	public T withObjectPostProcessor(
-			org.springframework.security.config.annotation.ObjectPostProcessor<?> objectPostProcessor) {
-		addObjectPostProcessor(objectPostProcessor);
-		return (T) this;
-	}
-
 	protected SecurityContextHolderStrategy getSecurityContextHolderStrategy() {
 		if (this.securityContextHolderStrategy != null) {
 			return this.securityContextHolderStrategy;
 		}
 		ApplicationContext context = getBuilder().getSharedObject(ApplicationContext.class);
-		String[] names = context.getBeanNamesForType(SecurityContextHolderStrategy.class);
-		if (names.length == 1) {
-			this.securityContextHolderStrategy = context.getBean(SecurityContextHolderStrategy.class);
-		}
-		else {
-			this.securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();
-		}
+		this.securityContextHolderStrategy = context.getBeanProvider(SecurityContextHolderStrategy.class)
+			.getIfUnique(SecurityContextHolder::getContextHolderStrategy);
 		return this.securityContextHolderStrategy;
 	}
 
+	protected PathPatternRequestMatcher.Builder getRequestMatcherBuilder() {
+		return getBuilder().getSharedObject(PathPatternRequestMatcher.Builder.class);
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java

@@ -1,195 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config.annotation.web.configurers;
-
-import java.util.List;
-
-import org.springframework.security.access.AccessDecisionManager;
-import org.springframework.security.access.AccessDecisionVoter;
-import org.springframework.security.access.vote.AffirmativeBased;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.config.annotation.SecurityConfigurer;
-import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
-import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
-
-/**
- * A base class for configuring the {@link FilterSecurityInterceptor}.
- *
- * <h2>Security Filters</h2>
- *
- * The following Filters are populated
- *
- * <ul>
- * <li>{@link FilterSecurityInterceptor}</li>
- * </ul>
- *
- * <h2>Shared Objects Created</h2>
- *
- * The following shared objects are populated to allow other {@link SecurityConfigurer}'s
- * to customize:
- * <ul>
- * <li>{@link FilterSecurityInterceptor}</li>
- * </ul>
- *
- * <h2>Shared Objects Used</h2>
- *
- * The following shared objects are used:
- *
- * <ul>
- * <li>{@link AuthenticationManager}</li>
- * </ul>
- *
- * @param <C> the AbstractInterceptUrlConfigurer
- * @param <H> the type of {@link HttpSecurityBuilder} that is being configured
- * @author Rob Winch
- * @since 3.2
- * @see ExpressionUrlAuthorizationConfigurer
- * @see UrlAuthorizationConfigurer
- * @deprecated Use {@link AuthorizeHttpRequestsConfigurer} instead
- */
-@Deprecated
-public abstract class AbstractInterceptUrlConfigurer<C extends AbstractInterceptUrlConfigurer<C, H>, H extends HttpSecurityBuilder<H>>
-		extends AbstractHttpConfigurer<C, H> {
-
-	private Boolean filterSecurityInterceptorOncePerRequest;
-
-	private AccessDecisionManager accessDecisionManager;
-
-	AbstractInterceptUrlConfigurer() {
-	}
-
-	@Override
-	public void configure(H http) throws Exception {
-		FilterInvocationSecurityMetadataSource metadataSource = createMetadataSource(http);
-		if (metadataSource == null) {
-			return;
-		}
-		FilterSecurityInterceptor securityInterceptor = createFilterSecurityInterceptor(http, metadataSource,
-				http.getSharedObject(AuthenticationManager.class));
-		if (this.filterSecurityInterceptorOncePerRequest != null) {
-			securityInterceptor.setObserveOncePerRequest(this.filterSecurityInterceptorOncePerRequest);
-		}
-		securityInterceptor = postProcess(securityInterceptor);
-		http.addFilter(securityInterceptor);
-		http.setSharedObject(FilterSecurityInterceptor.class, securityInterceptor);
-	}
-
-	/**
-	 * Subclasses should implement this method to provide a
-	 * {@link FilterInvocationSecurityMetadataSource} for the
-	 * {@link FilterSecurityInterceptor}.
-	 * @param http the builder to use
-	 * @return the {@link FilterInvocationSecurityMetadataSource} to set on the
-	 * {@link FilterSecurityInterceptor}. Cannot be null.
-	 */
-	abstract FilterInvocationSecurityMetadataSource createMetadataSource(H http);
-
-	/**
-	 * Subclasses should implement this method to provide the {@link AccessDecisionVoter}
-	 * instances used to create the default {@link AccessDecisionManager}
-	 * @param http the builder to use
-	 * @return the {@link AccessDecisionVoter} instances used to create the default
-	 * {@link AccessDecisionManager}
-	 */
-	abstract List<AccessDecisionVoter<?>> getDecisionVoters(H http);
-
-	/**
-	 * Creates the default {@code AccessDecisionManager}
-	 * @return the default {@code AccessDecisionManager}
-	 */
-	private AccessDecisionManager createDefaultAccessDecisionManager(H http) {
-		AffirmativeBased result = new AffirmativeBased(getDecisionVoters(http));
-		return postProcess(result);
-	}
-
-	/**
-	 * If currently null, creates a default {@link AccessDecisionManager} using
-	 * {@link #createDefaultAccessDecisionManager(HttpSecurityBuilder)}. Otherwise returns
-	 * the {@link AccessDecisionManager}.
-	 * @param http the builder to use
-	 * @return the {@link AccessDecisionManager} to use
-	 */
-	private AccessDecisionManager getAccessDecisionManager(H http) {
-		if (this.accessDecisionManager == null) {
-			this.accessDecisionManager = createDefaultAccessDecisionManager(http);
-		}
-		return this.accessDecisionManager;
-	}
-
-	/**
-	 * Creates the {@link FilterSecurityInterceptor}
-	 * @param http the builder to use
-	 * @param metadataSource the {@link FilterInvocationSecurityMetadataSource} to use
-	 * @param authenticationManager the {@link AuthenticationManager} to use
-	 * @return the {@link FilterSecurityInterceptor}
-	 * @throws Exception
-	 */
-	private FilterSecurityInterceptor createFilterSecurityInterceptor(H http,
-			FilterInvocationSecurityMetadataSource metadataSource, AuthenticationManager authenticationManager)
-			throws Exception {
-		FilterSecurityInterceptor securityInterceptor = new FilterSecurityInterceptor();
-		securityInterceptor.setSecurityMetadataSource(metadataSource);
-		securityInterceptor.setAccessDecisionManager(getAccessDecisionManager(http));
-		securityInterceptor.setAuthenticationManager(authenticationManager);
-		securityInterceptor.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
-		securityInterceptor.afterPropertiesSet();
-		return securityInterceptor;
-	}
-
-	public abstract class AbstractInterceptUrlRegistry<R extends AbstractInterceptUrlRegistry<R, T>, T>
-			extends AbstractConfigAttributeRequestMatcherRegistry<T> {
-
-		AbstractInterceptUrlRegistry() {
-		}
-
-		/**
-		 * Allows setting the {@link AccessDecisionManager}. If none is provided, a
-		 * default {@link AccessDecisionManager} is created.
-		 * @param accessDecisionManager the {@link AccessDecisionManager} to use
-		 * @return the {@link AbstractInterceptUrlConfigurer} for further customization
-		 */
-		public R accessDecisionManager(AccessDecisionManager accessDecisionManager) {
-			AbstractInterceptUrlConfigurer.this.accessDecisionManager = accessDecisionManager;
-			return getSelf();
-		}
-
-		/**
-		 * Allows setting if the {@link FilterSecurityInterceptor} should be only applied
-		 * once per request (i.e. if the filter intercepts on a forward, should it be
-		 * applied again).
-		 * @param filterSecurityInterceptorOncePerRequest if the
-		 * {@link FilterSecurityInterceptor} should be only applied once per request
-		 * @return the {@link AbstractInterceptUrlConfigurer} for further customization
-		 */
-		public R filterSecurityInterceptorOncePerRequest(boolean filterSecurityInterceptorOncePerRequest) {
-			AbstractInterceptUrlConfigurer.this.filterSecurityInterceptorOncePerRequest = filterSecurityInterceptorOncePerRequest;
-			return getSelf();
-		}
-
-		/**
-		 * Returns a reference to the current object with a single suppression of the type
-		 * @return a reference to the current object
-		 */
-		@SuppressWarnings("unchecked")
-		private R getSelf() {
-			return (R) this;
-		}
-
-	}
-
-}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java

@@ -21,6 +21,7 @@ import java.util.UUID;
 
 import org.springframework.security.authentication.AnonymousAuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -57,7 +58,7 @@ public final class AnonymousConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#anonymous()
+	 * @see HttpSecurity#anonymous(Customizer)
 	 */
 	public AnonymousConfigurer() {
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -33,6 +33,7 @@ import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationManagers;
+import org.springframework.security.authorization.SingleResultAuthorizationManager;
 import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
@@ -57,9 +58,6 @@ import org.springframework.util.function.SingletonSupplier;
 public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder<H>>
 		extends AbstractHttpConfigurer<AuthorizeHttpRequestsConfigurer<H>, H> {
 
-	static final AuthorizationManager<RequestAuthorizationContext> permitAllAuthorizationManager = (a,
-			o) -> new AuthorizationDecision(true);
-
 	private final AuthorizationManagerRequestMatcherRegistry registry;
 
 	private final AuthorizationEventPublisher publisher;
@@ -112,7 +110,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 		AuthorizationManager<HttpServletRequest> authorizationManager = this.registry.createAuthorizationManager();
 		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
 		authorizationFilter.setAuthorizationEventPublisher(this.publisher);
-		authorizationFilter.setShouldFilterAllDispatcherTypes(this.registry.shouldFilterAllDispatcherTypes);
 		authorizationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 		http.addFilter(postProcess(authorizationFilter));
 	}
@@ -146,8 +143,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 
 		private int mappingCount;
 
-		private boolean shouldFilterAllDispatcherTypes = true;
-
 		private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) {
 			setApplicationContext(context);
 		}
@@ -193,57 +188,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 			return this;
 		}
 
-		/**
-		 * @deprecated
-		 */
-		@Deprecated(since = "6.4", forRemoval = true)
-		public AuthorizationManagerRequestMatcherRegistry withObjectPostProcessor(
-				org.springframework.security.config.annotation.ObjectPostProcessor<?> objectPostProcessor) {
-			addObjectPostProcessor(objectPostProcessor);
-			return this;
-		}
-
-		/**
-		 * Sets whether all dispatcher types should be filtered.
-		 * @param shouldFilter should filter all dispatcher types. Default is {@code true}
-		 * @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
-		 * customizations
-		 * @since 5.7
-		 * @deprecated Permit access to the {@link jakarta.servlet.DispatcherType}
-		 * instead. <pre>
-		 * &#064;Configuration
-		 * &#064;EnableWebSecurity
-		 * public class SecurityConfig {
-		 *
-		 * 	&#064;Bean
-		 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		 * 		http
-		 * 		 	.authorizeHttpRequests((authorize) -&gt; authorize
-		 * 				.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
-		 * 			 	// ...
-		 * 		 	);
-		 * 		return http.build();
-		 * 	}
-		 * }
-		 * </pre>
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public AuthorizationManagerRequestMatcherRegistry shouldFilterAllDispatcherTypes(boolean shouldFilter) {
-			this.shouldFilterAllDispatcherTypes = shouldFilter;
-			return this;
-		}
-
-		/**
-		 * Return the {@link HttpSecurityBuilder} when done using the
-		 * {@link AuthorizeHttpRequestsConfigurer}. This is useful for method chaining.
-		 * @return the {@link HttpSecurityBuilder} for further customizations
-		 * @deprecated For removal in 7.0. Use the lambda based configuration instead.
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public H and() {
-			return AuthorizeHttpRequestsConfigurer.this.and();
-		}
-
 	}
 
 	/**
@@ -287,7 +231,7 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 		 * customizations
 		 */
 		public AuthorizationManagerRequestMatcherRegistry permitAll() {
-			return access(permitAllAuthorizationManager);
+			return access(SingleResultAuthorizationManager.permitAll());
 		}
 
 		/**
@@ -296,7 +240,7 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 		 * customizations
 		 */
 		public AuthorizationManagerRequestMatcherRegistry denyAll() {
-			return access((a, o) -> new AuthorizationDecision(false));
+			return access(SingleResultAuthorizationManager.denyAll());
 		}
 
 		/**

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurer.java

@@ -24,10 +24,7 @@ import java.util.List;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityConfig;
-import org.springframework.security.config.Customizer;
 import org.springframework.security.config.ObjectPostProcessor;
-import org.springframework.security.config.annotation.SecurityBuilder;
-import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.DefaultRedirectStrategy;
@@ -78,7 +75,9 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
  * @author Rob Winch
  * @author Onur Kagan Ozcan
  * @since 3.2
+ * @deprecated please use {@link HttpsRedirectConfigurer} instead
  */
+@Deprecated
 public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 		extends AbstractHttpConfigurer<ChannelSecurityConfigurer<H>, H> {
 
@@ -94,7 +93,7 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#requiresChannel()
+	 * @see HttpSecurity#requiresChannel(Customizer)
 	 */
 	public ChannelSecurityConfigurer(ApplicationContext context) {
 		this.REGISTRY = new ChannelRequestMatcherRegistry(context);
@@ -147,6 +146,10 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 		return this.REGISTRY;
 	}
 
+	/**
+	 * @deprecated no replacement planned
+	 */
+	@Deprecated
 	public final class ChannelRequestMatcherRegistry
 			extends AbstractConfigAttributeRequestMatcherRegistry<RequiresChannelUrl> {
 
@@ -169,16 +172,6 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
-		/**
-		 * @deprecated
-		 */
-		@Deprecated(since = "6.4", forRemoval = true)
-		public ChannelRequestMatcherRegistry withObjectPostProcessor(
-				org.springframework.security.config.annotation.ObjectPostProcessor<?> objectPostProcessor) {
-			addObjectPostProcessor(objectPostProcessor);
-			return this;
-		}
-
 		/**
 		 * Sets the {@link ChannelProcessor} instances to use in
 		 * {@link ChannelDecisionManagerImpl}
@@ -201,20 +194,12 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
-		/**
-		 * Return the {@link SecurityBuilder} when done using the
-		 * {@link SecurityConfigurer}. This is useful for method chaining.
-		 * @return the type of {@link HttpSecurityBuilder} that is being configured
-		 * @deprecated For removal in 7.0. Use
-		 * {@link HttpSecurity#requiresChannel(Customizer)} instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public H and() {
-			return ChannelSecurityConfigurer.this.and();
-		}
-
 	}
 
+	/**
+	 * @deprecated no replacement planned
+	 */
+	@Deprecated
 	public class RequiresChannelUrl {
 
 		protected List<? extends RequestMatcher> requestMatchers;

config/src/main/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurer.java

@@ -18,21 +18,18 @@ package org.springframework.security.config.annotation.web.configurers;
 
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.util.Assert;
-import org.springframework.util.ClassUtils;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
-import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 /**
  * Adds {@link CorsFilter} to the Spring Security filter chain. If a bean by the name of
  * corsFilter is provided, that {@link CorsFilter} is used. Else if
  * corsConfigurationSource is defined, then that {@link CorsConfiguration} is used.
- * Otherwise, if Spring MVC is on the classpath a {@link HandlerMappingIntrospector} is
- * used.
  *
  * @param <H> the builder to return.
  * @author Rob Winch
@@ -44,20 +41,12 @@ public class CorsConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHt
 
 	private static final String CORS_FILTER_BEAN_NAME = "corsFilter";
 
-	private static final String HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector";
-
-	private static final boolean mvcPresent;
-
 	private CorsConfigurationSource configurationSource;
 
-	static {
-		mvcPresent = ClassUtils.isPresent(HANDLER_MAPPING_INTROSPECTOR, CorsConfigurer.class.getClassLoader());
-	}
-
 	/**
 	 * Creates a new instance
 	 *
-	 * @see HttpSecurity#cors()
+	 * @see HttpSecurity#cors(Customizer)
 	 */
 	public CorsConfigurer() {
 	}
@@ -90,10 +79,7 @@ public class CorsConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHt
 					CorsConfigurationSource.class);
 			return new CorsFilter(configurationSource);
 		}
-		if (mvcPresent) {
-			return MvcCorsFilter.getMvcCorsFilter(context);
-		}
-		return null;
+		return MvcCorsFilter.getMvcCorsFilter(context);
 	}
 
 	static class MvcCorsFilter {
@@ -107,15 +93,14 @@ public class CorsConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHt
 		 * @return
 		 */
 		private static CorsFilter getMvcCorsFilter(ApplicationContext context) {
-			if (!context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
-				throw new NoSuchBeanDefinitionException(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, "A Bean named "
-						+ HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME + " of type "
-						+ HandlerMappingIntrospector.class.getName()
-						+ " is required to use MvcRequestMatcher. Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
+			if (context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
+				CorsConfigurationSource corsConfigurationSource = context
+					.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, CorsConfigurationSource.class);
+				return new CorsFilter(corsConfigurationSource);
 			}
-			HandlerMappingIntrospector mappingIntrospector = context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME,
-					HandlerMappingIntrospector.class);
-			return new CorsFilter(mappingIntrospector);
+			throw new NoSuchBeanDefinitionException(CorsConfigurationSource.class,
+					"Failed to find a bean that implements `CorsConfigurationSource`. Please ensure that you are using "
+							+ "`@EnableWebMvc`, are publishing a `WebMvcConfigurer`, or are publishing a `CorsConfigurationSource` bean.");
 		}
 
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java

@@ -19,12 +19,15 @@ package org.springframework.security.config.annotation.web.configurers;
 import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.function.Supplier;
 
 import io.micrometer.observation.ObservationRegistry;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -34,13 +37,17 @@ import org.springframework.security.web.access.CompositeAccessDeniedHandler;
 import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
 import org.springframework.security.web.access.ObservationMarkingAccessDeniedHandler;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfLogoutHandler;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler;
 import org.springframework.security.web.session.InvalidSessionStrategy;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
@@ -48,6 +55,7 @@ import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * Adds
@@ -96,7 +104,7 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#csrf()
+	 * @see HttpSecurity#csrf(Customizer)
 	 */
 	public CsrfConfigurer(ApplicationContext context) {
 		this.context = context;
@@ -156,16 +164,16 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 *
 	 * <pre>
 	 * http
-	 *     .csrf()
-	 *         .ignoringRequestMatchers((request) -&gt; "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
-	 *         .and()
+	 *     .csrf((csrf) -&gt; csrf
+	 *         .ignoringRequestMatchers((request) -&gt; "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))))
 	 *     ...
 	 * </pre>
 	 *
 	 * @since 5.1
 	 */
 	public CsrfConfigurer<H> ignoringRequestMatchers(RequestMatcher... requestMatchers) {
-		return new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(requestMatchers).and();
+		new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(requestMatchers);
+		return this;
 	}
 
 	/**
@@ -184,9 +192,8 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 *
 	 * <pre>
 	 * http
-	 *     .csrf()
-	 *         .ignoringRequestMatchers("/sockjs/**")
-	 *         .and()
+	 *     .csrf((csrf) -&gt; csrf
+	 *         .ignoringRequestMatchers("/sockjs/**"))
 	 *     ...
 	 * </pre>
 	 *
@@ -194,7 +201,8 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @see AbstractRequestMatcherRegistry#requestMatchers(String...)
 	 */
 	public CsrfConfigurer<H> ignoringRequestMatchers(String... patterns) {
-		return new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(patterns).and();
+		new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(patterns);
+		return this;
 	}
 
 	/**
@@ -214,6 +222,21 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 		return this;
 	}
 
+	/**
+	 * <p>
+	 * Sensible CSRF defaults when used in combination with a single page application.
+	 * Creates a cookie-based token repository and a custom request handler to resolve the
+	 * actual token value instead of the encoded token.
+	 * </p>
+	 * @return the {@link CsrfConfigurer} for further customizations
+	 * @since 7.0
+	 */
+	public CsrfConfigurer<H> spa() {
+		this.csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
+		this.requestHandler = new SpaCsrfTokenRequestHandler();
+		return this;
+	}
+
 	@SuppressWarnings("unchecked")
 	@Override
 	public void configure(H http) {
@@ -363,10 +386,6 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 			setApplicationContext(context);
 		}
 
-		CsrfConfigurer<H> and() {
-			return CsrfConfigurer.this;
-		}
-
 		@Override
 		protected IgnoreCsrfProtectionRegistry chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			CsrfConfigurer.this.ignoredCsrfProtectionMatchers.addAll(requestMatchers);
@@ -375,4 +394,27 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
 	}
 
+	private static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
+
+		private final CsrfTokenRequestAttributeHandler plain = new CsrfTokenRequestAttributeHandler();
+
+		private final CsrfTokenRequestAttributeHandler xor = new XorCsrfTokenRequestAttributeHandler();
+
+		SpaCsrfTokenRequestHandler() {
+			this.xor.setCsrfRequestAttributeName(null);
+		}
+
+		@Override
+		public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> csrfToken) {
+			this.xor.handle(request, response, csrfToken);
+		}
+
+		@Override
+		public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
+			String headerValue = request.getHeader(csrfToken.getHeaderName());
+			return (StringUtils.hasText(headerValue) ? this.plain : this.xor).resolveCsrfTokenValue(request, csrfToken);
+		}
+
+	}
+
 }