Merge branch '6.5.x'

Bumps `io-spring-javaformat` from 0.0.46 to 0.0.47.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.template.yml

@@ -1,40 +0,0 @@
-version: 2
-
-registries:
-  spring-milestones:
-    type: maven-repository
-    url: https://repo.spring.io/milestone
-
-updates:
-
-  - package-ecosystem: "gradle"
-    target-branch: "main"
-    directory: "/"
-    schedule:
-      interval: "daily"
-      time: "03:00"
-      timezone: "Etc/UTC"
-    labels: [ "type: dependency-upgrade" ]
-    registries:
-      - "spring-milestones"
-    ignore:
-      - dependency-name: "com.nimbusds:nimbus-jose-jwt" # nimbus-jose-jwt gets updated when oauth2-oidc-sdk is updated to ensure consistency
-      - dependency-name: "org.python:jython" # jython updates break integration tests
-      - dependency-name: "org.apache.directory.server:*" # ApacheDS version > 1.5.5 contains break changes
-      - dependency-name: "org.junit:junit-bom"
-        update-types: [ "version-update:semver-major" ]
-      - dependency-name: "org.mockito:mockito-bom"
-        update-types: [ "version-update:semver-major" ]
-      - dependency-name: "*"
-        update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-
-  #    GitHub Actions
-
-  - package-ecosystem: github-actions
-    target-branch: "main"
-    directory: "/"
-    schedule:
-      interval: weekly
-    ignore:
-      - dependency-name: "spring-io/*"
-      - dependency-name: "spring-security-release-tools/*"

.github/dependabot.yml

@@ -4,6 +4,32 @@ registries:
     type: maven-repository
     url: https://repo.spring.io/milestone
 updates:
+  - package-ecosystem: gradle
+    target-branch: 6.5.x
+    directory: /
+    schedule:
+      interval: daily
+      time: '03:00'
+      timezone: Etc/UTC
+    labels:
+      - 'type: dependency-upgrade'
+    registries:
+      - spring-milestones
+    ignore:
+      - dependency-name: com.nimbusds:nimbus-jose-jwt
+      - dependency-name: org.python:jython
+      - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
+      - dependency-name: org.junit:junit-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: org.mockito:mockito-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: '*'
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
   - package-ecosystem: gradle
     target-branch: 6.4.x
     directory: /
@@ -85,17 +111,8 @@ updates:
       - dependency-name: '*'
         update-types:
           - version-update:semver-major
+          - version-update:semver-minor
 
-  - package-ecosystem: github-actions
-    target-branch: 6.4.x
-    directory: /
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'
-    ignore:
-      - dependency-name: sjohnr/*
   - package-ecosystem: github-actions
     target-branch: 6.3.x
     directory: /
@@ -106,14 +123,6 @@ updates:
       - 'in: build'
     ignore:
       - dependency-name: sjohnr/*
-  - package-ecosystem: github-actions
-    target-branch: main
-    directory: /
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'
   - package-ecosystem: github-actions
     target-branch: docs-build
     directory: /

.github/workflows/codeql.yml

@@ -0,0 +1,17 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#schedule
+    - cron: '0 5 * * *'
+permissions: read-all
+jobs:
+  codeql-analysis-call:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: spring-io/github-actions/.github/workflows/codeql-analysis.yml@1

.github/workflows/continuous-integration-workflow.yml

@@ -39,48 +39,25 @@ jobs:
             toolchain: 17
     with:
       java-version: ${{ matrix.java-version }}
-      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=6.2.+ -PreactorVersion=2023.0.+ -PspringDataVersion=2024.0.+ --stacktrace
+      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot,https://oss.sonatype.org/content/repositories/snapshots -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=7.+ -PreactorVersion=2025.+ -PspringDataVersion=2025.+ --stacktrace
     secrets: inherit
-  check-samples:
-    name: Check Samples
-    runs-on: ubuntu-latest
-    if: ${{ github.repository_owner == 'spring-projects' }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@v2
-        with:
-          java-version: 17
-          distribution: temurin
-      - name: Check samples project
-        env:
-          LOCAL_REPOSITORY_PATH: ${{ github.workspace }}/build/publications/repos
-          SAMPLES_DIR: ../spring-security-samples
-        run: |
-          # Extract version from gradle.properties
-          version=$(cat gradle.properties | grep "version=" | awk -F'=' '{print $2}')
-          # Extract samplesBranch from gradle.properties
-          samples_branch=$(cat gradle.properties | grep "samplesBranch=" | awk -F'=' '{print $2}')
-          ./gradlew publishMavenJavaPublicationToLocalRepository
-          ./gradlew cloneRepository -PrepositoryName="spring-projects/spring-security-samples" -Pref="$samples_branch" -PcloneOutputDirectory="$SAMPLES_DIR"
-          ./gradlew --refresh-dependencies --project-dir "$SAMPLES_DIR" --init-script spring-security-ci.gradle -PlocalRepositoryPath="$LOCAL_REPOSITORY_PATH" -PspringSecurityVersion="$version" test integrationTest
   deploy-artifacts:
     name: Deploy Artifacts
-    needs: [ build, test, check-samples ]
+    needs: [ build, test]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@v1
     with:
       should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
     secrets: inherit
   deploy-docs:
     name: Deploy Docs
-    needs: [ build, test, check-samples ]
+    needs: [ build, test ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-docs.yml@v1
     with:
       should-deploy-docs: ${{ needs.build.outputs.should-deploy-artifacts }}
     secrets: inherit
   deploy-schema:
     name: Deploy Schema
-    needs: [ build, test, check-samples ]
+    needs: [ build, test ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@v1
     with:
       should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}

.github/workflows/dependabot-auto-merge-forward.yml

@@ -1,57 +0,0 @@
-name: Auto Merge Forward Dependabot Commits
-
-on:
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-concurrency:
-  group: dependabot-auto-merge-forward
-
-jobs:
-  get-supported-branches:
-    uses: spring-io/spring-security-release-tools/.github/workflows/retrieve-spring-supported-versions.yml@actions-v1
-    with:
-      project: spring-security
-      type: oss
-      repository_name: spring-projects/spring-security
-
-  auto-merge-forward-dependabot:
-    name: Auto Merge Forward Dependabot Commits
-    runs-on: ubuntu-latest
-    needs: [get-supported-branches]
-    permissions:
-      contents: write
-    steps:
-      - name: Checkout
-        id: checkout
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
-      - name: Setup GitHub User
-        id: setup-gh-user
-        run: |
-          git config user.name 'github-actions[bot]'
-          git config user.email 'github-actions[bot]@users.noreply.github.com'
-      - name: Run Auto Merge Forward
-        id: run-auto-merge-forward
-        uses: spring-io/spring-security-release-tools/.github/actions/auto-merge-forward@actions-v1
-        with:
-          branches: ${{ needs.get-supported-branches.outputs.supported_versions }},main
-          from-author: dependabot[bot]
-  notify_result:
-    name: Check for failures
-    needs: [ auto-merge-forward-dependabot ]
-    if: failure()
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-    steps:
-      - name: Send Slack message
-        uses: Gamesight/slack-workflow-status@v1.3.0
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
-          channel: '#spring-security-ci'
-          name: 'CI Notifier'

.github/workflows/gradle-wrapper-upgrade-execution.yml

@@ -4,7 +4,8 @@ on:
   schedule:
     - cron:  '0 2 * * *' # 2am UTC
   workflow_dispatch:
-
+permissions:
+  pull-requests: write
 jobs:
   upgrade_wrapper:
     name: Execution

.github/workflows/mark-duplicate-dependabot-prs.yml

@@ -1,45 +0,0 @@
-name: Mark Duplicate Dependabot PRs
-
-on:
-  pull_request:
-    types: [closed]
-
-jobs:
-  check_duplicate_prs:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.merged == true && github.event.pull_request.user.login == 'dependabot[bot]'
-    steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v4
-
-      - name: Extract Dependency Name from PR Title
-        id: extract
-        run: |
-          PR_TITLE="${{ github.event.pull_request.title }}"
-          DEPENDENCY_NAME=$(echo "$PR_TITLE" | awk -F ' from ' '{print $1}')
-          echo "dependency_name=$DEPENDENCY_NAME" >> $GITHUB_OUTPUT
-
-      - name: Find PRs
-        id: find_duplicates
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          PRS=$(gh pr list --search 'milestone:${{ github.event.pull_request.milestone.title }} is:merged in:title "${{ steps.extract.outputs.dependency_name }}"' --json number --jq 'map(.number) | join(",")')
-          echo "prs=$PRS" >> $GITHUB_OUTPUT
-
-      - name: Label Duplicate PRs
-        if: steps.find_duplicates.outputs.prs != ''
-        env:
-          PRS: ${{ steps.find_duplicates.outputs.prs }}
-          CURRENT_PR_NUMBER: ${{ github.event.pull_request.number }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        shell: bash
-        run: |
-          for i in ${PRS//,/ }
-          do
-            if [ ! $i -eq "$CURRENT_PR_NUMBER" ]; then
-              echo "Marking PR $i as duplicate"
-              gh pr edit "$i" --add-label "status: duplicate"
-              gh pr comment "$i" --body "Duplicate of #$CURRENT_PR_NUMBER"
-            fi
-          done

.github/workflows/merge-dependabot-pr.yml

@@ -1,63 +0,0 @@
-name: Merge Dependabot PR
-
-on: pull_request_target
-
-run-name: Merge Dependabot PR ${{ github.ref_name }}
-
-permissions: write-all
-
-jobs:
-  merge-dependabot-pr:
-    name: Merge Dependabot PR
-    runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'spring-projects/spring-security' }}
-    steps:
-
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 17
-
-      - name: Set Milestone to Dependabot Pull Request
-        id: set-milestone
-        run: |
-          if test -f pom.xml
-          then
-            CURRENT_VERSION=$(mvn help:evaluate -Dexpression="project.version" -q -DforceStdout)
-          else
-            CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
-          fi
-          export CANDIDATE_VERSION=${CURRENT_VERSION/-SNAPSHOT}
-          MILESTONE=$(gh api repos/$GITHUB_REPOSITORY/milestones --jq 'map(select(.due_on != null and (.title | startswith(env.CANDIDATE_VERSION)))) | .[0] | .title')
-          
-          if [ -z $MILESTONE ]
-          then
-            gh run cancel ${{ github.run_id }}
-            echo "::warning title=Cannot merge::No scheduled milestone for $CURRENT_VERSION version"
-          else
-            gh pr edit ${{ github.event.pull_request.number }} --milestone $MILESTONE
-            echo mergeEnabled=true >> $GITHUB_OUTPUT
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Merge Dependabot pull request
-        if: steps.set-milestone.outputs.mergeEnabled
-        run: gh pr merge ${{ github.event.pull_request.number }} --auto --rebase
-        env:
-          GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
-  send-notification:
-    name: Send Notification
-    needs: [ merge-dependabot-pr ]
-    if: ${{ failure() || cancelled() }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Send Notification
-        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
-        with:
-          webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.github/workflows/release-scheduler.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       matrix:
         # List of active maintenance branches.
-        branch: [ main, 6.4.x, 6.3.x ]
+        branch: [ main, 6.5.x, 6.4.x, 6.3.x ]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

.github/workflows/trigger-dependabot-auto-merge-forward.yml

@@ -1,22 +0,0 @@
-name: Trigger Dependabot Auto Merge Forward
-
-on:
-  push:
-    branches:
-      - '*.x'
-
-permissions: read-all
-
-jobs:
-  trigger-worflow:
-    name: Trigger Workflow
-    runs-on: ubuntu-latest
-    if: ${{ github.event.commits[0].author.username == 'dependabot[bot]' && github.repository == 'spring-projects/spring-security' }}
-    steps:
-      - name: Checkout
-        id: checkout
-        uses: actions/checkout@v4
-      - id: trigger
-        env:
-          GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
-        run: gh workflow run dependabot-auto-merge-forward.yml -r main

.github/workflows/update-antora-ui-spring.yml

@@ -18,7 +18,7 @@ jobs:
       matrix:
         branch: [ '5.8.x', '6.2.x', '6.3.x', 'main' ]
     steps:
-      - uses: spring-io/spring-doc-actions/update-antora-spring-ui@852920ba3fb1f28b35a2f13201133bc00ef33677
+      - uses: spring-io/spring-doc-actions/update-antora-spring-ui@e28269199d1d27975cf7f65e16d6095c555b3cd0
         name: Update
         with:
           docs-branch: ${{ matrix.branch }}
@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Update on docs-build
     steps:
-      - uses: spring-io/spring-doc-actions/update-antora-spring-ui@852920ba3fb1f28b35a2f13201133bc00ef33677
+      - uses: spring-io/spring-doc-actions/update-antora-spring-ui@e28269199d1d27975cf7f65e16d6095c555b3cd0
         name: Update
         with:
           docs-branch: 'docs-build'

.github/workflows/update-dependabot.yml

@@ -1,36 +0,0 @@
-name: Update dependabot.yml
-
-on:
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-
-  get-supported-branches:
-    uses: spring-io/spring-security-release-tools/.github/workflows/retrieve-spring-supported-versions.yml@actions-v1
-    with:
-      project: spring-security
-      type: oss
-      repository_name: spring-projects/spring-security
-
-  main:
-    runs-on: ubuntu-latest
-    needs: [get-supported-branches]
-    if: ${{ (github.repository == 'spring-projects/spring-security') && (github.ref == 'refs/heads/main') }}
-    permissions:
-      contents: write
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-      - uses: spring-io/spring-security-release-tools/.github/actions/generate-dependabot-yml@actions-v1
-        name: Update dependabot.yml
-        with:
-          gradle-branches: ${{ needs.get-supported-branches.outputs.supported_versions }},main
-          github-actions-branches: ${{ needs.get-supported-branches.outputs.supported_versions }},main,docs-build
-          gh-token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: stefanzweifel/git-auto-commit-action@v5
-        with:
-          commit_message: Update dependabot.yml

CONTRIBUTING.adoc

@@ -79,7 +79,10 @@ See https://github.com/spring-projects/spring-security/tree/main#building-from-s
 
 The wiki pages https://github.com/spring-projects/spring-framework/wiki/Code-Style[Code Style] and https://github.com/spring-projects/spring-framework/wiki/IntelliJ-IDEA-Editor-Settings[IntelliJ IDEA Editor Settings] define the source file coding standards we use along with some IDEA editor settings we customize.
 
-To format the code as well as check the style, run `./gradlew format check`.
+Additionally, since Streams are https://github.com/spring-projects/spring-security/issues/7154[much slower] than `for` loops, please use them judiciously.
+The team may ask you to change to a `for` loop if the given code is along a hot path.
+
+To format the code as well as check the style, run `./gradlew format && ./gradlew check`.
 
 [[submit-a-pull-request]]
 === Submit a Pull Request
@@ -104,7 +107,7 @@ If this is for an issue, consider a branch name with the issue number, like `gh-
 6. [[update-copyright]] In all files you edited, if the copyright header is of the form 2002-20xx, update the final copyright year to the current year.
 7. [[add-since]] If on `main`, add `@since` JavaDoc attributes to new public APIs that your PR adds
 8. [[change-rnc]] If you are updating the XSD, please instead update the RNC file and then run `./gradlew :spring-security-config:rncToXsd`.
-9. [[format-code]] For each commit, build the code using `./gradlew format check`.
+9. [[format-code]] For each commit, build the code using `./gradlew format && ./gradlew check`.
 This command ensures the code meets most of <<code-style,the style guide>>; a notable exception is import order.
 10. [[commit-atomically]] Choose the granularity of your commits consciously and squash commits that represent
 multiple edits or corrections of the same logical change.

acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java

@@ -96,7 +96,11 @@ import org.springframework.util.StringUtils;
  * All comparisons and prefixes are case sensitive.
  *
  * @author Ben Alex
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PreAuthorize("hasPermission(#id, ObjectsReturnType.class, read)")}
  */
+@Deprecated
 public class AclEntryVoter extends AbstractAclVoter {
 
 	private static final Log logger = LogFactory.getLog(AclEntryVoter.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/AbstractAclProvider.java

@@ -20,6 +20,7 @@ import java.util.List;
 
 import org.springframework.security.access.AfterInvocationProvider;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.acls.AclPermissionEvaluator;
 import org.springframework.security.acls.domain.ObjectIdentityRetrievalStrategyImpl;
 import org.springframework.security.acls.domain.SidRetrievalStrategyImpl;
 import org.springframework.security.acls.model.Acl;
@@ -39,7 +40,11 @@ import org.springframework.util.ObjectUtils;
  * services.
  *
  * @author Ben Alex
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PostAuthorize("hasPermission(filterObject, read)")}
  */
+@Deprecated
 public abstract class AbstractAclProvider implements AfterInvocationProvider {
 
 	protected final AclService aclService;

acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java

@@ -26,6 +26,7 @@ import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AuthorizationServiceException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.acls.AclPermissionEvaluator;
 import org.springframework.security.acls.model.AclService;
 import org.springframework.security.acls.model.Permission;
 import org.springframework.security.core.Authentication;
@@ -62,7 +63,11 @@ import org.springframework.security.core.Authentication;
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PostFilter("hasPermission(filterObject, read)")}
  */
+@Deprecated
 public class AclEntryAfterInvocationCollectionFilteringProvider extends AbstractAclProvider {
 
 	protected static final Log logger = LogFactory.getLog(AclEntryAfterInvocationCollectionFilteringProvider.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java

@@ -27,6 +27,7 @@ import org.springframework.context.MessageSourceAware;
 import org.springframework.context.support.MessageSourceAccessor;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.acls.AclPermissionEvaluator;
 import org.springframework.security.acls.model.AclService;
 import org.springframework.security.acls.model.Permission;
 import org.springframework.security.core.Authentication;
@@ -59,7 +60,12 @@ import org.springframework.security.core.SpringSecurityMessageSource;
  * granted and <code>null</code> will be returned.
  * <p>
  * All comparisons and prefixes are case sensitive.
+ *
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PostAuthorize("hasPermission(filterObject, read)")}
  */
+@Deprecated
 public class AclEntryAfterInvocationProvider extends AbstractAclProvider implements MessageSourceAware {
 
 	protected static final Log logger = LogFactory.getLog(AclEntryAfterInvocationProvider.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/ArrayFilterer.java

@@ -32,7 +32,9 @@ import org.springframework.core.log.LogMessage;
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please see {@code PostFilter}
  */
+@Deprecated
 class ArrayFilterer<T> implements Filterer<T> {
 
 	protected static final Log logger = LogFactory.getLog(ArrayFilterer.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/CollectionFilterer.java

@@ -31,7 +31,9 @@ import org.springframework.core.log.LogMessage;
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please see {@code PostFilter}
  */
+@Deprecated
 class CollectionFilterer<T> implements Filterer<T> {
 
 	protected static final Log logger = LogFactory.getLog(CollectionFilterer.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/Filterer.java

@@ -23,7 +23,9 @@ import java.util.Iterator;
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please use {@code PreFilter} and {@code @PostFilter} instead
  */
+@Deprecated
 interface Filterer<T> extends Iterable<T> {
 
 	/**

acl/src/main/java/org/springframework/security/acls/jdbc/JdbcAclService.java

@@ -100,8 +100,8 @@ public class JdbcAclService implements AclService {
 	@Override
 	public List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
 		Object[] args = { parentIdentity.getIdentifier().toString(), parentIdentity.getType() };
-		List<ObjectIdentity> objects = this.jdbcOperations.query(this.findChildrenSql, args,
-				(rs, rowNum) -> mapObjectIdentityRow(rs));
+		List<ObjectIdentity> objects = this.jdbcOperations.query(this.findChildrenSql,
+				(rs, rowNum) -> mapObjectIdentityRow(rs), args);
 		return (!objects.isEmpty()) ? objects : null;
 	}
 

acl/src/main/java/org/springframework/security/acls/jdbc/JdbcMutableAclService.java

@@ -190,8 +190,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @return the primary key or null if not found
 	 */
 	protected Long createOrRetrieveClassPrimaryKey(String type, boolean allowCreate, Class idType) {
-		List<Long> classIds = this.jdbcOperations.queryForList(this.selectClassPrimaryKey, new Object[] { type },
-				Long.class);
+		List<Long> classIds = this.jdbcOperations.queryForList(this.selectClassPrimaryKey, Long.class, type);
 
 		if (!classIds.isEmpty()) {
 			return classIds.get(0);
@@ -242,8 +241,8 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @return the primary key or null if not found
 	 */
 	protected Long createOrRetrieveSidPrimaryKey(String sidName, boolean sidIsPrincipal, boolean allowCreate) {
-		List<Long> sidIds = this.jdbcOperations.queryForList(this.selectSidPrimaryKey,
-				new Object[] { sidIsPrincipal, sidName }, Long.class);
+		List<Long> sidIds = this.jdbcOperations.queryForList(this.selectSidPrimaryKey, Long.class, sidIsPrincipal,
+				sidName);
 		if (!sidIds.isEmpty()) {
 			return sidIds.get(0);
 		}

acl/src/test/java/org/springframework/security/acls/jdbc/JdbcAclServiceTests.java

@@ -109,7 +109,7 @@ public class JdbcAclServiceTests {
 		List<ObjectIdentity> result = new ArrayList<>();
 		result.add(new ObjectIdentityImpl(Object.class, "5577"));
 		Object[] args = { "1", "org.springframework.security.acls.jdbc.JdbcAclServiceTests$MockLongIdDomainObject" };
-		given(this.jdbcOperations.query(anyString(), eq(args), any(RowMapper.class))).willReturn(result);
+		given(this.jdbcOperations.query(anyString(), any(RowMapper.class), eq(args))).willReturn(result);
 		ObjectIdentity objectIdentity = new ObjectIdentityImpl(MockLongIdDomainObject.class, 1L);
 		List<ObjectIdentity> objectIdentities = this.aclService.findChildren(objectIdentity);
 		assertThat(objectIdentities).hasSize(1);

aspects/src/test/java/org/springframework/security/authorization/method/aspectj/PreAuthorizeAspectTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -144,7 +144,7 @@ public class PreAuthorizeAspectTests {
 		protected void protectedMethod() {
 		}
 
-		@PreAuthorize("hasRole('X')")
+		@PreAuthorize("hasRole('A')")
 		void publicCallsPrivate() {
 			privateMethod();
 		}

build.gradle

@@ -124,7 +124,7 @@ wrapperUpgrade {
 	gradle {
 		'spring-security' {
 			repo = 'spring-projects/spring-security'
-			baseBranch = '6.2.x' // runs only on 6.2.x and the update is merged forward to main
+			baseBranch = '6.3.x' // runs only on 6.3.x and the update is merged forward to main
 		}
 	}
 }

buildSrc/src/main/groovy/io/spring/gradle/convention/ManagementConfigurationPlugin.java

@@ -61,7 +61,7 @@ public class ManagementConfigurationPlugin implements Plugin<Project> {
 				PublishingExtension publishing = project.getExtensions().getByType(PublishingExtension.class);
 				publishing.getPublications().withType(MavenPublication.class, (mavenPublication -> {
 					mavenPublication.versionMapping((versions) ->
-							versions.allVariants(versionMapping -> versionMapping.fromResolutionResult())
+							versions.allVariants((versionMapping) -> versionMapping.fromResolutionResult())
 					);
 				}));
 			});
@@ -71,4 +71,4 @@ public class ManagementConfigurationPlugin implements Plugin<Project> {
 			}));
 		});
 	}
-}
+}

buildSrc/src/main/groovy/io/spring/gradle/convention/RepositoryConventionPlugin.groovy

@@ -80,6 +80,11 @@ class RepositoryConventionPlugin implements Plugin<Project> {
 				}
 				url = 'https://repo.spring.io/release/'
 			}
+			forceMavenRepositories.findAll { it.startsWith('https://') || it.startsWith('file://') }.each { mavenUrl ->
+				maven {
+					url mavenUrl
+				}
+			}
 		}
 	}
 

buildSrc/src/main/groovy/io/spring/gradle/convention/SchemaZipPlugin.groovy

@@ -32,10 +32,13 @@ public class SchemaZipPlugin implements Plugin<Project> {
 				for (def key : schemas.keySet()) {
 					def shortName = key.replaceAll(/http.*schema.(.*).spring-.*/, '$1')
 					assert shortName != key
+					def schemaResourceName = schemas.get(key)
 					File xsdFile = module.sourceSets.main.resources.find {
-						it.path.endsWith(schemas.get(key))
+						it.path.endsWith(schemaResourceName)
+					}
+					if (xsdFile == null) {
+						throw new IllegalStateException("Could not find schema file for resource name " + schemaResourceName + " in src/main/resources")
 					}
-					assert xsdFile != null
 					schemaZip.into (shortName) {
 						duplicatesStrategy 'exclude'
 						from xsdFile.path

buildSrc/src/main/java/org/springframework/gradle/classpath/CheckClasspathForProhibitedDependencies.java

@@ -81,9 +81,6 @@ public class CheckClasspathForProhibitedDependencies extends DefaultTask {
 		if (group.startsWith("javax")) {
 			return true;
 		}
-		if (group.equals("commons-logging")) {
-			return true;
-		}
 		if (group.equals("org.slf4j") && id.getName().equals("jcl-over-slf4j")) {
 			return true;
 		}

buildSrc/src/main/java/org/springframework/security/CheckExpectedBranchVersionPlugin.java

@@ -46,7 +46,7 @@ public class CheckExpectedBranchVersionPlugin implements Plugin<Project> {
 			task.setDescription("Check if the project version matches the branch version");
 			task.onlyIf("skipCheckExpectedBranchVersion property is false or not present", CheckExpectedBranchVersionPlugin::skipPropertyFalseOrNotPresent);
 			task.getVersion().convention(project.provider(() -> project.getVersion().toString()));
-			task.getBranchName().convention(project.getProviders().exec(execSpec -> execSpec.setCommandLine("git", "symbolic-ref", "--short", "HEAD")).getStandardOutput().getAsText());
+			task.getBranchName().convention(project.getProviders().exec((execSpec) -> execSpec.setCommandLine("git", "symbolic-ref", "--short", "HEAD")).getStandardOutput().getAsText());
 			task.getOutputFile().convention(project.getLayout().getBuildDirectory().file("check-expected-branch-version"));
 		});
 		project.getTasks().named(JavaBasePlugin.CHECK_TASK_NAME, checkTask -> checkTask.dependsOn(checkExpectedBranchVersionTask));

cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java

@@ -51,6 +51,7 @@ import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.savedrequest.SavedRequest;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -215,6 +216,8 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 
 	public CasAuthenticationFilter() {
 		super("/login/cas");
+		RequestMatcher processUri = PathPatternRequestMatcher.withDefaults().matcher("/login/cas");
+		setRequiresAuthenticationRequestMatcher(processUri);
 		setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
 		setSecurityContextRepository(this.securityContextRepository);
 	}
@@ -319,6 +322,18 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 		super.setAuthenticationFailureHandler(new CasAuthenticationFailureHandler(failureHandler));
 	}
 
+	/**
+	 * Use this {@code RequestMatcher} to match proxy receptor requests. Without setting
+	 * this matcher, {@link CasAuthenticationFilter} will not capture any proxy receptor
+	 * requets.
+	 * @param proxyReceptorMatcher the {@link RequestMatcher} to use
+	 * @since 6.5
+	 */
+	public final void setProxyReceptorMatcher(RequestMatcher proxyReceptorMatcher) {
+		Assert.notNull(proxyReceptorMatcher, "proxyReceptorMatcher cannot be null");
+		this.proxyReceptorMatcher = proxyReceptorMatcher;
+	}
+
 	public final void setProxyReceptorUrl(final String proxyReceptorUrl) {
 		this.proxyReceptorMatcher = new AntPathRequestMatcher("/**" + proxyReceptorUrl);
 	}

cas/src/test/java/org/springframework/security/cas/web/CasAuthenticationFilterTests.java

@@ -43,6 +43,7 @@ import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -78,7 +79,7 @@ public class CasAuthenticationFilterTests {
 
 	@Test
 	public void testNormalOperation() throws Exception {
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/login/cas");
 		request.setServletPath("/login/cas");
 		request.addParameter("ticket", "ST-0-ER94xMJmn6pha35CQRoZ");
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
@@ -103,7 +104,7 @@ public class CasAuthenticationFilterTests {
 		String url = "/login/cas";
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
 		filter.setFilterProcessesUrl(url);
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", url);
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		request.setServletPath(url);
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
@@ -132,10 +133,11 @@ public class CasAuthenticationFilterTests {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
 		filter.setFilterProcessesUrl(url);
 		filter.setServiceProperties(properties);
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", url);
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		request.setServletPath(url);
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
+		request = new MockHttpServletRequest("POST", "/other");
 		request.setServletPath("/other");
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 		request.setParameter(properties.getArtifactParameter(), "value");
@@ -170,7 +172,7 @@ public class CasAuthenticationFilterTests {
 		given(manager.authenticate(any(Authentication.class))).willReturn(authentication);
 		ServiceProperties serviceProperties = new ServiceProperties();
 		serviceProperties.setAuthenticateAllArtifacts(true);
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/authenticate");
 		request.setParameter("ticket", "ST-1-123");
 		request.setServletPath("/authenticate");
 		MockHttpServletResponse response = new MockHttpServletResponse();
@@ -266,4 +268,20 @@ public class CasAuthenticationFilterTests {
 		verify(securityContextRepository).setContext(any(SecurityContext.class));
 	}
 
+	@Test
+	public void requiresAuthenticationWhenProxyRequestMatcherThenMatches() {
+		CasAuthenticationFilter filter = new CasAuthenticationFilter();
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/pgtCallback");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setServletPath("/pgtCallback");
+		assertThat(filter.requiresAuthentication(request, response)).isFalse();
+		filter.setProxyReceptorMatcher(PathPatternRequestMatcher.withDefaults().matcher(request.getServletPath()));
+		assertThat(filter.requiresAuthentication(request, response)).isFalse();
+		filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
+		assertThat(filter.requiresAuthentication(request, response)).isTrue();
+		request.setRequestURI("/other");
+		request.setServletPath("/other");
+		assertThat(filter.requiresAuthentication(request, response)).isFalse();
+	}
+
 }

config/spring-security-config.gradle

@@ -78,12 +78,6 @@ dependencies {
 		exclude group: 'commons-logging', module: 'commons-logging'
 		exclude group: 'xml-apis', module: 'xml-apis'
 	}
-	testImplementation "org.apache.directory.server:apacheds-core"
-	testImplementation "org.apache.directory.server:apacheds-core-entry"
-	testImplementation "org.apache.directory.server:apacheds-protocol-shared"
-	testImplementation "org.apache.directory.server:apacheds-protocol-ldap"
-	testImplementation "org.apache.directory.server:apacheds-server-jndi"
-	testImplementation 'org.apache.directory.shared:shared-ldap'
 	testImplementation "com.unboundid:unboundid-ldapsdk"
 	testImplementation 'jakarta.persistence:jakarta.persistence-api'
 	testImplementation "org.hibernate.orm:hibernate-core"
@@ -127,6 +121,7 @@ dependencies {
 
 	testRuntimeOnly 'org.hsqldb:hsqldb'
 	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+	testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine'
 }
 
 def rncToXsd = tasks.named('rncToXsd', RncToXsd)

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java

@@ -44,7 +44,7 @@ import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMap
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
-import org.springframework.security.ldap.server.ApacheDSContainer;
+import org.springframework.security.ldap.server.UnboundIdContainer;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.test.web.servlet.MockMvc;
@@ -326,11 +326,11 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests {
 	abstract static class BaseLdapServerConfig extends BaseLdapProviderConfig {
 
 		@Bean
-		ApacheDSContainer ldapServer() throws Exception {
-			ApacheDSContainer apacheDSContainer = new ApacheDSContainer("dc=springframework,dc=org",
+		UnboundIdContainer ldapServer() throws Exception {
+			UnboundIdContainer unboundIdContainer = new UnboundIdContainer("dc=springframework,dc=org",
 					"classpath:/test-server.ldif");
-			apacheDSContainer.setPort(getPort());
-			return apacheDSContainer;
+			unboundIdContainer.setPort(getPort());
+			return unboundIdContainer;
 		}
 
 	}

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/HelloRSocketITests.java

@@ -74,8 +74,7 @@ public class HelloRSocketITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/HelloRSocketObservationITests.java

@@ -87,8 +87,7 @@ public class HelloRSocketObservationITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/HelloRSocketWithWebFluxITests.java

@@ -74,8 +74,7 @@ public class HelloRSocketWithWebFluxITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/JwtITests.java

@@ -86,8 +86,7 @@ public class JwtITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 			.payloadDecoder(PayloadDecoder.ZERO_COPY)
-			.interceptors((registry) ->
-				registry.forSocketAcceptor(this.interceptor)
+			.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 			)
 			.acceptor(this.handler.responder())
 			.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/RSocketMessageHandlerConnectionITests.java

@@ -81,8 +81,7 @@ public class RSocketMessageHandlerConnectionITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/RSocketMessageHandlerITests.java

@@ -79,8 +79,7 @@ public class RSocketMessageHandlerITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/SimpleAuthenticationITests.java

@@ -79,8 +79,7 @@ public class SimpleAuthenticationITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) ->
-					registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/ldap/LdapBindAuthenticationManagerFactoryITests.java

@@ -43,7 +43,7 @@ import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMap
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
-import org.springframework.security.ldap.server.ApacheDSContainer;
+import org.springframework.security.ldap.server.UnboundIdContainer;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
@@ -226,18 +226,18 @@ public class LdapBindAuthenticationManagerFactoryITests {
 	@EnableWebSecurity
 	abstract static class BaseLdapServerConfig implements DisposableBean {
 
-		private ApacheDSContainer container;
+		private UnboundIdContainer container;
 
 		@Bean
-		ApacheDSContainer ldapServer() throws Exception {
-			this.container = new ApacheDSContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
+		UnboundIdContainer ldapServer() {
+			this.container = new UnboundIdContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
 			this.container.setPort(0);
 			return this.container;
 		}
 
 		@Bean
-		BaseLdapPathContextSource contextSource(ApacheDSContainer container) {
-			int port = container.getLocalPort();
+		BaseLdapPathContextSource contextSource(UnboundIdContainer container) {
+			int port = container.getPort();
 			return new DefaultSpringSecurityContextSource("ldap://localhost:" + port + "/dc=springframework,dc=org");
 		}
 

config/src/integration-test/java/org/springframework/security/config/ldap/LdapPasswordComparisonAuthenticationManagerFactoryITests.java

@@ -31,7 +31,7 @@ import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
-import org.springframework.security.ldap.server.ApacheDSContainer;
+import org.springframework.security.ldap.server.UnboundIdContainer;
 import org.springframework.test.web.servlet.MockMvc;
 
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
@@ -93,18 +93,18 @@ public class LdapPasswordComparisonAuthenticationManagerFactoryITests {
 	@EnableWebSecurity
 	abstract static class BaseLdapServerConfig implements DisposableBean {
 
-		private ApacheDSContainer container;
+		private UnboundIdContainer container;
 
 		@Bean
-		ApacheDSContainer ldapServer() throws Exception {
-			this.container = new ApacheDSContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
+		UnboundIdContainer ldapServer() {
+			this.container = new UnboundIdContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
 			this.container.setPort(0);
 			return this.container;
 		}
 
 		@Bean
-		BaseLdapPathContextSource contextSource(ApacheDSContainer container) {
-			int port = container.getLocalPort();
+		BaseLdapPathContextSource contextSource(UnboundIdContainer container) {
+			int port = container.getPort();
 			return new DefaultSpringSecurityContextSource("ldap://localhost:" + port + "/dc=springframework,dc=org");
 		}
 

config/src/integration-test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java

@@ -56,7 +56,7 @@ public class LdapProviderBeanDefinitionParserTests {
 		AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER,
 				AuthenticationManager.class);
 		Authentication auth = authenticationManager
-			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"));
+			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("otherben", "otherbenspassword"));
 		UserDetails ben = (UserDetails) auth.getPrincipal();
 		assertThat(ben.getAuthorities()).hasSize(3);
 	}
@@ -127,6 +127,27 @@ public class LdapProviderBeanDefinitionParserTests {
 		assertThat(auth).isNotNull();
 	}
 
+	@Test
+	public void supportsShaPasswordEncoder() {
+		this.appCtx = new InMemoryXmlApplicationContext("""
+				<ldap-server ldif='classpath:test-server.ldif' port='0'/>
+				<authentication-manager>
+					<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>
+						<password-compare>
+							<password-encoder ref='pe' />
+						</password-compare>
+					</ldap-authentication-provider>
+				</authentication-manager>
+				<b:bean id='pe' class='org.springframework.security.crypto.password.LdapShaPasswordEncoder' />
+				""");
+		AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER,
+				AuthenticationManager.class);
+		Authentication auth = authenticationManager
+			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"));
+
+		assertThat(auth).isNotNull();
+	}
+
 	@Test
 	public void inetOrgContextMapperIsSupported() {
 		this.appCtx = new InMemoryXmlApplicationContext(

config/src/integration-test/java/org/springframework/security/config/ldap/LdapServerBeanDefinitionParserTests.java

@@ -26,7 +26,7 @@ import org.springframework.ldap.core.LdapTemplate;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
-import org.springframework.security.ldap.server.ApacheDSContainer;
+import org.springframework.security.ldap.server.UnboundIdContainer;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -92,9 +92,9 @@ public class LdapServerBeanDefinitionParserTests {
 	@Test
 	public void defaultLdifFileIsSuccessful() {
 		this.appCtx = new InMemoryXmlApplicationContext("<ldap-server/>");
-		ApacheDSContainer dsContainer = this.appCtx.getBean(ApacheDSContainer.class);
+		UnboundIdContainer dsContainer = this.appCtx.getBean(UnboundIdContainer.class);
 
-		assertThat(ReflectionTestUtils.getField(dsContainer, "ldifResources")).isEqualTo("classpath*:*.ldif");
+		assertThat(ReflectionTestUtils.getField(dsContainer, "ldif")).isEqualTo("classpath*:*.ldif");
 	}
 
 	private int getDefaultPort() throws IOException {

config/src/integration-test/resources/logback-test.xml

@@ -7,7 +7,6 @@
 
 	<logger name="org.springframework.security" level="${sec.log.level:-WARN}"/>
 
-	<logger name="org.apache.directory" level="ERROR"/>
 	<logger name="JdbmTable" level="INFO"/>
 	<logger name="JdbmIndex" level="INFO"/>
 	<logger name="org.apache.mina" level="WARN"/>

config/src/main/java/org/springframework/security/config/BeanIds.java

@@ -54,8 +54,6 @@ public abstract class BeanIds {
 
 	public static final String METHOD_SECURITY_METADATA_SOURCE_ADVISOR = PREFIX + "methodSecurityMetadataSourceAdvisor";
 
-	public static final String EMBEDDED_APACHE_DS = PREFIX + "apacheDirectoryServerContainer";
-
 	public static final String EMBEDDED_UNBOUNDID = PREFIX + "unboundidServerContainer";
 
 	public static final String CONTEXT_SOURCE = PREFIX + "securityContextSource";

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -96,7 +96,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 			pc.getReaderContext()
 				.fatal("You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or "
 						+ "spring-security-3.1.xsd schema or spring-security-3.2.xsd schema or spring-security-4.0.xsd schema "
-						+ "with Spring Security 6.5. Please update your schema declarations to the 6.5 schema.",
+						+ "with Spring Security 7.0. Please update your schema declarations to the 7.0 schema.",
 						element);
 		}
 		String name = pc.getDelegate().getLocalName(element);
@@ -221,7 +221,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 
 	private boolean matchesVersionInternal(Element element) {
 		String schemaLocation = element.getAttributeNS("http://www.w3.org/2001/XMLSchema-instance", "schemaLocation");
-		return schemaLocation.matches("(?m).*spring-security-6\\.5.*.xsd.*")
+		return schemaLocation.matches("(?m).*spring-security-7\\.0.*.xsd.*")
 				|| schemaLocation.matches("(?m).*spring-security.xsd.*")
 				|| !schemaLocation.matches("(?m).*spring-security.*");
 	}

config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java

@@ -50,17 +50,6 @@ public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>
 	public void configure(B builder) throws Exception {
 	}
 
-	/**
-	 * Return the {@link SecurityBuilder} when done using the {@link SecurityConfigurer}.
-	 * This is useful for method chaining.
-	 * @return the {@link SecurityBuilder} for further customizations
-	 * @deprecated For removal in 7.0. Use the lambda based configuration instead.
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public B and() {
-		return getBuilder();
-	}
-
 	/**
 	 * Gets the {@link SecurityBuilder}. Cannot be null.
 	 * @return the {@link SecurityBuilder}

config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java

@@ -67,9 +67,7 @@ public class AuthenticationManagerBuilder
 
 	/**
 	 * Creates a new instance
-	 * @param objectPostProcessor the
-	 * {@link org.springframework.security.config.annotation.ObjectPostProcessor} instance
-	 * to use.
+	 * @param objectPostProcessor the {@link ObjectPostProcessor} instance to use.
 	 */
 	public AuthenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
 		super(objectPostProcessor, true);

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java

@@ -25,7 +25,6 @@ import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
-import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
@@ -38,7 +37,6 @@ import org.springframework.security.ldap.authentication.LdapAuthenticator;
 import org.springframework.security.ldap.authentication.PasswordComparisonAuthenticator;
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 import org.springframework.security.ldap.search.LdapUserSearch;
-import org.springframework.security.ldap.server.ApacheDSContainer;
 import org.springframework.security.ldap.server.UnboundIdContainer;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper;
@@ -61,12 +59,8 @@ import org.springframework.util.ClassUtils;
 public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuilder<B>>
 		extends SecurityConfigurerAdapter<AuthenticationManager, B> {
 
-	private static final String APACHEDS_CLASSNAME = "org.apache.directory.server.core.DefaultDirectoryService";
-
 	private static final String UNBOUNDID_CLASSNAME = "com.unboundid.ldap.listener.InMemoryDirectoryServer";
 
-	private static final boolean apacheDsPresent;
-
 	private static final boolean unboundIdPresent;
 
 	private String groupRoleAttribute = "cn";
@@ -101,7 +95,6 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 
 	static {
 		ClassLoader classLoader = LdapAuthenticationProviderConfigurer.class.getClassLoader();
-		apacheDsPresent = ClassUtils.isPresent(APACHEDS_CLASSNAME, classLoader);
 		unboundIdPresent = ClassUtils.isPresent(UNBOUNDID_CLASSNAME, classLoader);
 	}
 
@@ -133,7 +126,7 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 	/**
 	 * Adds an {@link ObjectPostProcessor} for this class.
 	 * @param objectPostProcessor
-	 * @return the {@link ChannelSecurityConfigurer} for further customizations
+	 * @return the {@link LdapAuthenticationProviderConfigurer} for further customizations
 	 */
 	public LdapAuthenticationProviderConfigurer<B> withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor) {
 		addObjectPostProcessor(objectPostProcessor);
@@ -393,6 +386,10 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 		return this;
 	}
 
+	public B and() {
+		return getBuilder();
+	}
+
 	@Override
 	public void configure(B builder) throws Exception {
 		LdapAuthenticationProvider provider = postProcess(build());
@@ -468,8 +465,6 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 	 */
 	public final class ContextSourceBuilder {
 
-		private static final String APACHEDS_CLASSNAME = "org.apache.directory.server.core.DefaultDirectoryService";
-
 		private static final String UNBOUNDID_CLASSNAME = "com.unboundid.ldap.listener.InMemoryDirectoryServer";
 
 		private static final int DEFAULT_PORT = 33389;
@@ -585,14 +580,8 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 			return contextSource;
 		}
 
-		private void startEmbeddedLdapServer() throws Exception {
-			if (apacheDsPresent) {
-				ApacheDSContainer apacheDsContainer = new ApacheDSContainer(this.root, this.ldif);
-				apacheDsContainer.setPort(getPort());
-				postProcess(apacheDsContainer);
-				this.port = apacheDsContainer.getLocalPort();
-			}
-			else if (unboundIdPresent) {
+		private void startEmbeddedLdapServer() {
+			if (unboundIdPresent) {
 				UnboundIdContainer unboundIdContainer = new UnboundIdContainer(this.root, this.ldif);
 				unboundIdContainer.setPort(getPort());
 				postProcess(unboundIdContainer);

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/provisioning/InMemoryUserDetailsManagerConfigurer.java

@@ -41,4 +41,8 @@ public class InMemoryUserDetailsManagerConfigurer<B extends ProviderManagerBuild
 		super(new InMemoryUserDetailsManager(new ArrayList<>()));
 	}
 
+	public B and() {
+		return getBuilder();
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyConfiguration.java

@@ -17,6 +17,7 @@
 package org.springframework.security.config.annotation.method.configuration;
 
 import java.util.ArrayList;
+import java.util.List;
 
 import org.aopalliance.intercept.MethodInterceptor;
 
@@ -31,6 +32,7 @@ import org.springframework.security.aot.hint.SecurityHintsRegistrar;
 import org.springframework.security.authorization.AuthorizationProxyFactory;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
+import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
 import org.springframework.security.authorization.method.AuthorizeReturnObjectMethodInterceptor;
 import org.springframework.security.config.Customizer;
 
@@ -40,21 +42,23 @@ final class AuthorizationProxyConfiguration implements AopInfrastructureBean {
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static AuthorizationAdvisorProxyFactory authorizationProxyFactory(
+			ObjectProvider<AuthorizationAdvisor> authorizationAdvisors, ObjectProvider<TargetVisitor> targetVisitors,
 			ObjectProvider<Customizer<AuthorizationAdvisorProxyFactory>> customizers) {
-		AuthorizationAdvisorProxyFactory factory = new AuthorizationAdvisorProxyFactory(new ArrayList<>());
+		List<AuthorizationAdvisor> advisors = new ArrayList<>();
+		authorizationAdvisors.forEach(advisors::add);
+		List<TargetVisitor> visitors = new ArrayList<>();
+		targetVisitors.orderedStream().forEach(visitors::add);
+		visitors.add(TargetVisitor.defaults());
+		AuthorizationAdvisorProxyFactory factory = new AuthorizationAdvisorProxyFactory(advisors);
+		factory.setTargetVisitor(TargetVisitor.of(visitors.toArray(TargetVisitor[]::new)));
 		customizers.forEach((c) -> c.customize(factory));
 		return factory;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	static MethodInterceptor authorizeReturnObjectMethodInterceptor(ObjectProvider<AuthorizationAdvisor> provider,
-			AuthorizationAdvisorProxyFactory authorizationProxyFactory) {
-		provider.forEach(authorizationProxyFactory::addAdvisor);
-		AuthorizeReturnObjectMethodInterceptor interceptor = new AuthorizeReturnObjectMethodInterceptor(
-				authorizationProxyFactory);
-		authorizationProxyFactory.addAdvisor(interceptor);
-		return interceptor;
+	static MethodInterceptor authorizeReturnObjectMethodInterceptor() {
+		return new AuthorizeReturnObjectMethodInterceptor();
 	}
 
 	@Bean

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyDataConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,13 +16,22 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
+import java.util.List;
+
 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Role;
+import org.springframework.core.Ordered;
+import org.springframework.data.domain.PageImpl;
+import org.springframework.data.domain.SliceImpl;
+import org.springframework.data.geo.GeoPage;
+import org.springframework.data.geo.GeoResult;
+import org.springframework.data.geo.GeoResults;
 import org.springframework.security.aot.hint.SecurityHintsRegistrar;
 import org.springframework.security.authorization.AuthorizationProxyFactory;
+import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar;
 
 @Configuration(proxyBeanMethods = false)
@@ -34,4 +43,45 @@ final class AuthorizationProxyDataConfiguration implements AopInfrastructureBean
 		return new AuthorizeReturnObjectDataHintsRegistrar(proxyFactory);
 	}
 
+	@Bean
+	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+	DataTargetVisitor dataTargetVisitor() {
+		return new DataTargetVisitor();
+	}
+
+	private static final class DataTargetVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor, Ordered {
+
+		private static final int DEFAULT_ORDER = 200;
+
+		@Override
+		public Object visit(AuthorizationAdvisorProxyFactory proxyFactory, Object target) {
+			if (target instanceof GeoResults<?> geoResults) {
+				return new GeoResults<>(proxyFactory.proxy(geoResults.getContent()), geoResults.getAverageDistance());
+			}
+			if (target instanceof GeoResult<?> geoResult) {
+				return new GeoResult<>(proxyFactory.proxy(geoResult.getContent()), geoResult.getDistance());
+			}
+			if (target instanceof GeoPage<?> geoPage) {
+				GeoResults<?> results = new GeoResults<>(proxyFactory.proxy(geoPage.getContent()),
+						geoPage.getAverageDistance());
+				return new GeoPage<>(results, geoPage.getPageable(), geoPage.getTotalElements());
+			}
+			if (target instanceof PageImpl<?> page) {
+				List<?> content = proxyFactory.proxy(page.getContent());
+				return new PageImpl<>(content, page.getPageable(), page.getTotalElements());
+			}
+			if (target instanceof SliceImpl<?> slice) {
+				List<?> content = proxyFactory.proxy(slice.getContent());
+				return new SliceImpl<>(content, slice.getPageable(), slice.hasNext());
+			}
+			return null;
+		}
+
+		@Override
+		public int getOrder() {
+			return DEFAULT_ORDER;
+		}
+
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyWebConfiguration.java

@@ -0,0 +1,114 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.method.configuration;
+
+import java.util.List;
+import java.util.Map;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Role;
+import org.springframework.core.Ordered;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
+import org.springframework.security.web.util.ThrowableAnalyzer;
+import org.springframework.web.servlet.HandlerExceptionResolver;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.View;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver;
+
+@Configuration
+class AuthorizationProxyWebConfiguration implements WebMvcConfigurer {
+
+	@Bean
+	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+	AuthorizationAdvisorProxyFactory.TargetVisitor webTargetVisitor() {
+		return new WebTargetVisitor();
+	}
+
+	@Override
+	public void extendHandlerExceptionResolvers(List<HandlerExceptionResolver> resolvers) {
+		for (int i = 0; i < resolvers.size(); i++) {
+			HandlerExceptionResolver resolver = resolvers.get(i);
+			if (resolver instanceof DefaultHandlerExceptionResolver) {
+				resolvers.add(i, new AccessDeniedExceptionResolver());
+				return;
+			}
+		}
+		resolvers.add(new AccessDeniedExceptionResolver());
+	}
+
+	static class WebTargetVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor, Ordered {
+
+		private static final int DEFAULT_ORDER = 100;
+
+		@Override
+		public Object visit(AuthorizationAdvisorProxyFactory proxyFactory, Object target) {
+			if (target instanceof ResponseEntity<?> entity) {
+				return new ResponseEntity<>(proxyFactory.proxy(entity.getBody()), entity.getHeaders(),
+						entity.getStatusCode());
+			}
+			if (target instanceof HttpEntity<?> entity) {
+				return new HttpEntity<>(proxyFactory.proxy(entity.getBody()), entity.getHeaders());
+			}
+			if (target instanceof ModelAndView mav) {
+				View view = mav.getView();
+				String viewName = mav.getViewName();
+				Map<String, Object> model = proxyFactory.proxy(mav.getModel());
+				ModelAndView proxied = (view != null) ? new ModelAndView(view, model)
+						: new ModelAndView(viewName, model);
+				proxied.setStatus(mav.getStatus());
+				return proxied;
+			}
+			return null;
+		}
+
+		@Override
+		public int getOrder() {
+			return DEFAULT_ORDER;
+		}
+
+	}
+
+	static class AccessDeniedExceptionResolver implements HandlerExceptionResolver {
+
+		final ThrowableAnalyzer throwableAnalyzer = new ThrowableAnalyzer();
+
+		@Override
+		public ModelAndView resolveException(HttpServletRequest request, HttpServletResponse response, Object handler,
+				Exception ex) {
+			Throwable[] causeChain = this.throwableAnalyzer.determineCauseChain(ex);
+			Throwable accessDeniedException = this.throwableAnalyzer
+				.getFirstThrowableOfType(AccessDeniedException.class, causeChain);
+			if (accessDeniedException != null) {
+				return new ModelAndView((model, req, res) -> {
+					throw ex;
+				});
+			}
+			return null;
+		}
+
+	}
+
+}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationAuthorizationManager.java

@@ -1,72 +0,0 @@
-/*
- * Copyright 2002-2022 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config.annotation.method.configuration;
-
-import java.util.function.Supplier;
-
-import io.micrometer.observation.ObservationRegistry;
-import org.aopalliance.intercept.MethodInvocation;
-
-import org.springframework.beans.factory.ObjectProvider;
-import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.AuthorizationManager;
-import org.springframework.security.authorization.AuthorizationResult;
-import org.springframework.security.authorization.ObservationAuthorizationManager;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.MethodInvocationResult;
-import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler;
-import org.springframework.security.core.Authentication;
-import org.springframework.util.function.SingletonSupplier;
-
-final class DeferringObservationAuthorizationManager<T>
-		implements AuthorizationManager<T>, MethodAuthorizationDeniedHandler {
-
-	private final Supplier<AuthorizationManager<T>> delegate;
-
-	private MethodAuthorizationDeniedHandler handler = new ThrowingMethodAuthorizationDeniedHandler();
-
-	DeferringObservationAuthorizationManager(ObjectProvider<ObservationRegistry> provider,
-			AuthorizationManager<T> delegate) {
-		this.delegate = SingletonSupplier.of(() -> {
-			ObservationRegistry registry = provider.getIfAvailable(() -> ObservationRegistry.NOOP);
-			if (registry.isNoop()) {
-				return delegate;
-			}
-			return new ObservationAuthorizationManager<>(registry, delegate);
-		});
-		if (delegate instanceof MethodAuthorizationDeniedHandler h) {
-			this.handler = h;
-		}
-	}
-
-	@Override
-	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
-		return this.delegate.get().check(authentication, object);
-	}
-
-	@Override
-	public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
-		return this.handler.handleDeniedInvocation(methodInvocation, authorizationResult);
-	}
-
-	@Override
-	public Object handleDeniedInvocationResult(MethodInvocationResult methodInvocationResult,
-			AuthorizationResult authorizationResult) {
-		return this.handler.handleDeniedInvocationResult(methodInvocationResult, authorizationResult);
-	}
-
-}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationReactiveAuthorizationManager.java

@@ -1,73 +0,0 @@
-/*
- * Copyright 2002-2023 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config.annotation.method.configuration;
-
-import java.util.function.Supplier;
-
-import io.micrometer.observation.ObservationRegistry;
-import org.aopalliance.intercept.MethodInvocation;
-import reactor.core.publisher.Mono;
-
-import org.springframework.beans.factory.ObjectProvider;
-import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.AuthorizationResult;
-import org.springframework.security.authorization.ObservationReactiveAuthorizationManager;
-import org.springframework.security.authorization.ReactiveAuthorizationManager;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.MethodInvocationResult;
-import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler;
-import org.springframework.security.core.Authentication;
-import org.springframework.util.function.SingletonSupplier;
-
-final class DeferringObservationReactiveAuthorizationManager<T>
-		implements ReactiveAuthorizationManager<T>, MethodAuthorizationDeniedHandler {
-
-	private final Supplier<ReactiveAuthorizationManager<T>> delegate;
-
-	private MethodAuthorizationDeniedHandler handler = new ThrowingMethodAuthorizationDeniedHandler();
-
-	DeferringObservationReactiveAuthorizationManager(ObjectProvider<ObservationRegistry> provider,
-			ReactiveAuthorizationManager<T> delegate) {
-		this.delegate = SingletonSupplier.of(() -> {
-			ObservationRegistry registry = provider.getIfAvailable(() -> ObservationRegistry.NOOP);
-			if (registry.isNoop()) {
-				return delegate;
-			}
-			return new ObservationReactiveAuthorizationManager<>(registry, delegate);
-		});
-		if (delegate instanceof MethodAuthorizationDeniedHandler h) {
-			this.handler = h;
-		}
-	}
-
-	@Override
-	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
-		return this.delegate.get().check(authentication, object);
-	}
-
-	@Override
-	public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
-		return this.handler.handleDeniedInvocation(methodInvocation, authorizationResult);
-	}
-
-	@Override
-	public Object handleDeniedInvocationResult(MethodInvocationResult methodInvocationResult,
-			AuthorizationResult authorizationResult) {
-		return this.handler.handleDeniedInvocationResult(methodInvocationResult, authorizationResult);
-	}
-
-}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,6 +41,9 @@ final class MethodSecuritySelector implements ImportSelector {
 	private static final boolean isDataPresent = ClassUtils
 		.isPresent("org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar", null);
 
+	private static final boolean isWebPresent = ClassUtils
+		.isPresent("org.springframework.web.servlet.DispatcherServlet", null);
+
 	private static final boolean isObservabilityPresent = ClassUtils
 		.isPresent("io.micrometer.observation.ObservationRegistry", null);
 
@@ -67,6 +70,9 @@ final class MethodSecuritySelector implements ImportSelector {
 		if (isDataPresent) {
 			imports.add(AuthorizationProxyDataConfiguration.class.getName());
 		}
+		if (isWebPresent) {
+			imports.add(AuthorizationProxyWebConfiguration.class.getName());
+		}
 		if (isObservabilityPresent) {
 			imports.add(MethodObservationConfiguration.class.getName());
 		}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -83,10 +83,11 @@ final class ReactiveAuthorizationManagerMethodSecurityConfiguration
 
 	private final AuthorizationManagerAfterReactiveMethodInterceptor postAuthorizeMethodInterceptor;
 
-	@Autowired(required = false)
-	ReactiveAuthorizationManagerMethodSecurityConfiguration(MethodSecurityExpressionHandler expressionHandler,
+	ReactiveAuthorizationManagerMethodSecurityConfiguration(
+			ObjectProvider<MethodSecurityExpressionHandler> expressionHandlers,
 			ObjectProvider<ObjectPostProcessor<ReactiveAuthorizationManager<MethodInvocation>>> preAuthorizePostProcessor,
 			ObjectProvider<ObjectPostProcessor<ReactiveAuthorizationManager<MethodInvocationResult>>> postAuthorizePostProcessor) {
+		MethodSecurityExpressionHandler expressionHandler = expressionHandlers.getIfUnique();
 		if (expressionHandler != null) {
 			this.preFilterMethodInterceptor = new PreFilterAuthorizationReactiveMethodInterceptor(expressionHandler);
 			this.preAuthorizeAuthorizationManager = new PreAuthorizeReactiveAuthorizationManager(expressionHandler);

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecuritySelector.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,6 +38,9 @@ class ReactiveMethodSecuritySelector implements ImportSelector {
 	private static final boolean isDataPresent = ClassUtils
 		.isPresent("org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar", null);
 
+	private static final boolean isWebPresent = ClassUtils.isPresent("org.springframework.web.server.ServerWebExchange",
+			null);
+
 	private static final boolean isObservabilityPresent = ClassUtils
 		.isPresent("io.micrometer.observation.ObservationRegistry", null);
 
@@ -61,6 +64,9 @@ class ReactiveMethodSecuritySelector implements ImportSelector {
 		if (isDataPresent) {
 			imports.add(AuthorizationProxyDataConfiguration.class.getName());
 		}
+		if (isWebPresent) {
+			imports.add(AuthorizationProxyWebConfiguration.class.getName());
+		}
 		if (isObservabilityPresent) {
 			imports.add(ReactiveMethodObservationConfiguration.class.getName());
 		}

config/src/main/java/org/springframework/security/config/annotation/rsocket/PayloadInterceptorOrder.java

@@ -33,12 +33,16 @@ public enum PayloadInterceptorOrder implements Ordered {
 	/**
 	 * Where basic authentication is placed.
 	 * @see RSocketSecurity#basicAuthentication(Customizer)
+	 * @deprecated please see {@link PayloadInterceptorOrder#AUTHENTICATION}
 	 */
+	@Deprecated
 	BASIC_AUTHENTICATION,
 	/**
 	 * Where JWT based authentication is performed.
 	 * @see RSocketSecurity#jwt(Customizer)
+	 * @deprecated please see {@link PayloadInterceptorOrder#AUTHENTICATION}
 	 */
+	@Deprecated
 	JWT_AUTHENTICATION,
 	/**
 	 * A generic placeholder for other types of authentication.

config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java

@@ -41,7 +41,6 @@ import org.springframework.http.HttpMethod;
 import org.springframework.lang.Nullable;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.ServletRegistrationsSupport.RegistrationMapping;
-import org.springframework.security.config.annotation.web.configurers.AbstractConfigAttributeRequestMatcherRegistry;
 import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
@@ -170,7 +169,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 
 	/**
 	 * Associates a list of {@link RequestMatcher} instances with the
-	 * {@link AbstractConfigAttributeRequestMatcherRegistry}
+	 * {@link AbstractRequestMatcherRegistry}
 	 * @param requestMatchers the {@link RequestMatcher} instances
 	 * @return the object that is chained after creating the {@link RequestMatcher}
 	 */

config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -135,6 +135,7 @@ public interface HttpSecurityBuilder<H extends HttpSecurityBuilder<H>>
 	 * <li>{@link DisableEncodeUrlFilter}</li>
 	 * <li>{@link ForceEagerSessionCreationFilter}</li>
 	 * <li>{@link ChannelProcessingFilter}</li>
+	 * <li>{@link org.springframework.security.web.transport.HttpsRedirectFilter}</li>
 	 * <li>{@link WebAsyncManagerIntegrationFilter}</li>
 	 * <li>{@link SecurityContextHolderFilter}</li>
 	 * <li>{@link SecurityContextPersistenceFilter}</li>

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -35,7 +35,9 @@ import org.springframework.core.ResolvableType;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.SingleResultAuthorizationManager;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder;
 import org.springframework.security.config.annotation.SecurityBuilder;
@@ -58,6 +60,8 @@ import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
+import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
 import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.firewall.CompositeRequestRejectedHandler;
 import org.springframework.security.web.firewall.HttpFirewall;
@@ -65,6 +69,7 @@ import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandle
 import org.springframework.security.web.firewall.ObservationMarkingRequestRejectedHandler;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcherEntry;
 import org.springframework.util.Assert;
@@ -230,8 +235,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
 	/**
 	 * Set the {@link WebInvocationPrivilegeEvaluator} to be used. If this is not
-	 * specified, then a {@link RequestMatcherDelegatingWebInvocationPrivilegeEvaluator}
-	 * will be created based on the list of {@link SecurityFilterChain}.
+	 * specified, then a {@link AuthorizationManagerWebInvocationPrivilegeEvaluator} will
+	 * be created based on the list of {@link SecurityFilterChain}.
 	 * @param privilegeEvaluator the {@link WebInvocationPrivilegeEvaluator} to use
 	 * @return the {@link WebSecurity} for further customizations
 	 */
@@ -300,24 +305,33 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 						+ ".addSecurityFilterChainBuilder directly");
 		int chainSize = this.ignoredRequests.size() + this.securityFilterChainBuilders.size();
 		List<SecurityFilterChain> securityFilterChains = new ArrayList<>(chainSize);
-		List<RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>>> requestMatcherPrivilegeEvaluatorsEntries = new ArrayList<>();
+		RequestMatcherDelegatingAuthorizationManager.Builder builder = RequestMatcherDelegatingAuthorizationManager
+			.builder();
+		boolean mappings = false;
 		for (RequestMatcher ignoredRequest : this.ignoredRequests) {
 			WebSecurity.this.logger.warn("You are asking Spring Security to ignore " + ignoredRequest
 					+ ". This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.");
 			SecurityFilterChain securityFilterChain = new DefaultSecurityFilterChain(ignoredRequest);
 			securityFilterChains.add(securityFilterChain);
-			requestMatcherPrivilegeEvaluatorsEntries
-				.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));
+			builder.add(ignoredRequest, SingleResultAuthorizationManager.permitAll());
+			mappings = true;
 		}
 		for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : this.securityFilterChainBuilders) {
 			SecurityFilterChain securityFilterChain = securityFilterChainBuilder.build();
 			securityFilterChains.add(securityFilterChain);
-			requestMatcherPrivilegeEvaluatorsEntries
-				.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));
+			mappings = addAuthorizationManager(securityFilterChain, builder) || mappings;
 		}
 		if (this.privilegeEvaluator == null) {
+			AuthorizationManager<HttpServletRequest> authorizationManager = mappings ? builder.build()
+					: SingleResultAuthorizationManager.permitAll();
+			AuthorizationManagerWebInvocationPrivilegeEvaluator privilegeEvaluator = new AuthorizationManagerWebInvocationPrivilegeEvaluator(
+					authorizationManager);
+			privilegeEvaluator.setServletContext(this.servletContext);
+			if (this.privilegeEvaluatorRequestTransformer != null) {
+				privilegeEvaluator.setRequestTransformer(this.privilegeEvaluatorRequestTransformer);
+			}
 			this.privilegeEvaluator = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
-					requestMatcherPrivilegeEvaluatorsEntries);
+					List.of(new RequestMatcherEntry<>(AnyRequestMatcher.INSTANCE, List.of(privilegeEvaluator))));
 		}
 		FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
 		if (this.httpFirewall != null) {
@@ -350,30 +364,33 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 		return result;
 	}
 
-	private RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> getRequestMatcherPrivilegeEvaluatorsEntry(
-			SecurityFilterChain securityFilterChain) {
-		List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = new ArrayList<>();
+	private boolean addAuthorizationManager(SecurityFilterChain securityFilterChain,
+			RequestMatcherDelegatingAuthorizationManager.Builder builder) {
+		boolean mappings = false;
 		for (Filter filter : securityFilterChain.getFilters()) {
-			if (filter instanceof FilterSecurityInterceptor) {
-				DefaultWebInvocationPrivilegeEvaluator defaultWebInvocationPrivilegeEvaluator = new DefaultWebInvocationPrivilegeEvaluator(
-						(FilterSecurityInterceptor) filter);
-				defaultWebInvocationPrivilegeEvaluator.setServletContext(this.servletContext);
-				privilegeEvaluators.add(defaultWebInvocationPrivilegeEvaluator);
+			if (filter instanceof FilterSecurityInterceptor securityInterceptor) {
+				DefaultWebInvocationPrivilegeEvaluator privilegeEvaluator = new DefaultWebInvocationPrivilegeEvaluator(
+						securityInterceptor);
+				privilegeEvaluator.setServletContext(this.servletContext);
+				AuthorizationManager<RequestAuthorizationContext> authorizationManager = (authentication, context) -> {
+					HttpServletRequest request = context.getRequest();
+					boolean result = privilegeEvaluator.isAllowed(request.getContextPath(), request.getRequestURI(),
+							request.getMethod(), authentication.get());
+					return new AuthorizationDecision(result);
+				};
+				builder.add(securityFilterChain::matches, authorizationManager);
+				mappings = true;
 				continue;
 			}
-			if (filter instanceof AuthorizationFilter) {
-				AuthorizationManager<HttpServletRequest> authorizationManager = ((AuthorizationFilter) filter)
-					.getAuthorizationManager();
-				AuthorizationManagerWebInvocationPrivilegeEvaluator evaluator = new AuthorizationManagerWebInvocationPrivilegeEvaluator(
-						authorizationManager);
-				evaluator.setServletContext(this.servletContext);
-				if (this.privilegeEvaluatorRequestTransformer != null) {
-					evaluator.setRequestTransformer(this.privilegeEvaluatorRequestTransformer);
-				}
-				privilegeEvaluators.add(evaluator);
+			if (filter instanceof AuthorizationFilter authorization) {
+				AuthorizationManager<HttpServletRequest> authorizationManager = authorization.getAuthorizationManager();
+				builder.add(securityFilterChain::matches,
+						(authentication, context) -> (AuthorizationDecision) authorizationManager
+							.authorize(authentication, context.getRequest()));
+				mappings = true;
 			}
 		}
-		return new RequestMatcherEntry<>(securityFilterChain::matches, privilegeEvaluators);
+		return mappings;
 	}
 
 	@Override

config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java

@@ -46,8 +46,9 @@ import org.springframework.security.web.SecurityFilterChain;
  *
  * 	@Bean
  * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- * 		http.authorizeHttpRequests().requestMatchers("/public/**").permitAll().anyRequest()
- * 				.hasRole("USER").and()
+ * 		http.authorizeHttpRequests((authorize) -> authorize
+ * 			.requestMatchers("/public/**").permitAll()
+ * 			.anyRequest().hasRole("USER"))
  * 				// Possibly more configuration ...
  * 				.formLogin() // enable form based log in
  * 				// set permitAll for all URLs associated with Form Login

config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,6 +34,8 @@ import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.support.BeanDefinitionRegistry;
 import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
 import org.springframework.context.annotation.AnnotationBeanNameGenerator;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -160,7 +162,7 @@ final class OAuth2ClientConfiguration {
 	 * @since 6.2.0
 	 */
 	static final class OAuth2AuthorizedClientManagerRegistrar
-			implements BeanDefinitionRegistryPostProcessor, BeanFactoryAware {
+			implements ApplicationEventPublisherAware, BeanDefinitionRegistryPostProcessor, BeanFactoryAware {
 
 		static final String BEAN_NAME = "authorizedClientManagerRegistrar";
 
@@ -179,6 +181,8 @@ final class OAuth2ClientConfiguration {
 
 		private final AnnotationBeanNameGenerator beanNameGenerator = new AnnotationBeanNameGenerator();
 
+		private ApplicationEventPublisher applicationEventPublisher;
+
 		private ListableBeanFactory beanFactory;
 
 		@Override
@@ -302,6 +306,10 @@ final class OAuth2ClientConfiguration {
 				authorizedClientProvider.setAccessTokenResponseClient(accessTokenResponseClient);
 			}
 
+			if (this.applicationEventPublisher != null) {
+				authorizedClientProvider.setApplicationEventPublisher(this.applicationEventPublisher);
+			}
+
 			return authorizedClientProvider;
 		}
 
@@ -423,6 +431,11 @@ final class OAuth2ClientConfiguration {
 			return objectProvider.getIfAvailable();
 		}
 
+		@Override
+		public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
+			this.applicationEventPublisher = applicationEventPublisher;
+		}
+
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java

@@ -78,6 +78,8 @@ class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContex
 
 	private static final String HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME = "mvcHandlerMappingIntrospector";
 
+	private static final String PATH_PATTERN_REQUEST_TRANSFORMER_BEAN_NAME = "pathPatternRequestTransformer";
+
 	private BeanResolver beanResolver;
 
 	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
@@ -119,17 +121,6 @@ class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContex
 		}
 	}
 
-	/**
-	 * Used to ensure Spring MVC request matching is cached.
-	 *
-	 * Creates a {@link BeanDefinitionRegistryPostProcessor} that detects if a bean named
-	 * HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME is defined. If so, it moves the
-	 * AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME to another bean name
-	 * and then adds a {@link CompositeFilter} that contains
-	 * {@link HandlerMappingIntrospector#createCacheFilter()} and the original
-	 * FilterChainProxy under the original Bean name.
-	 * @return
-	 */
 	@Bean
 	static BeanDefinitionRegistryPostProcessor springSecurityHandlerMappingIntrospectorBeanDefinitionRegistryPostProcessor() {
 		return new BeanDefinitionRegistryPostProcessor() {
@@ -144,12 +135,15 @@ class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContex
 				}
 
 				String hmiRequestTransformerBeanName = HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME + "RequestTransformer";
-				if (!registry.containsBeanDefinition(hmiRequestTransformerBeanName)) {
-					BeanDefinition hmiRequestTransformer = BeanDefinitionBuilder
-						.rootBeanDefinition(HandlerMappingIntrospectorRequestTransformer.class)
-						.addConstructorArgReference(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)
-						.getBeanDefinition();
-					registry.registerBeanDefinition(hmiRequestTransformerBeanName, hmiRequestTransformer);
+				if (!registry.containsBeanDefinition(PATH_PATTERN_REQUEST_TRANSFORMER_BEAN_NAME)
+						&& !registry.containsBeanDefinition(hmiRequestTransformerBeanName)) {
+					if (!registry.containsBeanDefinition(hmiRequestTransformerBeanName)) {
+						BeanDefinition hmiRequestTransformer = BeanDefinitionBuilder
+							.rootBeanDefinition(HandlerMappingIntrospectorRequestTransformer.class)
+							.addConstructorArgReference(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)
+							.getBeanDefinition();
+						registry.registerBeanDefinition(hmiRequestTransformerBeanName, hmiRequestTransformer);
+					}
 				}
 
 				BeanDefinition filterChainProxy = registry
@@ -178,7 +172,11 @@ class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContex
 	/**
 	 * {@link FactoryBean} to defer creation of
 	 * {@link HandlerMappingIntrospector#createCacheFilter()}
+	 *
+	 * @deprecated see {@link WebSecurityConfiguration} for
+	 * {@link org.springframework.web.util.pattern.PathPattern} replacement
 	 */
+	@Deprecated
 	static class HandlerMappingIntrospectorCacheFilterFactoryBean
 			implements ApplicationContextAware, FactoryBean<Filter> {
 
@@ -207,7 +205,11 @@ class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContex
 	 * Extends {@link FilterChainProxy} to provide as much passivity as possible but
 	 * delegates to {@link CompositeFilter} for
 	 * {@link #doFilter(ServletRequest, ServletResponse, FilterChain)}.
+	 *
+	 * @deprecated see {@link WebSecurityConfiguration} for
+	 * {@link org.springframework.web.util.pattern.PathPattern} replacement
 	 */
+	@Deprecated
 	static class CompositeFilterChainProxy extends FilterChainProxy {
 
 		/**

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java

@@ -16,16 +16,29 @@
 
 package org.springframework.security.config.annotation.web.configuration;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
 import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
 
+import org.springframework.beans.BeanMetadataElement;
+import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.support.BeanDefinitionRegistry;
+import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
+import org.springframework.beans.factory.support.ManagedList;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.DependsOn;
@@ -45,11 +58,18 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.crypto.RsaKeyConversionServicePostProcessor;
 import org.springframework.security.context.DelegatingApplicationListener;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
+import org.springframework.security.web.debug.DebugFilter;
+import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.RequestRejectedHandler;
+import org.springframework.web.filter.CompositeFilter;
+import org.springframework.web.filter.ServletRequestPathFilter;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 /**
  * Uses a {@link WebSecurity} to create the {@link FilterChainProxy} that performs the web
@@ -186,6 +206,51 @@ public class WebSecurityConfiguration implements ImportAware {
 		}
 	}
 
+	/**
+	 * Used to ensure Spring MVC request matching is cached.
+	 *
+	 * Creates a {@link BeanDefinitionRegistryPostProcessor} that detects if a bean named
+	 * HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME is defined. If so, it moves the
+	 * AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME to another bean name
+	 * and then adds a {@link CompositeFilter} that contains
+	 * {@link HandlerMappingIntrospector#createCacheFilter()} and the original
+	 * FilterChainProxy under the original Bean name.
+	 * @return
+	 */
+	@Bean
+	static BeanDefinitionRegistryPostProcessor springSecurityPathPatternParserBeanDefinitionRegistryPostProcessor() {
+		return new BeanDefinitionRegistryPostProcessor() {
+			@Override
+			public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
+			}
+
+			@Override
+			public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {
+				BeanDefinition filterChainProxy = registry
+					.getBeanDefinition(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
+
+				if (filterChainProxy.getResolvableType().isInstance(CompositeFilterChainProxy.class)) {
+					return;
+				}
+
+				BeanDefinitionBuilder pppCacheFilterBldr = BeanDefinitionBuilder
+					.rootBeanDefinition(ServletRequestPathFilter.class)
+					.setRole(BeanDefinition.ROLE_INFRASTRUCTURE);
+
+				ManagedList<BeanMetadataElement> filters = new ManagedList<>();
+				filters.add(pppCacheFilterBldr.getBeanDefinition());
+				filters.add(filterChainProxy);
+				BeanDefinitionBuilder compositeSpringSecurityFilterChainBldr = BeanDefinitionBuilder
+					.rootBeanDefinition(CompositeFilterChainProxy.class)
+					.addConstructorArgValue(filters);
+
+				registry.removeBeanDefinition(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
+				registry.registerBeanDefinition(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME,
+						compositeSpringSecurityFilterChainBldr.getBeanDefinition());
+			}
+		};
+	}
+
 	/**
 	 * A custom version of the Spring provided AnnotationAwareOrderComparator that uses
 	 * {@link AnnotationUtils#findAnnotation(Class, Class)} to look on super class
@@ -219,4 +284,121 @@ public class WebSecurityConfiguration implements ImportAware {
 
 	}
 
+	/**
+	 * Extends {@link FilterChainProxy} to provide as much passivity as possible but
+	 * delegates to {@link CompositeFilter} for
+	 * {@link #doFilter(ServletRequest, ServletResponse, FilterChain)}.
+	 */
+	static class CompositeFilterChainProxy extends FilterChainProxy {
+
+		/**
+		 * Used for {@link #doFilter(ServletRequest, ServletResponse, FilterChain)}
+		 */
+		private final Filter doFilterDelegate;
+
+		private final FilterChainProxy springSecurityFilterChain;
+
+		/**
+		 * Creates a new instance
+		 * @param filters the Filters to delegate to. One of which must be
+		 * FilterChainProxy.
+		 */
+		CompositeFilterChainProxy(List<? extends Filter> filters) {
+			this.doFilterDelegate = createDoFilterDelegate(filters);
+			this.springSecurityFilterChain = findFilterChainProxy(filters);
+		}
+
+		@Override
+		public void afterPropertiesSet() {
+			this.springSecurityFilterChain.afterPropertiesSet();
+		}
+
+		@Override
+		public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+				throws IOException, ServletException {
+			this.doFilterDelegate.doFilter(request, response, chain);
+		}
+
+		@Override
+		public List<Filter> getFilters(String url) {
+			return this.springSecurityFilterChain.getFilters(url);
+		}
+
+		@Override
+		public List<SecurityFilterChain> getFilterChains() {
+			return this.springSecurityFilterChain.getFilterChains();
+		}
+
+		@Override
+		public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+			this.springSecurityFilterChain.setSecurityContextHolderStrategy(securityContextHolderStrategy);
+		}
+
+		@Override
+		public void setFilterChainValidator(FilterChainValidator filterChainValidator) {
+			this.springSecurityFilterChain.setFilterChainValidator(filterChainValidator);
+		}
+
+		@Override
+		public void setFilterChainDecorator(FilterChainDecorator filterChainDecorator) {
+			this.springSecurityFilterChain.setFilterChainDecorator(filterChainDecorator);
+		}
+
+		@Override
+		public void setFirewall(HttpFirewall firewall) {
+			this.springSecurityFilterChain.setFirewall(firewall);
+		}
+
+		@Override
+		public void setRequestRejectedHandler(RequestRejectedHandler requestRejectedHandler) {
+			this.springSecurityFilterChain.setRequestRejectedHandler(requestRejectedHandler);
+		}
+
+		/**
+		 * Used through reflection by Spring Security's Test support to lookup the
+		 * FilterChainProxy Filters for a specific HttpServletRequest.
+		 * @param request
+		 * @return
+		 */
+		private List<? extends Filter> getFilters(HttpServletRequest request) {
+			List<SecurityFilterChain> filterChains = this.springSecurityFilterChain.getFilterChains();
+			for (SecurityFilterChain chain : filterChains) {
+				if (chain.matches(request)) {
+					return chain.getFilters();
+				}
+			}
+			return null;
+		}
+
+		/**
+		 * Creates the Filter to delegate to for doFilter
+		 * @param filters the Filters to delegate to.
+		 * @return the Filter for doFilter
+		 */
+		private static Filter createDoFilterDelegate(List<? extends Filter> filters) {
+			CompositeFilter delegate = new CompositeFilter();
+			delegate.setFilters(filters);
+			return delegate;
+		}
+
+		/**
+		 * Find the FilterChainProxy in a List of Filter
+		 * @param filters
+		 * @return non-null FilterChainProxy
+		 * @throws IllegalStateException if the FilterChainProxy cannot be found
+		 */
+		private static FilterChainProxy findFilterChainProxy(List<? extends Filter> filters) {
+			for (Filter filter : filters) {
+				if (filter instanceof FilterChainProxy fcp) {
+					return fcp;
+				}
+				if (filter instanceof DebugFilter debugFilter) {
+					return debugFilter.getFilterChainProxy();
+				}
+			}
+			throw new IllegalStateException("Couldn't find FilterChainProxy in " + filters);
+		}
+
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,7 +22,9 @@ import java.util.LinkedHashMap;
 import java.util.List;
 
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
@@ -36,7 +38,14 @@ import org.springframework.util.Assert;
  * @see ChannelSecurityConfigurer
  * @see UrlAuthorizationConfigurer
  * @see ExpressionUrlAuthorizationConfigurer
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
  */
+@Deprecated
 public abstract class AbstractConfigAttributeRequestMatcherRegistry<C> extends AbstractRequestMatcherRegistry<C> {
 
 	private List<UrlMapping> urlMappings = new ArrayList<>();

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -151,6 +151,7 @@ public abstract class AbstractInterceptUrlConfigurer<C extends AbstractIntercept
 		return securityInterceptor;
 	}
 
+	@Deprecated
 	public abstract class AbstractInterceptUrlRegistry<R extends AbstractInterceptUrlRegistry<R, T>, T>
 			extends AbstractConfigAttributeRequestMatcherRegistry<T> {
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java

@@ -21,6 +21,7 @@ import java.util.UUID;
 
 import org.springframework.security.authentication.AnonymousAuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -57,7 +58,7 @@ public final class AnonymousConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#anonymous()
+	 * @see HttpSecurity#anonymous(Customizer)
 	 */
 	public AnonymousConfigurer() {
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -231,17 +231,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 			return this;
 		}
 
-		/**
-		 * Return the {@link HttpSecurityBuilder} when done using the
-		 * {@link AuthorizeHttpRequestsConfigurer}. This is useful for method chaining.
-		 * @return the {@link HttpSecurityBuilder} for further customizations
-		 * @deprecated For removal in 7.0. Use the lambda based configuration instead.
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public H and() {
-			return AuthorizeHttpRequestsConfigurer.this.and();
-		}
-
 	}
 
 	/**

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurer.java

@@ -24,10 +24,7 @@ import java.util.List;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityConfig;
-import org.springframework.security.config.Customizer;
 import org.springframework.security.config.ObjectPostProcessor;
-import org.springframework.security.config.annotation.SecurityBuilder;
-import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.DefaultRedirectStrategy;
@@ -96,7 +93,7 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#requiresChannel()
+	 * @see HttpSecurity#requiresChannel(Customizer)
 	 */
 	public ChannelSecurityConfigurer(ApplicationContext context) {
 		this.REGISTRY = new ChannelRequestMatcherRegistry(context);
@@ -207,18 +204,6 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
-		/**
-		 * Return the {@link SecurityBuilder} when done using the
-		 * {@link SecurityConfigurer}. This is useful for method chaining.
-		 * @return the type of {@link HttpSecurityBuilder} that is being configured
-		 * @deprecated For removal in 7.0. Use
-		 * {@link HttpSecurity#requiresChannel(Customizer)} instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public H and() {
-			return ChannelSecurityConfigurer.this.and();
-		}
-
 	}
 
 	/**

config/src/main/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurer.java

@@ -18,6 +18,7 @@ package org.springframework.security.config.annotation.web.configurers;
 
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.util.Assert;
@@ -57,7 +58,7 @@ public class CorsConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHt
 	/**
 	 * Creates a new instance
 	 *
-	 * @see HttpSecurity#cors()
+	 * @see HttpSecurity#cors(Customizer)
 	 */
 	public CorsConfigurer() {
 	}
@@ -107,15 +108,14 @@ public class CorsConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHt
 		 * @return
 		 */
 		private static CorsFilter getMvcCorsFilter(ApplicationContext context) {
-			if (!context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
-				throw new NoSuchBeanDefinitionException(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, "A Bean named "
-						+ HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME + " of type "
-						+ HandlerMappingIntrospector.class.getName()
-						+ " is required to use MvcRequestMatcher. Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
+			if (context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
+				CorsConfigurationSource corsConfigurationSource = context
+					.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, CorsConfigurationSource.class);
+				return new CorsFilter(corsConfigurationSource);
 			}
-			HandlerMappingIntrospector mappingIntrospector = context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME,
-					HandlerMappingIntrospector.class);
-			return new CorsFilter(mappingIntrospector);
+			throw new NoSuchBeanDefinitionException(CorsConfigurationSource.class,
+					"Failed to find a bean that implements `CorsConfigurationSource`. Please ensure that you are using "
+							+ "`@EnableWebMvc`, are publishing a `WebMvcConfigurer`, or are publishing a `CorsConfigurationSource` bean.");
 		}
 
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,12 +19,15 @@ package org.springframework.security.config.annotation.web.configurers;
 import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.function.Supplier;
 
 import io.micrometer.observation.ObservationRegistry;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -34,13 +37,17 @@ import org.springframework.security.web.access.CompositeAccessDeniedHandler;
 import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
 import org.springframework.security.web.access.ObservationMarkingAccessDeniedHandler;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfLogoutHandler;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler;
 import org.springframework.security.web.session.InvalidSessionStrategy;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
@@ -48,6 +55,7 @@ import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * Adds
@@ -96,7 +104,7 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#csrf()
+	 * @see HttpSecurity#csrf(Customizer)
 	 */
 	public CsrfConfigurer(ApplicationContext context) {
 		this.context = context;
@@ -156,16 +164,16 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 *
 	 * <pre>
 	 * http
-	 *     .csrf()
-	 *         .ignoringRequestMatchers((request) -&gt; "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
-	 *         .and()
+	 *     .csrf((csrf) -&gt; csrf
+	 *         .ignoringRequestMatchers((request) -&gt; "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))))
 	 *     ...
 	 * </pre>
 	 *
 	 * @since 5.1
 	 */
 	public CsrfConfigurer<H> ignoringRequestMatchers(RequestMatcher... requestMatchers) {
-		return new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(requestMatchers).and();
+		new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(requestMatchers);
+		return this;
 	}
 
 	/**
@@ -184,9 +192,8 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 *
 	 * <pre>
 	 * http
-	 *     .csrf()
-	 *         .ignoringRequestMatchers("/sockjs/**")
-	 *         .and()
+	 *     .csrf((csrf) -&gt; csrf
+	 *         .ignoringRequestMatchers("/sockjs/**"))
 	 *     ...
 	 * </pre>
 	 *
@@ -194,7 +201,8 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @see AbstractRequestMatcherRegistry#requestMatchers(String...)
 	 */
 	public CsrfConfigurer<H> ignoringRequestMatchers(String... patterns) {
-		return new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(patterns).and();
+		new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(patterns);
+		return this;
 	}
 
 	/**
@@ -214,6 +222,21 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 		return this;
 	}
 
+	/**
+	 * <p>
+	 * Sensible CSRF defaults when used in combination with a single page application.
+	 * Creates a cookie-based token repository and a custom request handler to resolve the
+	 * actual token value instead of the encoded token.
+	 * </p>
+	 * @return the {@link CsrfConfigurer} for further customizations
+	 * @since 7.0
+	 */
+	public CsrfConfigurer<H> spa() {
+		this.csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
+		this.requestHandler = new SpaCsrfTokenRequestHandler();
+		return this;
+	}
+
 	@SuppressWarnings("unchecked")
 	@Override
 	public void configure(H http) {
@@ -363,10 +386,6 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 			setApplicationContext(context);
 		}
 
-		CsrfConfigurer<H> and() {
-			return CsrfConfigurer.this;
-		}
-
 		@Override
 		protected IgnoreCsrfProtectionRegistry chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			CsrfConfigurer.this.ignoredCsrfProtectionMatchers.addAll(requestMatchers);
@@ -375,4 +394,27 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
 	}
 
+	private static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
+
+		private final CsrfTokenRequestAttributeHandler plain = new CsrfTokenRequestAttributeHandler();
+
+		private final CsrfTokenRequestAttributeHandler xor = new XorCsrfTokenRequestAttributeHandler();
+
+		SpaCsrfTokenRequestHandler() {
+			this.xor.setCsrfRequestAttributeName(null);
+		}
+
+		@Override
+		public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> csrfToken) {
+			this.xor.handle(request, response, csrfToken);
+		}
+
+		@Override
+		public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
+			String headerValue = request.getHeader(csrfToken.getHeaderName());
+			return (StringUtils.hasText(headerValue) ? this.plain : this.xor).resolveCsrfTokenValue(request, csrfToken);
+		}
+
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java

@@ -33,13 +33,6 @@ import org.springframework.security.web.csrf.CsrfToken;
  * Adds a Filter that will generate a login page if one is not specified otherwise when
  * using {@link EnableWebSecurity}.
  *
- * <p>
- * By default an
- * {@link org.springframework.security.web.access.channel.InsecureChannelProcessor} and a
- * {@link org.springframework.security.web.access.channel.SecureChannelProcessor} will be
- * registered.
- * </p>
- *
  * <h2>Security Filters</h2>
  *
  * The following Filters are conditionally populated
@@ -58,8 +51,6 @@ import org.springframework.security.web.csrf.CsrfToken;
  * The following shared objects are used:
  *
  * <ul>
- * <li>{@link org.springframework.security.web.PortMapper} is used to create the default
- * {@link org.springframework.security.web.access.channel.ChannelProcessor} instances</li>
  * <li>{@link FormLoginConfigurer} is used to determine if the
  * {@link DefaultLoginPageConfigurer} should be added and how to configure it.</li>
  * </ul>

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurer.java

@@ -18,6 +18,7 @@ package org.springframework.security.config.annotation.web.configurers;
 
 import java.util.LinkedHashMap;
 
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -76,7 +77,7 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#exceptionHandling()
+	 * @see HttpSecurity#exceptionHandling(Customizer)
 	 */
 	public ExceptionHandlingConfigurer() {
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -77,7 +78,7 @@ import org.springframework.util.StringUtils;
  * @author Yanming Zhou
  * @author Ngoc Nhan
  * @since 3.2
- * @see org.springframework.security.config.annotation.web.builders.HttpSecurity#authorizeRequests()
+ * @see org.springframework.security.config.annotation.web.builders.HttpSecurity#authorizeRequests(Customizer)
  * @deprecated Use {@link AuthorizeHttpRequestsConfigurer} instead
  */
 @Deprecated
@@ -104,7 +105,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#authorizeRequests()
+	 * @see HttpSecurity#authorizeRequests(Customizer)
 	 */
 	public ExpressionUrlAuthorizationConfigurer(ApplicationContext context) {
 		GrantedAuthorityDefaults grantedAuthorityDefaults = context.getBeanProvider(GrantedAuthorityDefaults.class)
@@ -202,6 +203,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 		return "hasIpAddress('" + ipAddressExpression + "')";
 	}
 
+	@Deprecated
 	public final class ExpressionInterceptUrlRegistry extends
 			ExpressionUrlAuthorizationConfigurer<H>.AbstractInterceptUrlRegistry<ExpressionInterceptUrlRegistry, AuthorizedUrl> {
 
@@ -249,7 +251,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 		}
 
 		public H and() {
-			return ExpressionUrlAuthorizationConfigurer.this.and();
+			return ExpressionUrlAuthorizationConfigurer.this.getBuilder();
 		}
 
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java

@@ -17,6 +17,7 @@
 package org.springframework.security.config.annotation.web.configurers;
 
 import org.springframework.http.HttpMethod;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.RequestMatcherFactory;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -74,7 +75,7 @@ public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#formLogin()
+	 * @see HttpSecurity#formLogin(Customizer)
 	 */
 	public FormLoginConfigurer() {
 		super(new UsernamePasswordAuthenticationFilter(), null);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -111,7 +111,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	/**
 	 * Creates a new instance
 	 *
-	 * @see HttpSecurity#headers()
+	 * @see HttpSecurity#headers(Customizer)
 	 */
 	public HeadersConfigurer() {
 	}
@@ -127,26 +127,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return this;
 	}
 
-	/**
-	 * Configures the {@link XContentTypeOptionsHeaderWriter} which inserts the
-	 * <a href= "https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx"
-	 * >X-Content-Type-Options</a>:
-	 *
-	 * <pre>
-	 * X-Content-Type-Options: nosniff
-	 * </pre>
-	 * @return the {@link ContentTypeOptionsConfig} for additional customizations
-	 * @deprecated For removal in 7.0. Use {@link #contentTypeOptions(Customizer)} or
-	 * {@code contentTypeOptions(Customizer.withDefaults())} to stick with defaults. See
-	 * the <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public ContentTypeOptionsConfig contentTypeOptions() {
-		return this.contentTypeOptions.enable();
-	}
-
 	/**
 	 * Configures the {@link XContentTypeOptionsHeaderWriter} which inserts the
 	 * <a href= "https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx"
@@ -164,26 +144,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return HeadersConfigurer.this;
 	}
 
-	/**
-	 * <strong>Note this is not comprehensive XSS protection!</strong>
-	 *
-	 * <p>
-	 * Allows customizing the {@link XXssProtectionHeaderWriter} which adds the <a href=
-	 * "https://web.archive.org/web/20160201174302/https://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx"
-	 * >X-XSS-Protection header</a>
-	 * </p>
-	 * @return the {@link XXssConfig} for additional customizations
-	 * @deprecated For removal in 7.0. Use {@link #xssProtection(Customizer)} or
-	 * {@code xssProtection(Customizer.withDefaults())} to stick with defaults. See the
-	 * <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public XXssConfig xssProtection() {
-		return this.xssProtection.enable();
-	}
-
 	/**
 	 * <strong>Note this is not comprehensive XSS protection!</strong>
 	 *
@@ -201,26 +161,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return HeadersConfigurer.this;
 	}
 
-	/**
-	 * Allows customizing the {@link CacheControlHeadersWriter}. Specifically it adds the
-	 * following headers:
-	 * <ul>
-	 * <li>Cache-Control: no-cache, no-store, max-age=0, must-revalidate</li>
-	 * <li>Pragma: no-cache</li>
-	 * <li>Expires: 0</li>
-	 * </ul>
-	 * @return the {@link CacheControlConfig} for additional customizations
-	 * @deprecated For removal in 7.0. Use {@link #cacheControl(Customizer)} or
-	 * {@code cacheControl(Customizer.withDefaults())} to stick with defaults. See the
-	 * <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public CacheControlConfig cacheControl() {
-		return this.cacheControl.enable();
-	}
-
 	/**
 	 * Allows customizing the {@link CacheControlHeadersWriter}. Specifically it adds the
 	 * following headers:
@@ -238,19 +178,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return HeadersConfigurer.this;
 	}
 
-	/**
-	 * Allows customizing the {@link HstsHeaderWriter} which provides support for
-	 * <a href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security
-	 * (HSTS)</a>.
-	 * @return the {@link HstsConfig} for additional customizations
-	 * @deprecated For removal in 7.0. Use
-	 * {@link #httpStrictTransportSecurity(Customizer)} instead
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public HstsConfig httpStrictTransportSecurity() {
-		return this.hsts.enable();
-	}
-
 	/**
 	 * Allows customizing the {@link HstsHeaderWriter} which provides support for
 	 * <a href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security
@@ -264,20 +191,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return HeadersConfigurer.this;
 	}
 
-	/**
-	 * Allows customizing the {@link XFrameOptionsHeaderWriter}.
-	 * @return the {@link FrameOptionsConfig} for additional customizations
-	 * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)} or
-	 * {@code frameOptions(Customizer.withDefaults())} to stick with defaults. See the
-	 * <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public FrameOptionsConfig frameOptions() {
-		return this.frameOptions.enable();
-	}
-
 	/**
 	 * Allows customizing the {@link XFrameOptionsHeaderWriter}.
 	 * @param frameOptionsCustomizer the {@link Customizer} to provide more options for
@@ -289,21 +202,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return HeadersConfigurer.this;
 	}
 
-	/**
-	 * Allows customizing the {@link HpkpHeaderWriter} which provides support for
-	 * <a href="https://tools.ietf.org/html/rfc7469">HTTP Public Key Pinning (HPKP)</a>.
-	 * @return the {@link HpkpConfig} for additional customizations
-	 *
-	 * @since 4.1
-	 * @deprecated see <a href=
-	 * "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate
-	 * and Public Key Pinning</a> for more context
-	 */
-	@Deprecated
-	public HpkpConfig httpPublicKeyPinning() {
-		return this.hpkp.enable();
-	}
-
 	/**
 	 * Allows customizing the {@link HpkpHeaderWriter} which provides support for
 	 * <a href="https://tools.ietf.org/html/rfc7469">HTTP Public Key Pinning (HPKP)</a>.
@@ -320,39 +218,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return HeadersConfigurer.this;
 	}
 
-	/**
-	 * <p>
-	 * Allows configuration for <a href="https://www.w3.org/TR/CSP2/">Content Security
-	 * Policy (CSP) Level 2</a>.
-	 * </p>
-	 *
-	 * <p>
-	 * Calling this method automatically enables (includes) the Content-Security-Policy
-	 * header in the response using the supplied security policy directive(s).
-	 * </p>
-	 *
-	 * <p>
-	 * Configuration is provided to the {@link ContentSecurityPolicyHeaderWriter} which
-	 * supports the writing of the two headers as detailed in the W3C Candidate
-	 * Recommendation:
-	 * </p>
-	 * <ul>
-	 * <li>Content-Security-Policy</li>
-	 * <li>Content-Security-Policy-Report-Only</li>
-	 * </ul>
-	 * @return the {@link ContentSecurityPolicyConfig} for additional configuration
-	 * @throws IllegalArgumentException if policyDirectives is null or empty
-	 * @since 4.1
-	 * @deprecated For removal in 7.0. Use {@link #contentSecurityPolicy(Customizer)}
-	 * instead
-	 * @see ContentSecurityPolicyHeaderWriter
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives) {
-		this.contentSecurityPolicy.writer = new ContentSecurityPolicyHeaderWriter(policyDirectives);
-		return this.contentSecurityPolicy;
-	}
-
 	/**
 	 * <p>
 	 * Allows configuration for <a href="https://www.w3.org/TR/CSP2/">Content Security
@@ -454,71 +319,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		}
 	}
 
-	/**
-	 * <p>
-	 * Allows configuration for <a href="https://www.w3.org/TR/referrer-policy/">Referrer
-	 * Policy</a>.
-	 * </p>
-	 *
-	 * <p>
-	 * Configuration is provided to the {@link ReferrerPolicyHeaderWriter} which support
-	 * the writing of the header as detailed in the W3C Technical Report:
-	 * </p>
-	 * <ul>
-	 * <li>Referrer-Policy</li>
-	 * </ul>
-	 *
-	 * <p>
-	 * Default value is:
-	 * </p>
-	 *
-	 * <pre>
-	 * Referrer-Policy: no-referrer
-	 * </pre>
-	 * @return the {@link ReferrerPolicyConfig} for additional configuration
-	 * @since 4.2
-	 * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} or
-	 * {@code referrerPolicy(Customizer.withDefaults())} to stick with defaults. See the
-	 * <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
-	 * @see ReferrerPolicyHeaderWriter
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public ReferrerPolicyConfig referrerPolicy() {
-		this.referrerPolicy.writer = new ReferrerPolicyHeaderWriter();
-		return this.referrerPolicy;
-	}
-
-	/**
-	 * <p>
-	 * Allows configuration for <a href="https://www.w3.org/TR/referrer-policy/">Referrer
-	 * Policy</a>.
-	 * </p>
-	 *
-	 * <p>
-	 * Configuration is provided to the {@link ReferrerPolicyHeaderWriter} which support
-	 * the writing of the header as detailed in the W3C Technical Report:
-	 * </p>
-	 * <ul>
-	 * <li>Referrer-Policy</li>
-	 * </ul>
-	 * @return the {@link ReferrerPolicyConfig} for additional configuration
-	 * @throws IllegalArgumentException if policy is null or empty
-	 * @since 4.2
-	 * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} or
-	 * {@code referrerPolicy(Customizer.withDefaults())} to stick with defaults. See the
-	 * <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
-	 * @see ReferrerPolicyHeaderWriter
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public ReferrerPolicyConfig referrerPolicy(ReferrerPolicy policy) {
-		this.referrerPolicy.writer = new ReferrerPolicyHeaderWriter(policy);
-		return this.referrerPolicy;
-	}
-
 	/**
 	 * <p>
 	 * Allows configuration for <a href="https://www.w3.org/TR/referrer-policy/">Referrer
@@ -568,35 +368,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return this.featurePolicy;
 	}
 
-	/**
-	 * <p>
-	 * Allows configuration for
-	 * <a href="https://w3c.github.io/webappsec-permissions-policy/">Permissions
-	 * Policy</a>.
-	 * </p>
-	 *
-	 * <p>
-	 * Configuration is provided to the {@link PermissionsPolicyHeaderWriter} which
-	 * support the writing of the header as detailed in the W3C Technical Report:
-	 * </p>
-	 * <ul>
-	 * <li>Permissions-Policy</li>
-	 * </ul>
-	 * @return the {@link PermissionsPolicyConfig} for additional configuration
-	 * @since 5.5
-	 * @deprecated For removal in 7.0. Use {@link #permissionsPolicyHeader(Customizer)} or
-	 * {@code permissionsPolicy(Customizer.withDefaults())} to stick with defaults. See
-	 * the <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
-	 * @see PermissionsPolicyHeaderWriter
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public PermissionsPolicyConfig permissionsPolicy() {
-		this.permissionsPolicy.writer = new PermissionsPolicyHeaderWriter();
-		return this.permissionsPolicy;
-	}
-
 	/**
 	 * Allows configuration for
 	 * <a href="https://w3c.github.io/webappsec-permissions-policy/"> Permissions
@@ -643,26 +414,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return this;
 	}
 
-	/**
-	 * Allows configuration for <a href=
-	 * "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy">
-	 * Cross-Origin-Opener-Policy</a> header.
-	 * <p>
-	 * Configuration is provided to the {@link CrossOriginOpenerPolicyHeaderWriter} which
-	 * responsible for writing the header.
-	 * </p>
-	 * @return the {@link CrossOriginOpenerPolicyConfig} for additional confniguration
-	 * @since 5.7
-	 * @deprecated For removal in 7.0. Use {@link #crossOriginOpenerPolicy(Customizer)}
-	 * instead
-	 * @see CrossOriginOpenerPolicyHeaderWriter
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy() {
-		this.crossOriginOpenerPolicy.writer = new CrossOriginOpenerPolicyHeaderWriter();
-		return this.crossOriginOpenerPolicy;
-	}
-
 	/**
 	 * Allows configuration for <a href=
 	 * "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy">
@@ -687,26 +438,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return HeadersConfigurer.this;
 	}
 
-	/**
-	 * Allows configuration for <a href=
-	 * "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy">
-	 * Cross-Origin-Embedder-Policy</a> header.
-	 * <p>
-	 * Configuration is provided to the {@link CrossOriginEmbedderPolicyHeaderWriter}
-	 * which is responsible for writing the header.
-	 * </p>
-	 * @return the {@link CrossOriginEmbedderPolicyConfig} for additional customizations
-	 * @since 5.7
-	 * @deprecated For removal in 7.0. Use {@link #crossOriginEmbedderPolicy(Customizer)}
-	 * instead
-	 * @see CrossOriginEmbedderPolicyHeaderWriter
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy() {
-		this.crossOriginEmbedderPolicy.writer = new CrossOriginEmbedderPolicyHeaderWriter();
-		return this.crossOriginEmbedderPolicy;
-	}
-
 	/**
 	 * Allows configuration for <a href=
 	 * "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy">
@@ -731,26 +462,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		return HeadersConfigurer.this;
 	}
 
-	/**
-	 * Allows configuration for <a href=
-	 * "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy">
-	 * Cross-Origin-Resource-Policy</a> header.
-	 * <p>
-	 * Configuration is provided to the {@link CrossOriginResourcePolicyHeaderWriter}
-	 * which is responsible for writing the header:
-	 * </p>
-	 * @return the {@link HeadersConfigurer} for additional customizations
-	 * @since 5.7
-	 * @deprecated For removal in 7.0. Use {@link #crossOriginResourcePolicy(Customizer)}
-	 * instead
-	 * @see CrossOriginResourcePolicyHeaderWriter
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public CrossOriginResourcePolicyConfig crossOriginResourcePolicy() {
-		this.crossOriginResourcePolicy.writer = new CrossOriginResourcePolicyHeaderWriter();
-		return this.crossOriginResourcePolicy;
-	}
-
 	/**
 	 * Allows configuration for <a href=
 	 * "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy">
@@ -789,17 +500,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 */
 		public HeadersConfigurer<H> disable() {
 			this.writer = null;
-			return and();
-		}
-
-		/**
-		 * Allows customizing the {@link HeadersConfigurer}
-		 * @return the {@link HeadersConfigurer} for additional customization
-		 * @deprecated For removal in 7.0. Use {@link #contentTypeOptions(Customizer)}
-		 * instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
 
@@ -864,21 +564,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 */
 		public HeadersConfigurer<H> disable() {
 			this.writer = null;
-			return and();
-		}
-
-		/**
-		 * Allows completing configuration of X-XSS-Protection and continuing
-		 * configuration of headers.
-		 * @return the {@link HeadersConfigurer} for additional configuration
-		 * @deprecated For removal in 7.0. Use {@link #xssProtection(Customizer)} or
-		 * {@code xssProtection(Customizer.withDefaults())} to stick with defaults. See
-		 * the <a href=
-		 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-		 * for more details.
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
 
@@ -912,21 +597,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 			return HeadersConfigurer.this;
 		}
 
-		/**
-		 * Allows completing configuration of Cache Control and continuing configuration
-		 * of headers.
-		 * @return the {@link HeadersConfigurer} for additional configuration
-		 * @deprecated For removal in 7.0. Use {@link #cacheControl(Customizer)} or
-		 * {@code cacheControl(Customizer.withDefaults())} to stick with defaults. See the
-		 * <a href=
-		 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-		 * for more details.
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
-			return HeadersConfigurer.this;
-		}
-
 		/**
 		 * Ensures the Cache Control headers are enabled if they are not already.
 		 * @return the {@link CacheControlConfig} for additional customization
@@ -1024,18 +694,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 			return HeadersConfigurer.this;
 		}
 
-		/**
-		 * Allows completing configuration of Strict Transport Security and continuing
-		 * configuration of headers.
-		 * @return the {@link HeadersConfigurer} for additional configuration
-		 * @deprecated For removal in 7.0. Use
-		 * {@link #httpStrictTransportSecurity(Customizer)} instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
-			return HeadersConfigurer.this;
-		}
-
 		/**
 		 * Ensures that Strict-Transport-Security is enabled if it is not already
 		 * @return the {@link HstsConfig} for additional customization
@@ -1063,7 +721,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 */
 		public HeadersConfigurer<H> deny() {
 			this.writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY);
-			return and();
+			return HeadersConfigurer.this;
 		}
 
 		/**
@@ -1077,7 +735,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 */
 		public HeadersConfigurer<H> sameOrigin() {
 			this.writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN);
-			return and();
+			return HeadersConfigurer.this;
 		}
 
 		/**
@@ -1086,20 +744,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 */
 		public HeadersConfigurer<H> disable() {
 			this.writer = null;
-			return and();
-		}
-
-		/**
-		 * Allows continuing customizing the headers configuration.
-		 * @return the {@link HeadersConfigurer} for additional configuration
-		 * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)} or
-		 * {@code frameOptions(Customizer.withDefaults())} to stick with defaults. See the
-		 * <a href=
-		 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-		 * for more details.
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
 
@@ -1317,18 +961,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
-		/**
-		 * Allows completing configuration of Content Security Policy and continuing
-		 * configuration of headers.
-		 * @return the {@link HeadersConfigurer} for additional configuration
-		 * @deprecated For removal in 7.0. Use {@link #contentSecurityPolicy(Customizer)}
-		 * instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
-			return HeadersConfigurer.this;
-		}
-
 	}
 
 	public final class ReferrerPolicyConfig {
@@ -1349,18 +981,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
-		/**
-		 * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} or
-		 * {@code referrerPolicy(Customizer.withDefaults())} to stick with defaults. See
-		 * the <a href=
-		 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-		 * for more details.
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
-			return HeadersConfigurer.this;
-		}
-
 	}
 
 	public final class FeaturePolicyConfig {
@@ -1399,18 +1019,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
-		/**
-		 * Allows completing configuration of Permissions Policy and continuing
-		 * configuration of headers.
-		 * @return the {@link HeadersConfigurer} for additional configuration
-		 * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)}
-		 * instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
-			return HeadersConfigurer.this;
-		}
-
 	}
 
 	public final class CrossOriginOpenerPolicyConfig {
@@ -1432,18 +1040,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
-		/**
-		 * Allows completing configuration of Cross Origin Opener Policy and continuing
-		 * configuration of headers.
-		 * @return the {@link HeadersConfigurer} for additional configuration
-		 * @deprecated For removal in 7.0. Use
-		 * {@link #crossOriginOpenerPolicy(Customizer)} instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
-			return HeadersConfigurer.this;
-		}
-
 	}
 
 	public final class CrossOriginEmbedderPolicyConfig {
@@ -1466,18 +1062,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
-		/**
-		 * Allows completing configuration of Cross-Origin-Embedder-Policy and continuing
-		 * configuration of headers.
-		 * @return the {@link HeadersConfigurer} for additional configuration
-		 * @deprecated For removal in 7.0. Use
-		 * {@link #crossOriginEmbedderPolicy(Customizer)} instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
-			return HeadersConfigurer.this;
-		}
-
 	}
 
 	public final class CrossOriginResourcePolicyConfig {
@@ -1500,18 +1084,6 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
-		/**
-		 * Allows completing configuration of Cross-Origin-Resource-Policy and continuing
-		 * configuration of headers.
-		 * @return the {@link HeadersConfigurer} for additional configuration
-		 * @deprecated For removal in 7.0. Use
-		 * {@link #crossOriginResourcePolicy(Customizer)} instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public HeadersConfigurer<H> and() {
-			return HeadersConfigurer.this;
-		}
-
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java

@@ -26,6 +26,7 @@ import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -98,7 +99,7 @@ public final class HttpBasicConfigurer<B extends HttpSecurityBuilder<B>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#httpBasic()
+	 * @see HttpSecurity#httpBasic(Customizer)
 	 */
 	public HttpBasicConfigurer() {
 		realmName(DEFAULT_REALM);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurer.java

@@ -22,6 +22,7 @@ import java.util.Set;
 import jakarta.servlet.http.HttpServletRequest;
 
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.authority.mapping.SimpleMappableAttributesRetriever;
@@ -77,7 +78,7 @@ public final class JeeConfigurer<H extends HttpSecurityBuilder<H>> extends Abstr
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#jee()
+	 * @see HttpSecurity#jee(Customizer)
 	 */
 	public JeeConfigurer() {
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@ import java.util.List;
 import jakarta.servlet.http.HttpSession;
 
 import org.springframework.http.HttpMethod;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.RequestMatcherFactory;
@@ -92,7 +93,7 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#logout()
+	 * @see HttpSecurity#logout(Customizer)
 	 */
 	public LogoutConfigurer() {
 	}
@@ -145,12 +146,12 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 	 * (i.e. log out) to protect against
 	 * <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF
 	 * attacks</a>. If you really want to use an HTTP GET, you can use
-	 * <code>logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"));</code>
+	 * <code>logoutRequestMatcher(PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GEt, logoutUrl));</code>
 	 * </p>
 	 * @param logoutUrl the URL that will invoke logout.
 	 * @return the {@link LogoutConfigurer} for further customization
 	 * @see #logoutRequestMatcher(RequestMatcher)
-	 * @see HttpSecurity#csrf()
+	 * @see HttpSecurity#csrf(Customizer)
 	 */
 	public LogoutConfigurer<H> logoutUrl(String logoutUrl) {
 		this.logoutRequestMatcher = null;

config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.config.annotation.web.configurers;
 
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -70,7 +71,7 @@ public final class SecurityContextConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#securityContext()
+	 * @see HttpSecurity#securityContext(Customizer)
 	 */
 	public SecurityContextConfigurer() {
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java

@@ -23,6 +23,7 @@ import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
@@ -66,7 +67,7 @@ public final class ServletApiConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#servletApi()
+	 * @see HttpSecurity#servletApi(Customizer)
 	 */
 	public ServletApiConfigurer() {
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java

@@ -152,7 +152,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 
 	/**
 	 * Creates a new instance
-	 * @see HttpSecurity#sessionManagement()
+	 * @see HttpSecurity#sessionManagement(Customizer)
 	 */
 	public SessionManagementConfigurer() {
 	}
@@ -775,17 +775,6 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
-		/**
-		 * Used to chain back to the {@link SessionManagementConfigurer}
-		 * @return the {@link SessionManagementConfigurer} for further customizations
-		 * @deprecated For removal in 7.0. Use {@link #sessionConcurrency(Customizer)}
-		 * instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public SessionManagementConfigurer<H> and() {
-			return SessionManagementConfigurer.this;
-		}
-
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -203,6 +203,7 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 		return authorities;
 	}
 
+	@Deprecated
 	public final class StandardInterceptUrlRegistry extends
 			UrlAuthorizationConfigurer<H>.AbstractInterceptUrlRegistry<StandardInterceptUrlRegistry, AuthorizedUrl> {
 
@@ -247,7 +248,7 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 		}
 
 		public H and() {
-			return UrlAuthorizationConfigurer.this.and();
+			return UrlAuthorizationConfigurer.this.getBuilder();
 		}
 
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java

@@ -46,6 +46,7 @@ import org.springframework.security.web.webauthn.registration.DefaultWebAuthnReg
 import org.springframework.security.web.webauthn.registration.PublicKeyCredentialCreationOptionsFilter;
 import org.springframework.security.web.webauthn.registration.PublicKeyCredentialCreationOptionsRepository;
 import org.springframework.security.web.webauthn.registration.WebAuthnRegistrationFilter;
+import org.springframework.util.Assert;
 
 /**
  * Configures WebAuthn for Spring Security applications
@@ -75,6 +76,7 @@ public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @return the {@link WebAuthnConfigurer} for further customization
 	 */
 	public WebAuthnConfigurer<H> rpId(String rpId) {
+		Assert.hasText(rpId, "rpId be null or empty");
 		this.rpId = rpId;
 		return this;
 	}
@@ -85,6 +87,7 @@ public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @return the {@link WebAuthnConfigurer} for further customization
 	 */
 	public WebAuthnConfigurer<H> rpName(String rpName) {
+		Assert.hasText(rpName, "rpName can't be null or empty");
 		this.rpName = rpName;
 		return this;
 	}
@@ -106,6 +109,7 @@ public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @see #allowedOrigins(String...)
 	 */
 	public WebAuthnConfigurer<H> allowedOrigins(Set<String> allowedOrigins) {
+		Assert.notNull(allowedOrigins, "allowedOrigins can't be null");
 		this.allowedOrigins = allowedOrigins;
 		return this;
 	}
@@ -129,6 +133,7 @@ public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @return the {@link WebAuthnConfigurer} for further customization
 	 */
 	public WebAuthnConfigurer<H> messageConverter(HttpMessageConverter<Object> converter) {
+		Assert.notNull(converter, "converter can't be null");
 		this.converter = converter;
 		return this;
 	}
@@ -140,15 +145,15 @@ public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>
 	 */
 	public WebAuthnConfigurer<H> creationOptionsRepository(
 			PublicKeyCredentialCreationOptionsRepository creationOptionsRepository) {
+		Assert.notNull(creationOptionsRepository, "creationOptionsRepository can't be null");
 		this.creationOptionsRepository = creationOptionsRepository;
 		return this;
 	}
 
 	@Override
 	public void configure(H http) throws Exception {
-		UserDetailsService userDetailsService = getSharedOrBean(http, UserDetailsService.class).orElseGet(() -> {
-			throw new IllegalStateException("Missing UserDetailsService Bean");
-		});
+		UserDetailsService userDetailsService = getSharedOrBean(http, UserDetailsService.class)
+			.orElseThrow(() -> new IllegalStateException("Missing UserDetailsService Bean"));
 		PublicKeyCredentialUserEntityRepository userEntities = getSharedOrBean(http,
 				PublicKeyCredentialUserEntityRepository.class)
 			.orElse(userEntityRepository());
@@ -238,12 +243,9 @@ public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>
 			PublicKeyCredentialUserEntityRepository userEntities, UserCredentialRepository userCredentials) {
 		Optional<WebAuthnRelyingPartyOperations> webauthnOperationsBean = getBeanOrNull(
 				WebAuthnRelyingPartyOperations.class);
-		if (webauthnOperationsBean.isPresent()) {
-			return webauthnOperationsBean.get();
-		}
-		Webauthn4JRelyingPartyOperations result = new Webauthn4JRelyingPartyOperations(userEntities, userCredentials,
-				PublicKeyCredentialRpEntity.builder().id(this.rpId).name(this.rpName).build(), this.allowedOrigins);
-		return result;
+		return webauthnOperationsBean.orElseGet(() -> new Webauthn4JRelyingPartyOperations(userEntities,
+				userCredentials, PublicKeyCredentialRpEntity.builder().id(this.rpId).name(this.rpName).build(),
+				this.allowedOrigins));
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@ import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.Authentication;
@@ -90,7 +91,7 @@ public final class X509Configurer<H extends HttpSecurityBuilder<H>>
 	/**
 	 * Creates a new instance
 	 *
-	 * @see HttpSecurity#x509()
+	 * @see HttpSecurity#x509(Customizer)
 	 */
 	public X509Configurer() {
 	}
@@ -161,7 +162,10 @@ public final class X509Configurer<H extends HttpSecurityBuilder<H>>
 	 * @param subjectPrincipalRegex the regex to extract the user principal from the
 	 * certificate (i.e. "CN=(.*?)(?:,|$)").
 	 * @return the {@link X509Configurer} for further customizations
+	 * @deprecated Please use {{@link #x509PrincipalExtractor(X509PrincipalExtractor)}
+	 * instead
 	 */
+	@Deprecated
 	public X509Configurer<H> subjectPrincipalRegex(String subjectPrincipalRegex) {
 		SubjectDnX509PrincipalExtractor principalExtractor = new SubjectDnX509PrincipalExtractor();
 		principalExtractor.setSubjectDnRegex(subjectPrincipalRegex);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java

@@ -141,18 +141,6 @@ public final class OAuth2ClientConfigurer<B extends HttpSecurityBuilder<B>>
 		return this;
 	}
 
-	/**
-	 * Returns the {@link AuthorizationCodeGrantConfigurer} for configuring the OAuth 2.0
-	 * Authorization Code Grant.
-	 * @return the {@link AuthorizationCodeGrantConfigurer}
-	 * @deprecated For removal in 7.0. Use {@link #authorizationCodeGrant(Customizer)}
-	 * instead
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public AuthorizationCodeGrantConfigurer authorizationCodeGrant() {
-		return this.authorizationCodeGrantConfigurer;
-	}
-
 	/**
 	 * Configures the OAuth 2.0 Authorization Code Grant.
 	 * @param authorizationCodeGrantCustomizer the {@link Customizer} to provide more
@@ -242,17 +230,6 @@ public final class OAuth2ClientConfigurer<B extends HttpSecurityBuilder<B>>
 			return this;
 		}
 
-		/**
-		 * Returns the {@link OAuth2ClientConfigurer} for further configuration.
-		 * @return the {@link OAuth2ClientConfigurer}
-		 * @deprecated For removal in 7.0. Use {@link #authorizationCodeGrant(Customizer)}
-		 * instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public OAuth2ClientConfigurer<B> and() {
-			return OAuth2ClientConfigurer.this;
-		}
-
 		private void init(B builder) {
 			OAuth2AuthorizationCodeAuthenticationProvider authorizationCodeAuthenticationProvider = new OAuth2AuthorizationCodeAuthenticationProvider(
 					getAccessTokenResponseClient());

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -57,6 +57,7 @@ import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationC
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
 import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider;
+import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizedClientRefreshedEventListener;
 import org.springframework.security.oauth2.client.oidc.session.InMemoryOidcSessionRegistry;
 import org.springframework.security.oauth2.client.oidc.session.OidcSessionInformation;
 import org.springframework.security.oauth2.client.oidc.session.OidcSessionRegistry;
@@ -90,6 +91,7 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
 import org.springframework.security.web.authentication.session.SessionAuthenticationException;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
+import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
@@ -153,7 +155,7 @@ import org.springframework.util.ReflectionUtils;
  * @author Kazuki Shimizu
  * @author Ngoc Nhan
  * @since 5.0
- * @see HttpSecurity#oauth2Login()
+ * @see HttpSecurity#oauth2Login(Customizer)
  * @see OAuth2AuthorizationRequestRedirectFilter
  * @see OAuth2LoginAuthenticationFilter
  * @see ClientRegistrationRepository
@@ -244,18 +246,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		return this;
 	}
 
-	/**
-	 * Returns the {@link AuthorizationEndpointConfig} for configuring the Authorization
-	 * Server's Authorization Endpoint.
-	 * @return the {@link AuthorizationEndpointConfig}
-	 * @deprecated For removal in 7.0. Use {@link #authorizationEndpoint(Customizer)}
-	 * instead
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public AuthorizationEndpointConfig authorizationEndpoint() {
-		return this.authorizationEndpointConfig;
-	}
-
 	/**
 	 * Configures the Authorization Server's Authorization Endpoint.
 	 * @param authorizationEndpointCustomizer the {@link Customizer} to provide more
@@ -268,21 +258,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		return this;
 	}
 
-	/**
-	 * Returns the {@link TokenEndpointConfig} for configuring the Authorization Server's
-	 * Token Endpoint.
-	 * @return the {@link TokenEndpointConfig}
-	 * @deprecated For removal in 7.0. Use {@link #tokenEndpoint(Customizer)} or
-	 * {@code tokenEndpoint(Customizer.withDefaults())} to stick with defaults. See the
-	 * <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public TokenEndpointConfig tokenEndpoint() {
-		return this.tokenEndpointConfig;
-	}
-
 	/**
 	 * Configures the Authorization Server's Token Endpoint.
 	 * @param tokenEndpointCustomizer the {@link Customizer} to provide more options for
@@ -295,18 +270,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		return this;
 	}
 
-	/**
-	 * Returns the {@link RedirectionEndpointConfig} for configuring the Client's
-	 * Redirection Endpoint.
-	 * @return the {@link RedirectionEndpointConfig}
-	 * @deprecated For removal in 7.0. Use {@link #redirectionEndpoint(Customizer)}
-	 * instead
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public RedirectionEndpointConfig redirectionEndpoint() {
-		return this.redirectionEndpointConfig;
-	}
-
 	/**
 	 * Configures the Client's Redirection Endpoint.
 	 * @param redirectionEndpointCustomizer the {@link Customizer} to provide more options
@@ -319,21 +282,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		return this;
 	}
 
-	/**
-	 * Returns the {@link UserInfoEndpointConfig} for configuring the Authorization
-	 * Server's UserInfo Endpoint.
-	 * @return the {@link UserInfoEndpointConfig}
-	 * @deprecated For removal in 7.0. Use {@link #userInfoEndpoint(Customizer)} or
-	 * {@code userInfoEndpoint(Customizer.withDefaults())} to stick with defaults. See the
-	 * <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public UserInfoEndpointConfig userInfoEndpoint() {
-		return this.userInfoEndpointConfig;
-	}
-
 	/**
 	 * Configures the Authorization Server's UserInfo Endpoint.
 	 * @param userInfoEndpointCustomizer the {@link Customizer} to provide more options
@@ -349,6 +297,8 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	public void init(B http) throws Exception {
 		OAuth2LoginAuthenticationFilter authenticationFilter = new OAuth2LoginAuthenticationFilter(
 				this.getClientRegistrationRepository(), this.getAuthorizedClientRepository(), this.loginProcessingUrl);
+		RequestMatcher processUri = RequestMatcherFactory.matcher(this.loginProcessingUrl);
+		authenticationFilter.setRequiresAuthenticationRequestMatcher(processUri);
 		authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 		this.setAuthenticationFilter(authenticationFilter);
 		super.loginProcessingUrl(this.loginProcessingUrl);
@@ -386,14 +336,24 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 			OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService = getOidcUserService();
 			OidcAuthorizationCodeAuthenticationProvider oidcAuthorizationCodeAuthenticationProvider = new OidcAuthorizationCodeAuthenticationProvider(
 					accessTokenResponseClient, oidcUserService);
+			OidcAuthorizedClientRefreshedEventListener oidcAuthorizedClientRefreshedEventListener = new OidcAuthorizedClientRefreshedEventListener();
+			oidcAuthorizedClientRefreshedEventListener.setUserService(oidcUserService);
+			oidcAuthorizedClientRefreshedEventListener
+				.setApplicationEventPublisher(http.getSharedObject(ApplicationContext.class));
+
 			JwtDecoderFactory<ClientRegistration> jwtDecoderFactory = this.getJwtDecoderFactoryBean();
 			if (jwtDecoderFactory != null) {
 				oidcAuthorizationCodeAuthenticationProvider.setJwtDecoderFactory(jwtDecoderFactory);
+				oidcAuthorizedClientRefreshedEventListener.setJwtDecoderFactory(jwtDecoderFactory);
 			}
 			if (userAuthoritiesMapper != null) {
 				oidcAuthorizationCodeAuthenticationProvider.setAuthoritiesMapper(userAuthoritiesMapper);
+				oidcAuthorizedClientRefreshedEventListener.setAuthoritiesMapper(userAuthoritiesMapper);
 			}
 			http.authenticationProvider(this.postProcess(oidcAuthorizationCodeAuthenticationProvider));
+
+			registerDelegateApplicationListener(this.postProcess(oidcAuthorizedClientRefreshedEventListener));
+			configureOidcUserRefreshedEventListener(http);
 		}
 		else {
 			http.authenticationProvider(new OidcAuthenticationRequestChecker());
@@ -420,7 +380,8 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		http.addFilter(this.postProcess(authorizationRequestFilter));
 		OAuth2LoginAuthenticationFilter authenticationFilter = this.getAuthenticationFilter();
 		if (this.redirectionEndpointConfig.authorizationResponseBaseUri != null) {
-			authenticationFilter.setFilterProcessesUrl(this.redirectionEndpointConfig.authorizationResponseBaseUri);
+			authenticationFilter.setRequiresAuthenticationRequestMatcher(
+					RequestMatcherFactory.matcher(this.redirectionEndpointConfig.authorizationResponseBaseUri));
 		}
 		if (this.authorizationEndpointConfig.authorizationRequestRepository != null) {
 			authenticationFilter
@@ -621,6 +582,16 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		registerDelegateApplicationListener(listener);
 	}
 
+	private void configureOidcUserRefreshedEventListener(B http) {
+		OidcUserRefreshedEventListener oidcUserRefreshedEventListener = new OidcUserRefreshedEventListener();
+		oidcUserRefreshedEventListener.setSecurityContextHolderStrategy(this.getSecurityContextHolderStrategy());
+		SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
+		if (securityContextRepository != null) {
+			oidcUserRefreshedEventListener.setSecurityContextRepository(securityContextRepository);
+		}
+		registerDelegateApplicationListener(oidcUserRefreshedEventListener);
+	}
+
 	private void registerDelegateApplicationListener(ApplicationListener<?> delegate) {
 		DelegatingApplicationListener delegating = getBeanOrNull(
 				ResolvableType.forType(DelegatingApplicationListener.class));
@@ -697,17 +668,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 			return this;
 		}
 
-		/**
-		 * Returns the {@link OAuth2LoginConfigurer} for further configuration.
-		 * @return the {@link OAuth2LoginConfigurer}
-		 * @deprecated For removal in 7.0. Use {@link #authorizationEndpoint(Customizer)}
-		 * instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public OAuth2LoginConfigurer<B> and() {
-			return OAuth2LoginConfigurer.this;
-		}
-
 	}
 
 	/**
@@ -734,20 +694,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 			return this;
 		}
 
-		/**
-		 * Returns the {@link OAuth2LoginConfigurer} for further configuration.
-		 * @return the {@link OAuth2LoginConfigurer}
-		 * @deprecated For removal in 7.0. Use {@link #tokenEndpoint(Customizer)} or
-		 * {@code tokenEndpoint(Customizer.withDefaults())} to stick with defaults. See
-		 * the <a href=
-		 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-		 * for more details.
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public OAuth2LoginConfigurer<B> and() {
-			return OAuth2LoginConfigurer.this;
-		}
-
 	}
 
 	/**
@@ -772,17 +718,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 			return this;
 		}
 
-		/**
-		 * Returns the {@link OAuth2LoginConfigurer} for further configuration.
-		 * @return the {@link OAuth2LoginConfigurer}
-		 * @deprecated For removal in 7.0. Use {@link #redirectionEndpoint(Customizer)}
-		 * instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public OAuth2LoginConfigurer<B> and() {
-			return OAuth2LoginConfigurer.this;
-		}
-
 	}
 
 	/**
@@ -837,17 +772,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 			return this;
 		}
 
-		/**
-		 * Returns the {@link OAuth2LoginConfigurer} for further configuration.
-		 * @return the {@link OAuth2LoginConfigurer}
-		 * @deprecated For removal in 7.0. Use {@link #userInfoEndpoint(Customizer)}
-		 * instead
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public OAuth2LoginConfigurer<B> and() {
-			return OAuth2LoginConfigurer.this;
-		}
-
 	}
 
 	private static class OidcAuthenticationRequestChecker implements AuthenticationProvider {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutAuthenticationProvider.java

@@ -18,11 +18,6 @@ package org.springframework.security.config.annotation.web.configurers.oauth2.cl
 
 import java.util.function.Function;
 
-import com.nimbusds.jose.JOSEObjectType;
-import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
-import com.nimbusds.jose.proc.JOSEObjectTypeVerifier;
-import com.nimbusds.jose.proc.SecurityContext;
-
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
@@ -38,6 +33,7 @@ import org.springframework.security.oauth2.jwt.BadJwtException;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
+import org.springframework.security.oauth2.jwt.JwtTypeValidator;
 import org.springframework.security.oauth2.jwt.JwtValidators;
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.util.Assert;
@@ -67,8 +63,10 @@ final class OidcBackChannelLogoutAuthenticationProvider implements Authenticatio
 	 * Construct an {@link OidcBackChannelLogoutAuthenticationProvider}
 	 */
 	OidcBackChannelLogoutAuthenticationProvider() {
+		JwtTypeValidator type = new JwtTypeValidator("JWT", "logout+jwt");
+		type.setAllowEmpty(true);
 		Function<ClientRegistration, OAuth2TokenValidator<Jwt>> jwtValidator = (clientRegistration) -> JwtValidators
-			.createDefaultWithValidators(new OidcBackChannelLogoutTokenValidator(clientRegistration));
+			.createDefaultWithValidators(type, new OidcBackChannelLogoutTokenValidator(clientRegistration));
 		this.logoutTokenDecoderFactory = (clientRegistration) -> {
 			String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
 			if (!StringUtils.hasText(jwkSetUri)) {
@@ -79,11 +77,7 @@ final class OidcBackChannelLogoutAuthenticationProvider implements Authenticatio
 						null);
 				throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
 			}
-			JOSEObjectTypeVerifier<SecurityContext> typeVerifier = new DefaultJOSEObjectTypeVerifier<>(null,
-					JOSEObjectType.JWT, new JOSEObjectType("logout+jwt"));
-			NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
-				.jwtProcessorCustomizer((processor) -> processor.setJWSTypeVerifier(typeVerifier))
-				.build();
+			NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
 			decoder.setJwtValidator(jwtValidator.apply(clientRegistration));
 			decoder.setClaimSetConverter(OidcIdTokenDecoderFactory.createDefaultClaimTypeConverter());
 			return decoder;

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutHandler.java

@@ -127,7 +127,7 @@ public final class OidcBackChannelLogoutHandler implements LogoutHandler {
 	String computeLogoutEndpoint(HttpServletRequest request, OidcBackChannelLogoutAuthentication token) {
 		// @formatter:off
 		UriComponents uriComponents = UriComponentsBuilder
-				.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
+				.fromUriString(UrlUtils.buildFullRequestUrl(request))
 				.replacePath(request.getContextPath())
 				.replaceQuery(null)
 				.fragment(null)

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutAuthenticationConverter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,13 +20,14 @@ import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import org.springframework.http.HttpMethod;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.web.authentication.AuthenticationConverter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
@@ -45,7 +46,8 @@ final class OidcLogoutAuthenticationConverter implements AuthenticationConverter
 
 	private final ClientRegistrationRepository clientRegistrationRepository;
 
-	private RequestMatcher requestMatcher = new AntPathRequestMatcher(DEFAULT_LOGOUT_URI, "POST");
+	private RequestMatcher requestMatcher = PathPatternRequestMatcher.withDefaults()
+		.matcher(HttpMethod.POST, DEFAULT_LOGOUT_URI);
 
 	OidcLogoutAuthenticationConverter(ClientRegistrationRepository clientRegistrationRepository) {
 		Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java

@@ -111,11 +111,6 @@ public final class OidcLogoutConfigurer<B extends HttpSecurityBuilder<B>>
 		return this;
 	}
 
-	@Deprecated(forRemoval = true, since = "6.2")
-	public B and() {
-		return getBuilder();
-	}
-
 	@Override
 	public void configure(B builder) throws Exception {
 		if (this.backChannel != null) {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcUserRefreshedEventListener.java

@@ -0,0 +1,86 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configurers.oauth2.client;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.context.ApplicationListener;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.security.oauth2.client.oidc.authentication.event.OidcUserRefreshedEvent;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.util.Assert;
+import org.springframework.web.context.request.RequestAttributes;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+/**
+ * An {@link ApplicationListener} that listens for events of type
+ * {@link OidcUserRefreshedEvent} and refreshes the {@link SecurityContext}.
+ *
+ * @author Steve Riesenberg
+ * @since 6.5
+ * @see org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizedClientRefreshedEventListener
+ */
+final class OidcUserRefreshedEventListener implements ApplicationListener<OidcUserRefreshedEvent> {
+
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+		.getContextHolderStrategy();
+
+	private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();
+
+	@Override
+	public void onApplicationEvent(OidcUserRefreshedEvent event) {
+		SecurityContext securityContext = this.securityContextHolderStrategy.createEmptyContext();
+		securityContext.setAuthentication(event.getAuthentication());
+		this.securityContextHolderStrategy.setContext(securityContext);
+
+		RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
+		if (!(requestAttributes instanceof ServletRequestAttributes servletRequestAttributes)) {
+			return;
+		}
+
+		HttpServletRequest request = servletRequestAttributes.getRequest();
+		HttpServletResponse response = servletRequestAttributes.getResponse();
+		this.securityContextRepository.saveContext(securityContext, request, response);
+	}
+
+	/**
+	 * Sets the {@link SecurityContextHolderStrategy} to use. The default action is to use
+	 * the {@link SecurityContextHolderStrategy} stored in {@link SecurityContextHolder}.
+	 * @param securityContextHolderStrategy the {@link SecurityContextHolderStrategy} to
+	 * use
+	 */
+	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
+	/**
+	 * Sets the {@link SecurityContextRepository} to save the {@link SecurityContext} upon
+	 * receiving an {@link OidcUserRefreshedEvent}.
+	 * @param securityContextRepository the {@link SecurityContextRepository} to use
+	 */
+	void setSecurityContextRepository(SecurityContextRepository securityContextRepository) {
+		Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
+		this.securityContextRepository = securityContextRepository;
+	}
+
+}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/DPoPAuthenticationConfigurer.java

@@ -17,39 +17,54 @@
 package org.springframework.security.config.annotation.web.configurers.oauth2.server.resource;
 
 import java.util.Collections;
+import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationManagerResolver;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
 import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationProvider;
 import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationToken;
+import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationFilter;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
-import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
+import org.springframework.web.context.request.RequestAttributes;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 /**
+ * An {@link AbstractHttpConfigurer} for OAuth 2.0 Demonstrating Proof of Possession
+ * (DPoP) support.
+ *
  * @author Joe Grandja
  * @since 6.5
  * @see DPoPAuthenticationProvider
+ * @see <a target="_blank" href="https://datatracker.ietf.org/doc/html/rfc9449">RFC 9449
+ * OAuth 2.0 Demonstrating Proof of Possession (DPoP)</a>
  */
 final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>>
 		extends AbstractHttpConfigurer<DPoPAuthenticationConfigurer<B>, B> {
@@ -65,7 +80,7 @@ final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>>
 	@Override
 	public void configure(B http) {
 		AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
-		http.authenticationProvider(new DPoPAuthenticationProvider(authenticationManager));
+		http.authenticationProvider(new DPoPAuthenticationProvider(getTokenAuthenticationManager(http)));
 		AuthenticationFilter authenticationFilter = new AuthenticationFilter(authenticationManager,
 				getAuthenticationConverter());
 		authenticationFilter.setRequestMatcher(getRequestMatcher());
@@ -76,6 +91,23 @@ final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>>
 		http.addFilter(authenticationFilter);
 	}
 
+	private AuthenticationManager getTokenAuthenticationManager(B http) {
+		OAuth2ResourceServerConfigurer<B> resourceServerConfigurer = http
+			.getConfigurer(OAuth2ResourceServerConfigurer.class);
+		final AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver = resourceServerConfigurer
+			.getAuthenticationManagerResolver();
+		if (authenticationManagerResolver == null) {
+			return resourceServerConfigurer.getAuthenticationManager(http);
+		}
+		return (authentication) -> {
+			RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
+			ServletRequestAttributes servletRequestAttributes = (ServletRequestAttributes) requestAttributes;
+			AuthenticationManager authenticationManager = authenticationManagerResolver
+				.resolve(servletRequestAttributes.getRequest());
+			return authenticationManager.authenticate(authentication);
+		};
+	}
+
 	private RequestMatcher getRequestMatcher() {
 		if (this.requestMatcher == null) {
 			this.requestMatcher = new DPoPRequestMatcher();
@@ -102,7 +134,7 @@ final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>>
 	private AuthenticationFailureHandler getAuthenticationFailureHandler() {
 		if (this.authenticationFailureHandler == null) {
 			this.authenticationFailureHandler = new AuthenticationEntryPointFailureHandler(
-					new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
+					new DPoPAuthenticationEntryPoint());
 		}
 		return this.authenticationFailureHandler;
 	}
@@ -161,4 +193,47 @@ final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>>
 
 	}
 
+	private static final class DPoPAuthenticationEntryPoint implements AuthenticationEntryPoint {
+
+		@Override
+		public void commence(HttpServletRequest request, HttpServletResponse response,
+				AuthenticationException authenticationException) {
+			Map<String, String> parameters = new LinkedHashMap<>();
+			if (authenticationException instanceof OAuth2AuthenticationException oauth2AuthenticationException) {
+				OAuth2Error error = oauth2AuthenticationException.getError();
+				parameters.put(OAuth2ParameterNames.ERROR, error.getErrorCode());
+				if (StringUtils.hasText(error.getDescription())) {
+					parameters.put(OAuth2ParameterNames.ERROR_DESCRIPTION, error.getDescription());
+				}
+				if (StringUtils.hasText(error.getUri())) {
+					parameters.put(OAuth2ParameterNames.ERROR_URI, error.getUri());
+				}
+			}
+			parameters.put("algs",
+					JwsAlgorithms.RS256 + " " + JwsAlgorithms.RS384 + " " + JwsAlgorithms.RS512 + " "
+							+ JwsAlgorithms.PS256 + " " + JwsAlgorithms.PS384 + " " + JwsAlgorithms.PS512 + " "
+							+ JwsAlgorithms.ES256 + " " + JwsAlgorithms.ES384 + " " + JwsAlgorithms.ES512);
+			String wwwAuthenticate = toWWWAuthenticateHeader(parameters);
+			response.addHeader(HttpHeaders.WWW_AUTHENTICATE, wwwAuthenticate);
+			response.setStatus(HttpStatus.UNAUTHORIZED.value());
+		}
+
+		private static String toWWWAuthenticateHeader(Map<String, String> parameters) {
+			StringBuilder wwwAuthenticate = new StringBuilder();
+			wwwAuthenticate.append(OAuth2AccessToken.TokenType.DPOP.getValue());
+			if (!parameters.isEmpty()) {
+				wwwAuthenticate.append(" ");
+				int i = 0;
+				for (Map.Entry<String, String> entry : parameters.entrySet()) {
+					wwwAuthenticate.append(entry.getKey()).append("=\"").append(entry.getValue()).append("\"");
+					if (i++ != parameters.size() - 1) {
+						wwwAuthenticate.append(", ");
+					}
+				}
+			}
+			return wwwAuthenticate.toString();
+		}
+
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -37,6 +37,7 @@ import org.springframework.security.config.annotation.web.configurers.AbstractHt
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
@@ -49,13 +50,14 @@ import org.springframework.security.oauth2.server.resource.introspection.OpaqueT
 import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
-import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
 import org.springframework.security.oauth2.server.resource.web.access.BearerTokenAccessDeniedHandler;
+import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
 import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
+import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.csrf.CsrfException;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
 import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
@@ -156,7 +158,7 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 
 	private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;
 
-	private BearerTokenResolver bearerTokenResolver;
+	private AuthenticationConverter authenticationConverter;
 
 	private JwtConfigurer jwtConfigurer;
 
@@ -196,22 +198,20 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 
 	public OAuth2ResourceServerConfigurer<H> bearerTokenResolver(BearerTokenResolver bearerTokenResolver) {
 		Assert.notNull(bearerTokenResolver, "bearerTokenResolver cannot be null");
-		this.bearerTokenResolver = bearerTokenResolver;
+		this.authenticationConverter = new BearerTokenResolverHoldingAuthenticationConverter(bearerTokenResolver);
 		return this;
 	}
 
 	/**
-	 * @deprecated For removal in 7.0. Use {@link #jwt(Customizer)} or
-	 * {@code jwt(Customizer.withDefaults())} to stick with defaults. See the <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
+	 * Sets the {@link AuthenticationConverter} to use.
+	 * @param authenticationConverter the authentication converter
+	 * @return the {@link OAuth2ResourceServerConfigurer} for further configuration
+	 * @since 7.0
 	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public JwtConfigurer jwt() {
-		if (this.jwtConfigurer == null) {
-			this.jwtConfigurer = new JwtConfigurer(this.context);
-		}
-		return this.jwtConfigurer;
+	public OAuth2ResourceServerConfigurer<H> authenticationConverter(AuthenticationConverter authenticationConverter) {
+		Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
+		this.authenticationConverter = authenticationConverter;
+		return this;
 	}
 
 	/**
@@ -228,21 +228,6 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		return this;
 	}
 
-	/**
-	 * @deprecated For removal in 7.0. Use {@link #opaqueToken(Customizer)} or
-	 * {@code opaqueToken(Customizer.withDefaults())} to stick with defaults. See the
-	 * <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public OpaqueTokenConfigurer opaqueToken() {
-		if (this.opaqueTokenConfigurer == null) {
-			this.opaqueTokenConfigurer = new OpaqueTokenConfigurer(this.context);
-		}
-		return this.opaqueTokenConfigurer;
-	}
-
 	/**
 	 * Enables opaque bearer token support.
 	 * @param opaqueTokenCustomizer the {@link Customizer} to provide more options for the
@@ -271,16 +256,15 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 
 	@Override
 	public void configure(H http) {
-		BearerTokenResolver bearerTokenResolver = getBearerTokenResolver();
-		this.requestMatcher.setBearerTokenResolver(bearerTokenResolver);
 		AuthenticationManagerResolver resolver = this.authenticationManagerResolver;
 		if (resolver == null) {
 			AuthenticationManager authenticationManager = getAuthenticationManager(http);
 			resolver = (request) -> authenticationManager;
 		}
 
-		BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(resolver);
-		filter.setBearerTokenResolver(bearerTokenResolver);
+		AuthenticationConverter converter = getAuthenticationConverter();
+		this.requestMatcher.setAuthenticationConverter(converter);
+		BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(resolver, converter);
 		filter.setAuthenticationEntryPoint(this.authenticationEntryPoint);
 		filter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 		filter = postProcess(filter);
@@ -363,16 +347,33 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		return http.getSharedObject(AuthenticationManager.class);
 	}
 
-	BearerTokenResolver getBearerTokenResolver() {
-		if (this.bearerTokenResolver == null) {
-			if (this.context.getBeanNamesForType(BearerTokenResolver.class).length > 0) {
-				this.bearerTokenResolver = this.context.getBean(BearerTokenResolver.class);
-			}
-			else {
-				this.bearerTokenResolver = new DefaultBearerTokenResolver();
-			}
+	AuthenticationManagerResolver<HttpServletRequest> getAuthenticationManagerResolver() {
+		return this.authenticationManagerResolver;
+	}
+
+	AuthenticationConverter getAuthenticationConverter() {
+		if (this.authenticationConverter != null) {
+			return this.authenticationConverter;
 		}
-		return this.bearerTokenResolver;
+		if (this.context.getBeanNamesForType(AuthenticationConverter.class).length > 0) {
+			this.authenticationConverter = this.context.getBean(AuthenticationConverter.class);
+		}
+		else if (this.context.getBeanNamesForType(BearerTokenResolver.class).length > 0) {
+			BearerTokenResolver bearerTokenResolver = this.context.getBean(BearerTokenResolver.class);
+			this.authenticationConverter = new BearerTokenResolverHoldingAuthenticationConverter(bearerTokenResolver);
+		}
+		else {
+			this.authenticationConverter = new BearerTokenAuthenticationConverter();
+		}
+		return this.authenticationConverter;
+	}
+
+	BearerTokenResolver getBearerTokenResolver() {
+		AuthenticationConverter authenticationConverter = getAuthenticationConverter();
+		if (authenticationConverter instanceof OAuth2ResourceServerConfigurer.BearerTokenResolverHoldingAuthenticationConverter bearer) {
+			return bearer.bearerTokenResolver;
+		}
+		return null;
 	}
 
 	public class JwtConfigurer {
@@ -411,17 +412,6 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 			return this;
 		}
 
-		/**
-		 * @deprecated For removal in 7.0. Use {@link #jwt(Customizer)} or
-		 * {@code jwt(Customizer.withDefaults())} to stick with defaults. See the <a href=
-		 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-		 * for more details.
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public OAuth2ResourceServerConfigurer<H> and() {
-			return OAuth2ResourceServerConfigurer.this;
-		}
-
 		Converter<Jwt, ? extends AbstractAuthenticationToken> getJwtAuthenticationConverter() {
 			if (this.jwtAuthenticationConverter == null) {
 				if (this.context.getBeanNamesForType(JwtAuthenticationConverter.class).length > 0) {
@@ -560,21 +550,41 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 
 	private static final class BearerTokenRequestMatcher implements RequestMatcher {
 
-		private BearerTokenResolver bearerTokenResolver;
+		private AuthenticationConverter authenticationConverter;
 
 		@Override
 		public boolean matches(HttpServletRequest request) {
 			try {
-				return this.bearerTokenResolver.resolve(request) != null;
+				return this.authenticationConverter.convert(request) != null;
 			}
 			catch (OAuth2AuthenticationException ex) {
 				return false;
 			}
 		}
 
-		void setBearerTokenResolver(BearerTokenResolver tokenResolver) {
-			Assert.notNull(tokenResolver, "resolver cannot be null");
-			this.bearerTokenResolver = tokenResolver;
+		void setAuthenticationConverter(AuthenticationConverter authenticationConverter) {
+			Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
+			this.authenticationConverter = authenticationConverter;
+		}
+
+	}
+
+	private static final class BearerTokenResolverHoldingAuthenticationConverter implements AuthenticationConverter {
+
+		private final BearerTokenResolver bearerTokenResolver;
+
+		private final AuthenticationConverter authenticationConverter;
+
+		BearerTokenResolverHoldingAuthenticationConverter(BearerTokenResolver bearerTokenResolver) {
+			this.bearerTokenResolver = bearerTokenResolver;
+			BearerTokenAuthenticationConverter authenticationConverter = new BearerTokenAuthenticationConverter();
+			authenticationConverter.setBearerTokenResolver(bearerTokenResolver);
+			this.authenticationConverter = authenticationConverter;
+		}
+
+		@Override
+		public Authentication convert(HttpServletRequest request) {
+			return this.authenticationConverter.convert(request);
 		}
 
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -27,6 +27,7 @@ import org.opensaml.core.Version;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.RequestMatcherFactory;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -111,7 +112,7 @@ import org.springframework.util.StringUtils;
  * </ul>
  *
  * @since 5.2
- * @see HttpSecurity#saml2Login()
+ * @see HttpSecurity#saml2Login(Customizer)
  * @see Saml2WebSsoAuthenticationFilter
  * @see Saml2WebSsoAuthenticationRequestFilter
  * @see RelyingPartyRegistrationRepository