Use authorizeHttpRequests

Issue gh-15174

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -331,8 +331,8 @@ public HttpSecurity cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.anyRequest().hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin((formLogin) -&gt;
@@ -465,8 +465,8 @@ public HttpSecurity portMapper(Customizer<PortMapperConfigurer<HttpSecurity>> po
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.jee((jee) -&gt;
@@ -545,8 +545,8 @@ public HttpSecurity jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer) t
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.x509(withDefaults());
@@ -582,8 +582,8 @@ public HttpSecurity x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
@@ -865,8 +865,8 @@ public HttpSecurity authorizeHttpRequests(
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.requestCache((requestCache) -&gt;
@@ -904,8 +904,8 @@ public HttpSecurity requestCache(Customizer<RequestCacheConfigurer<HttpSecurity>
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			// sample exception handling customization
@@ -1042,8 +1042,8 @@ public HttpSecurity csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
@@ -1098,8 +1098,8 @@ public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCust
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
@@ -1135,8 +1135,8 @@ public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCust
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
@@ -1188,8 +1188,8 @@ public HttpSecurity anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anon
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults());
@@ -1218,8 +1218,8 @@ public HttpSecurity anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anon
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin((formLogin) -&gt;
@@ -1298,8 +1298,8 @@ public HttpSecurity formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> form
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.anyRequest().authenticated()
 	 * 			)
 	 * 			.saml2Login(withDefaults());
@@ -1387,7 +1387,7 @@ public HttpSecurity saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> sa
 	 *		&#064;Bean
 	 *		public SecurityFilterChain web(HttpSecurity http) throws Exception {
 	 *			http
-	 *				.authorizeRequests((authorize) -&gt; authorize
+	 *				.authorizeHttpRequests((authorize) -&gt; authorize
 	 *					.anyRequest().authenticated()
 	 *				)
 	 *				.saml2Login(withDefaults())
@@ -1516,8 +1516,8 @@ public HttpSecurity saml2Metadata(Customizer<Saml2MetadataConfigurer<HttpSecurit
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.anyRequest().authenticated()
 	 * 			)
 	 * 			.oauth2Login(withDefaults());
@@ -1596,8 +1596,8 @@ public HttpSecurity oidcLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oi
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.anyRequest().authenticated()
 	 * 			)
 	 * 			.oauth2Client(withDefaults());
@@ -1635,8 +1635,8 @@ public HttpSecurity oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.anyRequest().authenticated()
 	 * 			)
 	 * 			.oauth2ResourceServer((oauth2ResourceServer) -&gt;
@@ -1731,8 +1731,8 @@ public HttpSecurity oneTimeTokenLogin(
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.formLogin(withDefaults())
@@ -1833,8 +1833,8 @@ public HttpSecurity redirectToHttps(
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests((authorizeRequests) -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.httpBasic(withDefaults());
@@ -1878,8 +1878,8 @@ public HttpSecurity httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> http
 	 * 	&#064;Bean
 	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeRequests(authorizeRequests -&gt;
-	 * 				authorizeRequests
+	 * 			.authorizeHttpRequests(authorizeHttpRequests -&gt;
+	 * 				authorizeHttpRequests
 	 * 					.requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
 	 * 			)
 	 * 			.passwordManagement(passwordManagement -&gt;

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java

@@ -99,11 +99,11 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
 			}
 			if (authorizationFilter != null && filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"It is not recommended to use authorizeRequests in the configuration. Please only use authorizeHttpRequests");
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests is deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;

config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java

@@ -126,11 +126,11 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
 			}
 			if (authorizationFilter != null && filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"It is not recommended to use authorizeRequests in the configuration. Please only use authorizeHttpRequests");
+						"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
 			}
 			if (filterSecurityInterceptor != null) {
 				this.logger.warn(
-						"Usage of authorizeRequests is deprecated. Please use authorizeHttpRequests in the configuration");
+						"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
 			}
 			authorizationFilter = null;
 			filterSecurityInterceptor = null;

config/src/main/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDsl.kt

@@ -40,7 +40,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher
  *     @Bean
  *     fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
  *         http {
- *             authorizeRequests {
+ *             authorizeHttpRequests {
  *                 authorize("/public", permitAll)
  *                 authorize(anyRequest, authenticated)
  *             }

config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java

@@ -52,7 +52,7 @@ public class SecurityConfig {
 	SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeRequests((requests) -> requests
+			.authorizeHttpRequests((requests) -> requests
 				.requestMatchers(pathPattern("/*")).permitAll())
 			.authenticationProvider(authenticationProvider());
 		// @formatter:on

config/src/test/java/org/springframework/security/config/annotation/sec2758/Sec2758Tests.java

@@ -38,7 +38,9 @@
 import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
+import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -84,11 +86,13 @@ public void methodSecurityWhenNullifyingRolePrefixThenPassivityRestored() {
 	static class SecurityConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, WebExpressionAuthorizationManager.Builder authz)
+				throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
-					.anyRequest().access("hasAnyRole('CUSTOM')"));
+				.authorizeHttpRequests((requests) -> requests
+					.anyRequest().access(authz.expression("hasAnyRole('CUSTOM')"))
+				);
 			return http.build();
 			// @formatter:on
 		}
@@ -103,6 +107,16 @@ static DefaultRolesPrefixPostProcessor defaultRolesPrefixPostProcessor() {
 			return new DefaultRolesPrefixPostProcessor();
 		}
 
+		@Bean
+		static WebExpressionAuthorizationManager.Builder authz(DefaultHttpSecurityExpressionHandler expressionHandler) {
+			return WebExpressionAuthorizationManager.withExpressionHandler(expressionHandler);
+		}
+
+		@Bean
+		static DefaultHttpSecurityExpressionHandler expressionHandler() {
+			return new DefaultHttpSecurityExpressionHandler();
+		}
+
 		@RestController
 		static class RootController {
 
@@ -140,6 +154,9 @@ public Object postProcessAfterInitialization(Object bean, String beanName) throw
 			if (bean instanceof DefaultWebSecurityExpressionHandler) {
 				((DefaultWebSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
 			}
+			if (bean instanceof DefaultHttpSecurityExpressionHandler http) {
+				http.setDefaultRolePrefix("");
+			}
 			return bean;
 		}
 

config/src/test/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistryAnyMatcherTests.java

@@ -85,7 +85,7 @@ static class AntMatchersAfterAnyRequestConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated()
 					.requestMatchers(pathPattern("/demo/**")).permitAll());
 			return http.build();
@@ -102,7 +102,7 @@ static class MvcMatchersAfterAnyRequestConfig {
 		SecurityFilterChain filterChain(HttpSecurity http, PathPatternRequestMatcher.Builder builder) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated()
 					.requestMatchers(builder.matcher("/demo/**")).permitAll());
 			return http.build();
@@ -119,7 +119,7 @@ static class RegexMatchersAfterAnyRequestConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated()
 					.requestMatchers(new RegexRequestMatcher(".*", null)).permitAll());
 			return http.build();
@@ -136,7 +136,7 @@ static class AnyRequestAfterItselfConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated()
 					.anyRequest().permitAll());
 			return http.build();
@@ -153,7 +153,7 @@ static class RequestMatchersAfterAnyRequestConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated()
 					.requestMatchers(pathPattern("/**")).permitAll());
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpConfigurationTests.java

@@ -152,7 +152,7 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 				.securityMatchers((security) -> security
 					.requestMatchers(pathPattern("/api/**"))
 					.requestMatchers(pathPattern("/oauth/**")))
-				.authorizeRequests((requests) -> requests
+				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().hasRole("USER"))
 				.httpBasic(withDefaults());
 			return http.build();

config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAuthenticationManagerTests.java

@@ -84,7 +84,7 @@ static class AuthenticationManagerConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests((authz) -> authz
+					.authorizeHttpRequests((authz) -> authz
 							.anyRequest().authenticated()
 					)
 					.httpBasic(withDefaults())
@@ -106,7 +106,7 @@ static class AuthenticationManagerBuilderConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests((authz) -> authz
+					.authorizeHttpRequests((authz) -> authz
 						.anyRequest().authenticated()
 					)
 					.httpBasic(withDefaults())