use-authorization-manager defaults to true

Closes spring-projectsgh-11929

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -716,12 +716,15 @@ private void createRequestCacheFilter() {
 	}
 
 	private void createFilterSecurity(BeanReference authManager) {
-		boolean useAuthorizationManager = Boolean.parseBoolean(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
-		if (useAuthorizationManager) {
+		if (StringUtils.hasText(this.httpElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
 			createAuthorizationFilter();
 			return;
 		}
-		if (StringUtils.hasText(this.httpElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
+		boolean useAuthorizationManager = true;
+		if (StringUtils.hasText(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
+			useAuthorizationManager = Boolean.parseBoolean(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
+		}
+		if (useAuthorizationManager) {
 			createAuthorizationFilter();
 			return;
 		}

config/src/main/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecorator.java

@@ -93,10 +93,13 @@ protected BeanDefinition createInterceptorDefinition(Node node) {
 
 		boolean supports(Node node) {
 			Element interceptMethodsElt = (Element) node;
-			if (Boolean.parseBoolean(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
+			if (StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
 				return true;
 			}
-			return StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_AUTHORIZATION_MGR));
+			if (StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
+				return Boolean.parseBoolean(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
+			}
+			return true;
 		}
 
 		private Pointcut pointcut(Element interceptorElt, Element protectElt) {

config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java

@@ -159,7 +159,10 @@ public BeanDefinition parse(Element element, ParserContext parserContext) {
 	}
 
 	private String parseAuthorization(Element element, ParserContext parserContext) {
-		boolean useAuthorizationManager = Boolean.parseBoolean(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR));
+		boolean useAuthorizationManager = true;
+		if (StringUtils.hasText(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR))) {
+			useAuthorizationManager = Boolean.parseBoolean(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR));
+		}
 		if (useAuthorizationManager) {
 			return parseAuthorizationManager(element, parserContext);
 		}

config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc

@@ -178,7 +178,7 @@ intercept-methods.attlist &=
 	## Optional AccessDecisionManager bean ID to be used by the created method security interceptor.
 	attribute access-decision-manager-ref {xsd:token}?
 intercept-methods.attlist &=
-	## Use the AuthorizationManager API instead of AccessDecisionManager (defaults to false)
+	## Use the AuthorizationManager API instead of AccessDecisionManager (defaults to true)
 	attribute use-authorization-manager {xsd:boolean}?
 intercept-methods.attlist &=
 	## Use this AuthorizationManager instead of the default (supercedes use-authorization-manager)
@@ -306,7 +306,7 @@ websocket-message-broker.attrlist &=
 	## Use this AuthorizationManager instead of deriving one from <intercept-message> elements
 	attribute authorization-manager-ref {xsd:string}?
 websocket-message-broker.attrlist &=
-	## Use AuthorizationManager API instead of SecurityMetadatasource
+	## Use AuthorizationManager API instead of SecurityMetadatasource (defaults to true)
 	attribute use-authorization-manager {xsd:boolean}?
 websocket-message-broker.attrlist &=
 	## Use this SecurityContextHolderStrategy (note only supported in conjunction with the AuthorizationManager API)
@@ -368,7 +368,7 @@ http.attlist &=
 	## If available, runs the request as the Subject acquired from the JaasAuthenticationToken. Defaults to "false".
 	attribute jaas-api-provision {xsd:boolean}?
 http.attlist &=
-	## Use AuthorizationManager API instead of SecurityMetadataSource
+	## Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
 	attribute use-authorization-manager {xsd:boolean}?
 http.attlist &=
 	## Use this AuthorizationManager instead of deriving one from <intercept-url> elements

config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd

@@ -542,7 +542,7 @@
       </xs:attribute>
       <xs:attribute name="use-authorization-manager" type="xs:boolean">
          <xs:annotation>
-            <xs:documentation>Use the AuthorizationManager API instead of AccessDecisionManager (defaults to false)
+            <xs:documentation>Use the AuthorizationManager API instead of AccessDecisionManager (defaults to true)
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
@@ -967,7 +967,7 @@
       </xs:attribute>
       <xs:attribute name="use-authorization-manager" type="xs:boolean">
          <xs:annotation>
-            <xs:documentation>Use AuthorizationManager API instead of SecurityMetadatasource
+            <xs:documentation>Use AuthorizationManager API instead of SecurityMetadatasource (defaults to true)
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
@@ -1325,7 +1325,7 @@
       </xs:attribute>
       <xs:attribute name="use-authorization-manager" type="xs:boolean">
          <xs:annotation>
-            <xs:documentation>Use AuthorizationManager API instead of SecurityMetadataSource
+            <xs:documentation>Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>

config/src/test/java/org/springframework/security/config/http/FilterSecurityMetadataSourceBeanDefinitionParserTests.java

@@ -108,7 +108,7 @@ public void interceptUrlsSupportPropertyPlaceholders() {
 	public void parsingWithinFilterSecurityInterceptorIsSuccessful() {
 		// @formatter:off
 		setContext("<b:bean class=\"org.springframework.web.servlet.handler.HandlerMappingIntrospector\" name=\"mvcHandlerMappingIntrospector\"/>" +
-				"<http auto-config='true' use-expressions='false'/>"
+				"<http auto-config='true' use-expressions='false' use-authorization-manager='false'/>"
 				+ "<b:bean id='fsi' class='org.springframework.security.web.access.intercept.FilterSecurityInterceptor' autowire='byType'>"
 				+ "   <b:property name='securityMetadataSource'>"
 				+ "       <filter-security-metadata-source use-expressions='false'>"

config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java

@@ -84,6 +84,7 @@
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.access.ExceptionTranslationFilter;
 import org.springframework.security.web.access.channel.ChannelProcessingFilter;
+import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@@ -849,8 +850,7 @@ private void assertThatFiltersMatchExpectedAutoConfigList(String url) {
 		assertThat(filters.next()).isInstanceOf(SecurityContextHolderAwareRequestFilter.class);
 		assertThat(filters.next()).isInstanceOf(AnonymousAuthenticationFilter.class);
 		assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class);
-		assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class)
-				.hasFieldOrPropertyWithValue("observeOncePerRequest", false);
+		assertThat(filters.next()).isInstanceOf(AuthorizationFilter.class);
 	}
 
 	private <T extends Filter> T getFilter(Class<T> filterClass) {

config/src/test/java/org/springframework/security/config/http/NamespaceHttpBasicTests.java

@@ -99,7 +99,7 @@ public void httpBasicWithPasswordEncoder() throws Exception {
 	@Test
 	public void httpBasicCustomSecurityContextHolderStrategy() throws Exception {
 		// @formatter:off
-		loadContext("<http auto-config=\"true\" use-expressions=\"false\" security-context-holder-strategy-ref=\"ref\"/>\n"
+		loadContext("<http auto-config=\"true\" use-expressions=\"false\" security-context-holder-strategy-ref=\"ref\" use-authorization-manager=\"false\"/>\n"
 				+  "<authentication-manager id=\"authenticationManager\">\n"
 				+  "	<authentication-provider>\n"
 				+  "		<user-service>\n"

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-AutoConfig.xml

@@ -23,7 +23,9 @@
 		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 	<http-firewall ref="firewall"/>
-	<http auto-config="true"/>
+	<http auto-config="true">
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
 
 	<b:import resource="CsrfConfigTests-shared-userservice.xml"/>
 

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-CsrfDisabled.xml

@@ -23,6 +23,7 @@
 
 	<http auto-config="true">
 		<csrf disabled="true"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:import resource="CsrfConfigTests-shared-userservice.xml"/>

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-CsrfEnabled.xml

@@ -25,6 +25,7 @@
 	<http-firewall ref="firewall"/>
 	<http auto-config="true">
 		<intercept-url pattern="/authenticated/**" access="authenticated"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 		<csrf/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-WithRequestMatcher.xml

@@ -21,7 +21,7 @@
 		 xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
 		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<csrf request-matcher-ref="requestMatcher"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-WithSessionManagement.xml

@@ -21,7 +21,7 @@
 		 xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
 		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<session-management invalid-session-url="/error/sessionError"/>
 		<csrf/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-WithXorCsrfTokenRequestAttributeHandler.xml

@@ -24,6 +24,7 @@
 
 	<http auto-config="true">
 		<csrf request-handler-ref="requestHandler"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean id="requestHandler" class="org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler"

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-ForSec2919.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<form-login login-page="/login"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-ForSec3147.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<form-login login-page="/login"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-NoLeadingSlashDefaultTargetUrl.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<form-login default-target-url="noLeadingSlash"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-NoLeadingSlashLoginPage.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<form-login login-page="noLeadingSlash"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-UsingSpel.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="ROLE_USER"/>
 		<form-login
 				default-target-url="#{T(org.springframework.security.config.http.WebConfigUtilsTests).URL}/default"

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithAntRequestMatcher.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false" request-matcher="ant">
+	<http auto-config="true" use-expressions="false" request-matcher="ant" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="ROLE_USER"/>
 		<form-login/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithCsrfDisabled.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<csrf disabled="true"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithCsrfEnabled.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<csrf disabled="false"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithCustomSecurityContextHolderStrategy.xml

@@ -24,7 +24,8 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false" security-context-holder-strategy-ref="ref">
+	<http auto-config="true" security-context-holder-strategy-ref="ref">
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean id="ref" class="org.mockito.Mockito" factory-method="spy">

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithDefaultTargetUrl.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="ROLE_USER"/>
 		<form-login always-use-default-target="true" default-target-url="/default"/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithSuccessAndFailureHandlers.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false" request-matcher="ant">
+	<http auto-config="true" use-expressions="false" request-matcher="ant" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="ROLE_USER"/>
 		<form-login authentication-success-handler-ref="fsh" authentication-failure-handler-ref="fsh"/>
 	</http>

config/src/test/resources/org/springframework/security/config/http/FormLoginConfigTests-WithUsernameAndPasswordParameters.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<form-login username-parameter="xname" password-parameter="xpass"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/HttpConfigTests-Minimal.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<intercept-url pattern="/**" access="ROLE_USER"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/HttpConfigTests-MinimalAuthorizationManager.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-authorization-manager="true">
+	<http auto-config="true">
 		<intercept-url pattern="/**" access="hasRole('USER')"/>
 	</http>
 

config/src/test/resources/org/springframework/security/config/http/HttpCorsConfigTests-RequiresMvc.xml

@@ -25,7 +25,7 @@
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<cors/>
 	</http>
 </b:beans>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-CacheControlDisabled.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<cache-control disabled="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-ContentSecurityPolicyWithEmptyDirectives.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<headers>
 			<content-security-policy policy-directives=""/>
 		</headers>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-ContentSecurityPolicyWithPolicyDirectives.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<headers>
 			<content-security-policy policy-directives="default-src 'self'"/>
 		</headers>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-ContentSecurityPolicyWithReportOnly.xml

@@ -24,7 +24,7 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true" use-expressions="false">
+	<http auto-config="true" use-expressions="false" use-authorization-manager="false">
 		<headers>
 			<content-security-policy
 					policy-directives="default-src https:; report-uri https://example.org/"

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-ContentTypeOptionsDisabled.xml

@@ -28,6 +28,7 @@
 		<headers>
 			<content-type-options disabled="true"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultConfig.xml

@@ -24,7 +24,9 @@
 			http://www.springframework.org/schema/beans
 			https://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<http auto-config="true"/>
+	<http auto-config="true">
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
 

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithCacheControl.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<cache-control/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsDisabledWithContentSecurityPolicy.xml

@@ -28,6 +28,7 @@
 		<headers defaults-disabled="true">
 			<content-security-policy policy-directives="default-src 'self'"/>
 		</headers>
+		<intercept-url pattern="/**" access="permitAll"/>
 	</http>
 
 	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>