From dadf4c0b8a75a02de27e6edf0dac9e272ac7ea07 Mon Sep 17 00:00:00 2001
From: DingHao <dh.hiekn@gmail.com>
Date: Thu, 10 Jul 2025 10:53:22 +0800
Subject: [PATCH] Remove shouldFilterAllDispatcherTypes

Closes gh-12139

Signed-off-by: DingHao <dh.hiekn@gmail.com>
---
 .../AuthorizeHttpRequestsConfigurer.java      | 33 -----------
 .../web/AuthorizeHttpRequestsDsl.kt           | 24 +-------
 .../config/http/InterceptUrlConfigTests.java  | 24 +-------
 .../web/AuthorizeHttpRequestsDslTests.kt      |  8 +--
 ...figTests-FilterAllDispatcherTypesFalse.xml | 55 -------------------
 .../access/intercept/AuthorizationFilter.java | 30 ----------
 .../intercept/AuthorizationFilterTests.java   |  4 +-
 7 files changed, 9 insertions(+), 169 deletions(-)
 delete mode 100644 config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-FilterAllDispatcherTypesFalse.xml

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
index 1f24c4086e..9ee138554d 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
@@ -110,7 +110,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 		AuthorizationManager<HttpServletRequest> authorizationManager = this.registry.createAuthorizationManager();
 		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
 		authorizationFilter.setAuthorizationEventPublisher(this.publisher);
-		authorizationFilter.setShouldFilterAllDispatcherTypes(this.registry.shouldFilterAllDispatcherTypes);
 		authorizationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 		http.addFilter(postProcess(authorizationFilter));
 	}
@@ -144,8 +143,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 
 		private int mappingCount;
 
-		private boolean shouldFilterAllDispatcherTypes = true;
-
 		private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) {
 			setApplicationContext(context);
 		}
@@ -191,36 +188,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 			return this;
 		}
 
-		/**
-		 * Sets whether all dispatcher types should be filtered.
-		 * @param shouldFilter should filter all dispatcher types. Default is {@code true}
-		 * @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
-		 * customizations
-		 * @since 5.7
-		 * @deprecated Permit access to the {@link jakarta.servlet.DispatcherType}
-		 * instead. <pre>
-		 * &#064;Configuration
-		 * &#064;EnableWebSecurity
-		 * public class SecurityConfig {
-		 *
-		 * 	&#064;Bean
-		 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		 * 		http
-		 * 		 	.authorizeHttpRequests((authorize) -&gt; authorize
-		 * 				.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
-		 * 			 	// ...
-		 * 		 	);
-		 * 		return http.build();
-		 * 	}
-		 * }
-		 * </pre>
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public AuthorizationManagerRequestMatcherRegistry shouldFilterAllDispatcherTypes(boolean shouldFilter) {
-			this.shouldFilterAllDispatcherTypes = shouldFilter;
-			return this;
-		}
-
 	}
 
 	/**
diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt
index 5488dd0289..9f2f8564ec 100644
--- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,27 +41,8 @@ import java.util.function.Supplier
  *
  * @author Yuriy Savchenko
  * @since 5.7
- * @property shouldFilterAllDispatcherTypes whether the [AuthorizationFilter] should filter all dispatcher types
  */
 class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
-    @Deprecated("""
-        Add authorization rules to DispatcherType directly.
-
-        @Configuration
-        @EnableWebSecurity
-        public class SecurityConfig {
-            @Bean
-            public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-                http
-                    .authorizeHttpRequests((authorize) -> authorize
-                        .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
-                        // ...
-                    );
-                return http.build();
-            }
-          }
-    """)
-    var shouldFilterAllDispatcherTypes: Boolean? = null
 
     private val authorizationRules = mutableListOf<AuthorizationManagerRule>()
     private val rolePrefix: String
@@ -291,9 +272,6 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
                     }
                 }
             }
-            shouldFilterAllDispatcherTypes?.also { shouldFilter ->
-                requests.shouldFilterAllDispatcherTypes(shouldFilter)
-            }
         }
     }
 
diff --git a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
index 69245d6bac..cffc0e090e 100644
--- a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -337,28 +337,6 @@ public class InterceptUrlConfigTests {
 		assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
 	}
 
-	@Test
-	public void requestWhenUsingFilterAllDispatcherTypesFalseThenAuthorizesRequestsAccordingly() throws Exception {
-		this.spring.configLocations(this.xml("FilterAllDispatcherTypesFalse")).autowire();
-		// @formatter:off
-		this.mvc.perform(get("/path").with(userCredentials()))
-				.andExpect(status().isOk());
-		this.mvc.perform(get("/path").with(adminCredentials()))
-				.andExpect(status().isForbidden());
-		this.mvc.perform(get("/error").with((request) -> {
-			request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
-			request.setDispatcherType(DispatcherType.ERROR);
-			return request;
-		})).andExpect(status().isOk());
-		this.mvc.perform(get("/path").with((request) -> {
-			request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/path");
-			request.setDispatcherType(DispatcherType.ERROR);
-			return request;
-		})).andExpect(status().isOk());
-		// @formatter:on
-		assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
-	}
-
 	private static RequestPostProcessor adminCredentials() {
 		return httpBasic("admin", "password");
 	}
diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt
index 87adfeb9e5..fba0a28e54 100644
--- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -44,6 +44,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.*
 import org.springframework.security.web.SecurityFilterChain
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext
+import org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher
 import org.springframework.security.web.util.matcher.RegexRequestMatcher
 import org.springframework.test.web.servlet.MockMvc
 import org.springframework.test.web.servlet.get
@@ -632,7 +633,6 @@ class AuthorizeHttpRequestsDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 authorizeHttpRequests {
-                    shouldFilterAllDispatcherTypes = true
                     authorize(anyRequest, denyAll)
                 }
             }
@@ -671,7 +671,6 @@ class AuthorizeHttpRequestsDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 authorizeHttpRequests {
-                    shouldFilterAllDispatcherTypes = true
                     authorize(anyRequest, permitAll)
                 }
             }
@@ -710,7 +709,8 @@ class AuthorizeHttpRequestsDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 authorizeHttpRequests {
-                    shouldFilterAllDispatcherTypes = false
+                    authorize(DispatcherTypeRequestMatcher(DispatcherType.ERROR), permitAll)
+                    authorize(DispatcherTypeRequestMatcher(DispatcherType.ASYNC), permitAll)
                     authorize(anyRequest, denyAll)
                 }
             }
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-FilterAllDispatcherTypesFalse.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-FilterAllDispatcherTypesFalse.xml
deleted file mode 100644
index f3c09d2a9d..0000000000
--- a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-FilterAllDispatcherTypesFalse.xml
+++ /dev/null
@@ -1,55 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  ~ Copyright 2002-2022 the original author or authors.
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~       https://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-
-<b:beans xmlns:b="http://www.springframework.org/schema/beans"
-		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-		xmlns="http://www.springframework.org/schema/security"
-		xsi:schemaLocation="
-			http://www.springframework.org/schema/security
-			https://www.springframework.org/schema/security/spring-security.xsd
-			http://www.springframework.org/schema/beans
-			https://www.springframework.org/schema/beans/spring-beans.xsd">
-
-	<http auto-config="true" filter-all-dispatcher-types="false">
-		<intercept-url request-matcher-ref="pathErrorRequestMatcher" access="permitAll()" />
-		<intercept-url request-matcher-ref="errorRequestMatcher" access="authenticated" />
-		<intercept-url pattern="/**" access="hasRole('USER')"/>
-		<http-basic/>
-	</http>
-
-	<b:bean name="path" class="org.springframework.security.config.http.InterceptUrlConfigTests.PathController"/>
-	<b:bean name="error" class="org.springframework.security.config.http.InterceptUrlConfigTests.ErrorController"/>
-
-	<b:bean name="errorRequestMatcher" class="org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher">
-		<b:constructor-arg value="ERROR"/>
-	</b:bean>
-
-	<b:bean name="errorPathRequestMatcher" class="org.springframework.security.config.http.PathPatternRequestMatcherFactoryBean">
-		<b:constructor-arg value="/error"/>
-	</b:bean>
-
-	<b:bean name="pathErrorRequestMatcher" class="org.springframework.security.web.util.matcher.AndRequestMatcher">
-		<b:constructor-arg>
-			<b:list>
-				<b:ref bean="errorRequestMatcher"/>
-				<b:ref bean="errorPathRequestMatcher"/>
-			</b:list>
-		</b:constructor-arg>
-	</b:bean>
-
-	<b:import resource="userservice.xml"/>
-</b:beans>
diff --git a/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java b/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
index cdda331115..3fb99fe6de 100644
--- a/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
+++ b/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
@@ -163,36 +163,6 @@ public class AuthorizationFilter extends GenericFilterBean {
 		return this.authorizationManager;
 	}
 
-	/**
-	 * Sets whether to filter all dispatcher types.
-	 * @param shouldFilterAllDispatcherTypes should filter all dispatcher types. Default
-	 * is {@code true}
-	 * @since 5.7
-	 * @deprecated Permit access to the {@link jakarta.servlet.DispatcherType} instead.
-	 * <pre>
-	 * &#064;Configuration
-	 * &#064;EnableWebSecurity
-	 * public class SecurityConfig {
-	 *
-	 * 	&#064;Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 		 	.authorizeHttpRequests((authorize) -&gt; authorize
-	 * 				.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
-	 * 			 	// ...
-	 * 		 	);
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * </pre>
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) {
-		this.observeOncePerRequest = !shouldFilterAllDispatcherTypes;
-		this.filterErrorDispatch = shouldFilterAllDispatcherTypes;
-		this.filterAsyncDispatch = shouldFilterAllDispatcherTypes;
-	}
-
 	public boolean isObserveOncePerRequest() {
 		return this.observeOncePerRequest;
 	}
diff --git a/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java b/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java
index 62f217d232..7f2aa32953 100644
--- a/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java
@@ -210,7 +210,9 @@ public class AuthorizationFilterTests {
 	public void doFilterWhenErrorAndShouldFilterAllDispatcherTypesFalseThenDoNotFilter() throws Exception {
 		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
 		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
-		authorizationFilter.setShouldFilterAllDispatcherTypes(false);
+		authorizationFilter.setObserveOncePerRequest(true);
+		authorizationFilter.setFilterErrorDispatch(false);
+		authorizationFilter.setFilterAsyncDispatch(false);
 		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
 		mockRequest.setDispatcherType(DispatcherType.ERROR);
 		mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");