RequestMatcherDelegatingAuthorizationManager defaults to deny

Closes gh-11958

Author: jgrandja

config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java

@@ -34,7 +34,6 @@
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.beans.factory.xml.XmlReaderContext;
-import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.ObservationAuthorizationManager;
 import org.springframework.security.config.Elements;
@@ -43,7 +42,6 @@
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
-import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
@@ -197,8 +195,7 @@ public AuthorizationManager<HttpServletRequest> getObject() throws Exception {
 					.entrySet()) {
 				builder.add(entry.getKey(), entry.getValue());
 			}
-			AuthorizationManager<HttpServletRequest> manager = builder
-					.add(AnyRequestMatcher.INSTANCE, AuthenticatedAuthorizationManager.authenticated()).build();
+			AuthorizationManager<HttpServletRequest> manager = builder.build();
 			if (!this.observationRegistry.isNoop()) {
 				return new ObservationAuthorizationManager<>(this.observationRegistry, manager);
 			}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java

@@ -358,15 +358,15 @@ public void getWhenServletPathRoleAdminConfiguredAndRoleIsUserThenRespondsWithFo
 	}
 
 	@Test
-	public void getWhenServletPathRoleAdminConfiguredAndRoleIsUserAndWithoutServletPathThenRespondsWithOk()
+	public void getWhenServletPathRoleAdminConfiguredAndRoleIsUserAndWithoutServletPathThenRespondsWithForbidden()
 			throws Exception {
 		this.spring.register(ServletPathConfig.class, BasicController.class).autowire();
 		// @formatter:off
 		MockHttpServletRequestBuilder requestWithUser = get("/")
 				.with(user("user")
 				.roles("USER"));
 		// @formatter:on
-		this.mvc.perform(requestWithUser).andExpect(status().isOk());
+		this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
 	}
 
 	@Test

config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java

@@ -139,7 +139,10 @@ public void passwordEncoderBeanUsed() throws Exception {
 				+ "<user-service>"
 				+ "  <user name='user' password='password' authorities='ROLE_A,ROLE_B' />"
 				+ "</user-service>"
-				+ "<http/>")
+				+ "<http>"
+				+ "  <intercept-url pattern=\"/**\" access=\"authenticated\"/>"
+				+ "  <http-basic />"
+				+ "</http>")
 				.mockMvcAfterSpringSecurityOk()
 				.autowire();
 		this.mockMvc.perform(get("/").with(httpBasic("user", "password")))

config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java

@@ -120,7 +120,7 @@ public void requestWhenUsingPatchAndAuthorizationManagerThenAuthorizesRequestsAc
 		this.spring.configLocations(this.xml("PatchMethodAuthorizationManager")).autowire();
 		// @formatter:off
 		this.mvc.perform(get("/path").with(userCredentials()))
-				.andExpect(status().isOk());
+				.andExpect(status().isForbidden());
 		this.mvc.perform(patch("/path").with(userCredentials()))
 				.andExpect(status().isForbidden());
 		this.mvc.perform(patch("/path").with(adminCredentials()))

config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -85,6 +85,7 @@ public void changeSessionIdThenPreserveParameters() throws Exception {
 		String id = request.getSession().getId();
 		// @formatter:off
 		loadContext("<http>\n"
+				+ "        <intercept-url pattern=\"/**\" access=\"authenticated\"/>\n"
 				+ "        <form-login/>\n"
 				+ "        <session-management/>\n"
 				+ "        <csrf disabled='true'/>\n"
@@ -107,6 +108,7 @@ public void changeSessionId() throws Exception {
 		String id = request.getSession().getId();
 		// @formatter:off
 		loadContext("<http>\n"
+				+ "        <intercept-url pattern=\"/**\" access=\"authenticated\"/>\n"
 				+ "        <form-login/>\n"
 				+ "        <session-management session-fixation-protection='changeSessionId'/>\n"
 				+ "        <csrf disabled='true'/>\n"

config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt

@@ -512,7 +512,7 @@ class AuthorizeHttpRequestsDslTests {
                 request.servletPath = "/other"
                 request
             })
-            .andExpect(status().isOk)
+            .andExpect(status().isForbidden)
     }
 
     @Configuration
@@ -602,7 +602,7 @@ class AuthorizeHttpRequestsDslTests {
                     servletPath = "/other"
                 }
             })
-            .andExpect(status().isOk)
+            .andExpect(status().isForbidden)
     }
 
     @Configuration

config/src/test/resources/org/springframework/security/config/authentication/PasswordEncoderParserTests-bean.xml

@@ -1,5 +1,5 @@
 <!--
-  ~ Copyright 2002-2017 the original author or authors.
+  ~ Copyright 2002-2022 the original author or authors.
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -22,7 +22,10 @@
 
 	<b:bean id="passwordEncoder" class="org.springframework.security.crypto.password.NoOpPasswordEncoder" factory-method="getInstance"/>
 
-	<http />
+	<http>
+		<intercept-url pattern="/**" access="authenticated"/>
+		<http-basic />
+	</http>
 
 	<authentication-manager>
 		<authentication-provider>

config/src/test/resources/org/springframework/security/config/authentication/PasswordEncoderParserTests-default.xml

@@ -3,7 +3,10 @@
 		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 		 xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
 						http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
-	<http />
+	<http>
+		<intercept-url pattern="/**" access="authenticated"/>
+		<http-basic />
+	</http>
 
 	<authentication-manager>
 		<authentication-provider>

config/src/test/resources/org/springframework/security/config/debug/SecurityDebugBeanFactoryPostProcessorTests-context.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright 2002-2018 the original author or authors.
+  ~ Copyright 2002-2022 the original author or authors.
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -25,7 +25,9 @@
 
 	<debug/>
 
-	<http/>
+	<http auto-config="true">
+		<intercept-url pattern="/**" access="authenticated"/>
+	</http>
 
 	<authentication-manager>
 		<authentication-provider ref="authProvider"/>

config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-WithAccessDeniedHandler.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright 2002-2018 the original author or authors.
+  ~ Copyright 2002-2022 the original author or authors.
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 	<http auto-config="true">
 		<access-denied-handler ref="accessDeniedHandler"/>
 		<csrf/>
+		<intercept-url pattern="/**" access="authenticated"/>
 	</http>
 
 	<b:import resource="CsrfConfigTests-shared-userservice.xml"/>