Merge branch '5.8.x' into 6.0.x

config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java

@@ -50,7 +50,8 @@ import org.springframework.security.web.csrf.CsrfToken;
  *
  * <h2>Shared Objects Created</h2>
  *
- * No shared objects are created. isLogoutRequest
+ * No shared objects are created.
+ *
  * <h2>Shared Objects Used</h2>
  *
  * The following shared objects are used:

config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java

@@ -48,8 +48,9 @@ import org.springframework.util.Assert;
  * </p>
  *
  * <pre>
- * protected void configure(HttpSecurity http) throws Exception {
- * 	http.apply(new UrlAuthorizationConfigurer&lt;HttpSecurity&gt;()).getRegistry()
+ * &#64;Bean
+ * public SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
+ * 	http.apply(new UrlAuthorizationConfigurer&lt;HttpSecurity&gt;(context)).getRegistry()
  * 			.requestMatchers(&quot;/users**&quot;, &quot;/sessions/**&quot;).hasRole(&quot;USER&quot;)
  * 			.requestMatchers(&quot;/signup&quot;).hasRole(&quot;ANONYMOUS&quot;).anyRequest().hasRole(&quot;USER&quot;);
  * }
@@ -201,24 +202,22 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 			setApplicationContext(context);
 		}
 
+		/**
+		 * @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
+		 */
 		@Override
-		public AuthorizedUrl requestMatchers(String... patterns) {
-			return super.requestMatchers(patterns);
-		}
-
-		@Override
-		public AuthorizedUrl requestMatchers(HttpMethod method, String... patterns) {
-			return super.requestMatchers(method, patterns);
-		}
-
-		@Override
-		public AuthorizedUrl requestMatchers(HttpMethod method) {
-			return super.requestMatchers(method);
+		@Deprecated
+		public MvcMatchersAuthorizedUrl mvcMatchers(HttpMethod method, String... mvcPatterns) {
+			return new MvcMatchersAuthorizedUrl(createMvcMatchers(method, mvcPatterns));
 		}
 
+		/**
+		 * @deprecated use {@link #requestMatchers(String...)} instead
+		 */
 		@Override
-		public AuthorizedUrl requestMatchers(RequestMatcher... requestMatchers) {
-			return super.requestMatchers(requestMatchers);
+		@Deprecated
+		public MvcMatchersAuthorizedUrl mvcMatchers(String... patterns) {
+			return mvcMatchers(null, patterns);
 		}
 
 		@Override
@@ -243,6 +242,32 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 
 	}
 
+	/**
+	 * An {@link AuthorizedUrl} that allows optionally configuring the
+	 * {@link MvcRequestMatcher#setMethod(HttpMethod)}
+	 *
+	 * @author Rob Winch
+	 */
+	public final class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
+
+		/**
+		 * Creates a new instance
+		 * @param requestMatchers the {@link RequestMatcher} instances to map
+		 */
+		private MvcMatchersAuthorizedUrl(List<MvcRequestMatcher> requestMatchers) {
+			super(requestMatchers);
+		}
+
+		@SuppressWarnings("unchecked")
+		public AuthorizedUrl servletPath(String servletPath) {
+			for (MvcRequestMatcher matcher : (List<MvcRequestMatcher>) getMatchers()) {
+				matcher.setServletPath(servletPath);
+			}
+			return this;
+		}
+
+	}
+
 	/**
 	 * Maps the specified {@link RequestMatcher} instances to {@link ConfigAttribute}
 	 * instances.

docs/modules/ROOT/pages/servlet/oauth2/resource-server/multitenancy.adoc

@@ -248,7 +248,7 @@ public class TenantJWSKeySelector
 	}
 
 	private JWSKeySelector<SecurityContext> fromTenant(String tenant) {
-		return Optional.ofNullable(this.tenantRepository.findById(tenant)) <3>
+		return Optional.ofNullable(this.tenants.findById(tenant)) <3>
 		        .map(t -> t.getAttrbute("jwks_uri"))
 				.map(this::fromUri)
 				.orElseThrow(() -> new IllegalArgumentException("unknown tenant"));