
SEC-2455: form-login@login-processing-url & logout@logout-url use matchers

Remove the deprecation warnings of using setFilterProcessingUrl by invoking
the matcher methods instead.
Rob Winch 11 năm trước cách đây
mục cha
commit
8d8475deb1

+ 4 - 1
config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java

@@ -148,7 +148,10 @@ public class FormLoginBeanDefinitionParser {
             loginUrl = defaultLoginProcessingUrl;
         }
 
-        filterBuilder.addPropertyValue("filterProcessesUrl", loginUrl);
+        BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.authentication.logout.LogoutFilter$FilterProcessUrlRequestMatcher");
+        matcherBuilder.addConstructorArgValue(loginUrl);
+
+        filterBuilder.addPropertyValue("requiresAuthenticationRequestMatcher", matcherBuilder.getBeanDefinition());
 
         if (StringUtils.hasText(successHandlerRef)) {
             filterBuilder.addPropertyReference("authenticationSuccessHandler", successHandlerRef);
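Review bot: The matcher class names look swapped between the two parsers: this form-login hunk builds `LogoutFilter$FilterProcessUrlRequestMatcher`, while the logout hunk in LogoutBeanDefinitionParser builds `AbstractAuthenticationProcessingFilter$FilterProcessUrlRequestMatcher`. Neither nested class is shown on this page, so if they normalise the request URI differently (query string or path parameters, for instance), the set of requests that trigger authentication or logout processing may differ from what `filterProcessesUrl` matched before. I would reference each filter's own matcher, i.e. `rootBeanDefinition("org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter$FilterProcessUrlRequestMatcher")` here and the `LogoutFilter$FilterProcessUrlRequestMatcher` name in the logout parser, or add a comment saying why the cross-reference is intended. Because the name is a string literal, a rename or visibility change of the nested class would surface only at context start-up, not at compile time. The enclosing method starts and ends outside both hunks.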

+ 4 - 1
config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java

@@ -78,7 +78,10 @@ class LogoutBeanDefinitionParser implements BeanDefinitionParser {
         if (!StringUtils.hasText(logoutUrl)) {
             logoutUrl = DEF_LOGOUT_URL;
         }
-        builder.addPropertyValue("filterProcessesUrl", logoutUrl);
+        BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter$FilterProcessUrlRequestMatcher");
+        matcherBuilder.addConstructorArgValue(logoutUrl);
+
+        builder.addPropertyValue("logoutRequestMatcher", matcherBuilder.getBeanDefinition());
 
         if (StringUtils.hasText(successHandlerRef)) {
             if (StringUtils.hasText(logoutSuccessUrl)) {

+ 16 - 0
config/src/test/groovy/org/springframework/security/config/http/FormLoginConfigTests.groovy

@@ -6,6 +6,8 @@ import org.springframework.security.web.access.ExceptionTranslationFilter
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.util.ReflectionUtils;
 
 /**
  *
@@ -102,4 +104,18 @@ class FormLoginConfigTests extends AbstractHttpConfigTests {
         apf.usernameParameter == 'xname';
         apf.passwordParameter == 'xpass'
     }
+
+    def 'SEC-2455: http@login-processing-url'() {
+        when:
+            xml.http {
+                'form-login'('login-processing-url':'/authenticate')
+            }
+            createAppContext()
+
+            def apf = getFilter(UsernamePasswordAuthenticationFilter);
+
+        then:
+            apf.filterProcessesUrl == null // SEC-2455 setFilterProcessesUrl was not invoked
+            FieldUtils.getFieldValue(apf,'requiresAuthenticationRequestMatcher.filterProcessesUrl') == '/authenticate'
+    }
 }
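Review bot: The new test only reads the stored `filterProcessesUrl` string through reflection, so it would still pass if the parser wired in a matcher of the wrong type or one that matches requests differently; the same holds for the test in LogoutConfigTests. An assertion on behaviour would pin what matters for the login endpoint, for example `apf.requiresAuthenticationRequestMatcher.matches(request)` for a mock request to `/authenticate` plus a negative case for another path (assuming the field is reachable from the test). Separately, the two imports added at the top of this file, `ReflectionTestUtils` and `ReflectionUtils`, are not used by the added test, which calls `FieldUtils`; whether `FieldUtils` is already imported is not visible in these hunks.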

+ 25 - 0
config/src/test/groovy/org/springframework/security/config/http/LogoutConfigTests.groovy

@@ -0,0 +1,25 @@
+package org.springframework.security.config.http
+
+import org.springframework.security.util.FieldUtils
+import org.springframework.security.web.authentication.logout.LogoutFilter
+
+/**
+ *
+ * @author Rob Winch
+ */
+class LogoutConfigTests extends AbstractHttpConfigTests {
+
+    def 'SEC-2455: logout@logout-url'() {
+        when:
+            httpAutoConfig {
+                'logout'('logout-url':'/logout')
+            }
+            createAppContext()
+
+            def lf = getFilter(LogoutFilter);
+
+        then:
+            lf.filterProcessesUrl == null // SEC-2455 setFilterProcessesUrl was not invoked
+            FieldUtils.getFieldValue(lf,'logoutRequestMatcher.filterProcessesUrl') == '/logout'
+    }
+}

+ 1 - 0
web/src/main/java/org/springframework/security/web/authentication/logout/LogoutFilter.java

@@ -125,6 +125,7 @@ public class LogoutFilter extends GenericFilterBean {
     public void setLogoutRequestMatcher(RequestMatcher logoutRequestMatcher) {
         Assert.notNull(logoutRequestMatcher, "logoutRequestMatcher cannot be null");
         this.logoutRequestMatcher = logoutRequestMatcher;
+        this.filterProcessesUrl = null;
     }
 
     @Deprecated
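Review bot: Clearing `filterProcessesUrl` inside `setLogoutRequestMatcher` is an undocumented side effect: after this call, anything that still reads the field (or a getter for it, if one exists) gets null. A subclass or caller that decides whether a request is a logout request from that URL would then stop matching, so the setter's Javadoc should say so, e.g. `Setting a matcher clears any value previously set through the deprecated setFilterProcessesUrl.` The outcome also depends on the order in which the two setters are called. The deprecated method that begins on the last line of the hunk is outside the view, so I cannot tell whether it resets the matcher symmetrically.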