
Merge branch '6.3.x' into 6.4.x

Closes gh-16782
Closes gh-16783
Closes gh-16784
Closes gh-16785
Closes gh-16786
Steve Riesenberg 5 月之前
96cfbd1e6c

+ 1 - 1
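--- a/docs/modules/ROOT/nav.adoc
+++ b/docs/modules/ROOT/nav.adoc
@@ -132,7 +132,7 @@
 *** xref:servlet/appendix/faq.adoc[FAQ]
 * xref:reactive/index.adoc[Reactive Applications]
 ** xref:reactive/getting-started.adoc[Getting Started]
-** Authentication
+** xref:reactive/authentication/index.adoc[Authentication]
 *** xref:reactive/authentication/x509.adoc[X.509 Authentication]
 *** xref:reactive/authentication/logout.adoc[Logout]
 *** Session Management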

+ 1 - 1
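--- a/docs/modules/ROOT/pages/features/authentication/index.adoc
+++ b/docs/modules/ROOT/pages/features/authentication/index.adoc
@@ -8,4 +8,4 @@ Once authentication is performed we know the identity and can perform authorizat
 
 Spring Security provides built-in support for authenticating users.
 This section is dedicated to generic authentication support that applies in both Servlet and WebFlux environments.
-Refer to the sections on authentication for xref:servlet/authentication/index.adoc#servlet-authentication[Servlet] and xref:servlet/authentication/index.adoc[WebFlux] for details on what is supported for each stack.
+Refer to the sections on authentication for xref:servlet/authentication/index.adoc[Servlet] and xref:reactive/authentication/index.adoc[WebFlux] for details on what is supported for each stack.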

+ 3 - 0
docs/modules/ROOT/pages/reactive/authentication/index.adoc

@@ -0,0 +1,3 @@
+[[webflux-authentication]]
+= Authentication
+:page-section-summary-toc: 1

+ 1 - 1
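--- a/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
+++ b/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
@@ -34,7 +34,7 @@ The attributes on the `<http>` element control some of the properties on the cor
 Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
 
 [[nsa-http-authorization-manager-ref]]
-* **access-decision-manager-ref**
+* **use-authorization-manager**
 Use this AuthorizationManager instead of deriving one from <intercept-url> elements
 
 [[nsa-http-access-decision-manager-ref]]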
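Review bot: The replacement attribute name under `[[nsa-http-authorization-manager-ref]]` still looks wrong: `use-authorization-manager` is the boolean attribute documented in the entry immediately above ("defaults to true"), whereas this entry's anchor and its description ("Use this AuthorizationManager instead of deriving one from <intercept-url> elements") describe a bean reference. Following the anchor-to-attribute pattern of the neighbouring `[[nsa-http-access-decision-manager-ref]]` / `access-decision-manager-ref` entry, the line should read `* **authorization-manager-ref**`. As committed, the namespace reference now lists `use-authorization-manager` twice with contradictory descriptions and never names the reference attribute, so a reader who copies the attribute from this table would configure the wrong one. The entry the anchor belongs to is cut off at the top of the hunk, so I cannot confirm from here that there is not a second, correctly named entry elsewhere.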

+ 1 - 1
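--- a/docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc
+++ b/docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc
@@ -2,4 +2,4 @@
 = Spring MVC Test Integration
 :page-section-summary-toc: 1
 
-Spring Security provides comprehensive integration with https://docs.spring.io/spring/docs/current/spring-framework-reference/html/testing.html#spring-mvc-test-framework[Spring MVC Test]
+Spring Security provides comprehensive integration with {spring-framework-reference-url}testing/mockmvc.html[Spring MVC Test]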

+ 2 - 2
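--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -245,7 +245,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 	 * be used to create an Authentication for saving.</li>
 	 * </ul>
 	 * @param authorizedClient the {@link OAuth2AuthorizedClient} to use.
-	 * @return the {@link Consumer} to populate the
+	 * @return the {@link Consumer} to populate the attributes
 	 */
 	public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) {
 		return (attributes) -> attributes.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, authorizedClient);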

+ 11 - 3
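--- a/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java
@@ -29,6 +29,9 @@ public interface WebInvocationPrivilegeEvaluator {
 	/**
 	 * Determines whether the user represented by the supplied <tt>Authentication</tt>
 	 * object is allowed to invoke the supplied URI.
+	 * <p>
+	 * Note this will only match authorization rules that don't require a certain
+	 * {@code HttpMethod}.
 	 * @param uri the URI excluding the context path (a default context path setting will
 	 * be used)
 	 */
@@ -36,13 +39,18 @@ public interface WebInvocationPrivilegeEvaluator {
 
 	/**
 	 * Determines whether the user represented by the supplied <tt>Authentication</tt>
-	 * object is allowed to invoke the supplied URI, with the given .
+	 * object is allowed to invoke the supplied URI, with the given parameters.
 	 * <p>
-	 * Note the default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
+	 * Note:
+	 * <ul>
+	 * <li>The default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
 	 * disregards the <code>contextPath</code> when evaluating which secure object
 	 * metadata applies to a given request URI, so generally the <code>contextPath</code>
 	 * is unimportant unless you are using a custom
-	 * <code>FilterInvocationSecurityMetadataSource</code>.
+	 * <code>FilterInvocationSecurityMetadataSource</code>.</li>
+	 * <li>this will only match authorization rules that don't require a certain
+	 * {@code HttpMethod}.</li>
+	 * </ul>
 	 * @param uri the URI excluding the context path
 	 * @param contextPath the context path (may be null).
 	 * @param method the HTTP method (or null, for any method)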
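Review bot: The new `<li>` in the second hunk states that rules requiring a specific `HttpMethod` are never matched, yet the `@param method` line directly beneath it still says "the HTTP method (or null, for any method)", so a reader cannot tell what supplying a method actually changes for this overload. I would reconcile the two in the `@param` text, e.g. `@param method the HTTP method (or null, for any method); note that authorization rules restricted to a specific {@code HttpMethod} are not matched even when a method is supplied` — assuming that is indeed the behaviour the note describes, which the hunk itself does not show. Because the answer can then differ from what the filter chain enforces for method-restricted endpoints, the note should presumably also say that the result is advisory (for example, for deciding whether to render a link) and must not substitute for enforcement in the chain. A minor style point: `<li>this will only match` should be `<li>This will only match` to match the capitalised sibling item. The method signature and body the Javadoc documents lie outside the hunk.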