
Use PathPatternRequestMatcher in docs

Issue gh-16886
Issue gh-16887
Josh Cummings 1 bulan lalu
b71a66bdaa

+ 3 - 2
docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc

@@ -128,7 +128,7 @@ This is helpful when, for example, wanting to run HTTP locally and HTTPS in prod
 Defines the `RequestMatcher` strategy used in the `FilterChainProxy` and the beans created by the `intercept-url` to match incoming requests.
 Options are currently `mvc`, `ant`, `regex` and `ciRegex`, for Spring MVC, ant, regular-expression and case-insensitive regular-expression respectively.
 A separate instance is created for each <<nsa-intercept-url,intercept-url>> element using its <<nsa-intercept-url-pattern,pattern>>, <<nsa-intercept-url-method,method>> and <<nsa-intercept-url-servlet-path,servlet-path>> attributes.
-Ant paths are matched using an `AntPathRequestMatcher`, regular expressions are matched using a `RegexRequestMatcher` and for Spring MVC path matching the `MvcRequestMatcher` is used.
+By default, paths are matched using a `PathPatternRequestMatcher`; however, regular expressions are matched using a `RegexRequestMatcher`.
 See the Javadoc for these classes for more details on exactly how the matching is performed.
 MVC is the default strategy if Spring MVC is present in the classpath, if not, Ant paths are used.
 
@@ -226,7 +226,8 @@ Defines a reference to a Spring bean of type `AccessDeniedHandler`.
 [[nsa-cors]]
 == <cors>
 This element allows for configuring a `CorsFilter`.
-If no `CorsFilter` or `CorsConfigurationSource` is specified and Spring MVC is on the classpath, a `HandlerMappingIntrospector` is used as the `CorsConfigurationSource`.
+Either a `CorsFilter` or a `CorsConfigurationSource` must be specified.
+If Spring MVC is present, then it will attempt to look up its `CorsConfigurationSource`.
 
 [[nsa-cors-attributes]]
 === <cors> Attributes
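Review bot: In the request-matcher hunk, the new sentence names `PathPatternRequestMatcher` as the default, but the unchanged lines around it still list `mvc` and `ant` as options and still end with "MVC is the default strategy if Spring MVC is present in the classpath, if not, Ant paths are used." A reader picking a `request-matcher` value for access rules now gets two different answers about which matcher evaluates the patterns. I would drop that closing sentence, or replace it with one that says what the `mvc` and `ant` values resolve to after this change. Which of the two is correct cannot be told from the hunk, so it needs confirming against the namespace parser.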

+ 8 - 8
docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc

@@ -1084,7 +1084,7 @@ open class SecurityConfig {
 <3> Allow access to URLs that start with `/api/admin/` to users with the `ADMIN` role
 <4> Any other request that doesn't match the rules above, will require authentication
 
-The `securityMatcher(s)` and `requestMatcher(s)` methods will decide which `RequestMatcher` implementation fits best for your application: If {spring-framework-reference-url}web.html#spring-web[Spring MVC] is in the classpath, then javadoc:org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher[] will be used, otherwise, javadoc:org.springframework.security.web.util.matcher.AntPathRequestMatcher[] will be used.
+The `securityMatcher(s)` and `requestMatcher(s)` methods will construct ``RequestMatcher``s using a javadoc:org.springframework.security.web.util.matcher.PathPatternRequestMatcher.Builder[] bean, if available.
 You can read more about the Spring MVC integration xref:servlet/integrations/mvc.adoc[here].
 
 If you want to use a specific `RequestMatcher`, just pass an implementation to the `securityMatcher` and/or `requestMatcher` methods:
@@ -1095,7 +1095,7 @@ Java::
 +
 [source,java,role="primary"]
 ----
-import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher; <1>
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.withDefaults; <1>
 import static org.springframework.security.web.util.matcher.RegexRequestMatcher.regexMatcher;
 
 @Configuration
@@ -1107,7 +1107,7 @@ public class SecurityConfig {
 		http
 			.securityMatcher(antMatcher("/api/**"))                              <2>
 			.authorizeHttpRequests((authorize) -> authorize
-				.requestMatchers(antMatcher("/api/user/**")).hasRole("USER")     <3>
+				.requestMatchers(withDefaults().matcher("/api/user/**")).hasRole("USER")     <3>
 				.requestMatchers(regexMatcher("/api/admin/.*")).hasRole("ADMIN") <4>
 				.requestMatchers(new MyCustomRequestMatcher()).hasRole("SUPERVISOR")     <5>
 				.anyRequest().authenticated()
@@ -1130,7 +1130,7 @@ Kotlin::
 +
 [source,kotlin,role="secondary"]
 ----
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher <1>
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.withDefaults <1>
 import org.springframework.security.web.util.matcher.RegexRequestMatcher.regexMatcher
 
 @Configuration
@@ -1142,7 +1142,7 @@ open class SecurityConfig {
         http {
             securityMatcher(antMatcher("/api/**"))                               <2>
             authorizeHttpRequests {
-                authorize(antMatcher("/api/user/**"), hasRole("USER"))           <3>
+                authorize(withDefaults().matcher("/api/user/**"), hasRole("USER"))           <3>
                 authorize(regexMatcher("/api/admin/**"), hasRole("ADMIN"))       <4>
                 authorize(MyCustomRequestMatcher(), hasRole("SUPERVISOR"))       <5>
                 authorize(anyRequest, authenticated)
@@ -1155,9 +1155,9 @@ open class SecurityConfig {
 ----
 ======
 
-<1> Import the static factory methods from `AntPathRequestMatcher` and `RegexRequestMatcher` to create `RequestMatcher` instances.
-<2> Configure `HttpSecurity` to only be applied to URLs that start with `/api/`, using `AntPathRequestMatcher`
-<3> Allow access to URLs that start with `/api/user/` to users with the `USER` role, using `AntPathRequestMatcher`
+<1> Import the static factory methods from `PathPatternRequestMatcher` and `RegexRequestMatcher` to create `RequestMatcher` instances.
+<2> Configure `HttpSecurity` to only be applied to URLs that start with `/api/`, using `PathPatternRequestMatcher`
+<3> Allow access to URLs that start with `/api/user/` to users with the `USER` role, using `PathPatternRequestMatcher`
 <4> Allow access to URLs that start with `/api/admin/` to users with the `ADMIN` role, using `RegexRequestMatcher`
 <5> Allow access to URLs that match the `MyCustomRequestMatcher` to users with the `SUPERVISOR` role, using a custom `RequestMatcher`
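Review bot: Both samples still call `antMatcher("/api/**")` on the `securityMatcher` line, although the commit replaces the `antMatcher` import with `withDefaults` and callout <2> now says that line uses `PathPatternRequestMatcher`. No `antMatcher` import remains in the visible lines, so the Java and Kotlin listings will likely not compile as printed, and the pattern that scopes the whole filter chain is the one left on the old matcher. I would change the Java line to `.securityMatcher(withDefaults().matcher("/api/**"))` and the Kotlin line to `securityMatcher(withDefaults().matcher("/api/**"))`. Separately, the new prose links `org.springframework.security.web.util.matcher.PathPatternRequestMatcher.Builder` while both imports use `org.springframework.security.web.servlet.util.matcher`. One of the two packages must be wrong, and the `javadoc:` macro looks like the odd one out.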
 

+ 1 - 1
docs/modules/ROOT/pages/servlet/configuration/java.adoc

@@ -132,7 +132,7 @@ public class MvcWebApplicationInitializer extends
 ----
 
 The reason for this is that Spring Security needs to be able to inspect some Spring MVC configuration in order to appropriately configure xref:servlet/authorization/authorize-http-requests.adoc#authorizing-endpoints[underlying request matchers], so they need to be in the same application context.
-Placing Spring Security in `getRootConfigClasses` places it into a parent application context that may not be able to find Spring MVC's `HandlerMappingIntrospector`.
+Placing Spring Security in `getRootConfigClasses` places it into a parent application context that may not be able to find Spring MVC's `PathPatternParser`.
 
 ==== Configuring for Multiple Spring MVC Dispatchers
 

+ 3 - 3
docs/modules/ROOT/pages/servlet/exploits/csrf.adoc

@@ -1276,7 +1276,7 @@ XML::
     <b:constructor-arg value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_CSRF_MATCHER}"/>
     <b:constructor-arg>
         <b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
-            <b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+            <b:bean class="org.springframework.security.config.http.PathPatternRequestMatcherFactoryBean">
                 <b:constructor-arg value="/api/*"/>
             </b:bean>
         </b:bean>
@@ -1387,7 +1387,7 @@ public class SecurityConfig {
 		http
 			// ...
 			.logout((logout) -> logout
-				.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
+				.logoutRequestMatcher(PathPatternRequestMatcher.withDefaults().matcher("/logout"))
 			);
 		return http.build();
 	}
@@ -1409,7 +1409,7 @@ class SecurityConfig {
         http {
             // ...
             logout {
-                logoutRequestMatcher = AntPathRequestMatcher("/logout")
+                logoutRequestMatcher = PathPatternRequestMatcher.withDefaults().matcher("/logout")
             }
         }
         return http.build()

+ 1 - 1
docs/modules/ROOT/pages/servlet/exploits/firewall.adoc

@@ -24,7 +24,7 @@ It is, therefore, essential that a `FilterChainProxy` is used to manage the secu
 Note that the `servletPath` and `pathInfo` values are decoded by the container, so your application should not have any valid paths that contain semi-colons, as these parts are removed for matching purposes.
 
 As mentioned earlier, the default strategy is to use Ant-style paths for matching, and this is likely to be the best choice for most users.
-The strategy is implemented in the class `AntPathRequestMatcher`, which uses Spring's `AntPathMatcher` to perform a case-insensitive match of the pattern against the concatenated `servletPath` and `pathInfo`, ignoring the `queryString`.
+The strategy is implemented in the class `PathPatternRequestMatcher`, which uses Spring's `PathPattern` to perform a case-insensitive match of the pattern against the concatenated `servletPath` and `pathInfo`, ignoring the `queryString`.
 
 If you need a more powerful matching strategy, you can use regular expressions.
 The strategy implementation is then `RegexRequestMatcher`.
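Review bot: The rewritten sentence keeps the phrase "case-insensitive match" from the `AntPathRequestMatcher` text, but as far as I know Spring's `PathPattern` matches case-sensitively unless its parser is configured otherwise. On a page about the firewall this matters: someone who trusts the sentence may write one lower-case rule and expect differently cased URLs to be covered, when they would instead fall through to whatever rule comes next. I would reword it to "to match the pattern against the request path, case-sensitively by default, ignoring the `queryString`", after confirming the matcher's defaults. The unchanged line above still calls the default strategy "Ant-style paths", and the "concatenated `servletPath` and `pathInfo`" wording should be checked against the new class as well.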

+ 3 - 3
docs/modules/ROOT/pages/servlet/exploits/headers.adoc

@@ -1218,7 +1218,7 @@ public class WebSecurityConfig {
 
 	@Bean
 	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-		RequestMatcher matcher = new AntPathRequestMatcher("/login");
+		RequestMatcher matcher = PathPatternRequestMatcher.withDefaults().matcher("/login");
 		DelegatingRequestMatcherHeaderWriter headerWriter =
 			new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter());
 		http
@@ -1248,7 +1248,7 @@ XML::
 <beans:bean id="headerWriter"
 	class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
 	<beans:constructor-arg>
-		<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
+		<bean class="org.springframework.security.config.http.PathPatternRequestMatcherFactoryBean"
 			c:pattern="/login"/>
 	</beans:constructor-arg>
 	<beans:constructor-arg>
@@ -1268,7 +1268,7 @@ class SecurityConfig {
 
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
-        val matcher: RequestMatcher = AntPathRequestMatcher("/login")
+        val matcher: RequestMatcher = PathPatternRequestMatcher.withDefaults().matcher("/login")
         val headerWriter = DelegatingRequestMatcherHeaderWriter(matcher, XFrameOptionsHeaderWriter())
        http {
             headers {

+ 1 - 1
docs/modules/ROOT/pages/servlet/integrations/websocket.adoc

@@ -698,7 +698,7 @@ If we use XML-based configuration, we can use thexref:servlet/appendix/namespace
     <b:constructor-arg value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_CSRF_MATCHER}"/>
     <b:constructor-arg>
         <b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
-          <b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+          <b:bean class="org.springframework.security.config.http.PathPatternRequestMatcherFactoryBean">
             <b:constructor-arg value="/chat/**"/>
           </b:bean>
         </b:bean>