
Merge branch '6.0.x' into 6.1.x

Closes gh-13494
Marcus Da Coregio 2 سال پیش
والد
کامیت
f62c9d3be6

+ 2 - 2
config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -781,8 +781,8 @@ class HttpConfigurationBuilder {
 		BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(FilterSecurityInterceptor.class);
 		builder.addPropertyReference("accessDecisionManager", accessManagerId);
 		builder.addPropertyValue("authenticationManager", authManager);
-		if ("false".equals(this.httpElt.getAttribute(ATT_ONCE_PER_REQUEST))) {
-			builder.addPropertyValue("observeOncePerRequest", Boolean.FALSE);
+		if ("true".equals(this.httpElt.getAttribute(ATT_ONCE_PER_REQUEST))) {
+			builder.addPropertyValue("observeOncePerRequest", Boolean.TRUE);
 		}
 		builder.addPropertyValue("securityMetadataSource", securityMds);
 		builder.addPropertyValue("securityContextHolderStrategy", this.holderStrategyRef);
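Review bot: An explicit `once-per-request="false"` no longer writes anything to the bean definition, because the condition now handles only `"true"`; the false case therefore depends on FilterSecurityInterceptor's own default (the neighbouring test asserting that `isObserveOncePerRequest()` is false suggests that default is false today). Since this flag controls whether authorization is evaluated again on forwarded and included dispatches, it is safer to pin it from the attribute in both cases, e.g. `builder.addPropertyValue("observeOncePerRequest", "true".equals(this.httpElt.getAttribute(ATT_ONCE_PER_REQUEST)));`. If the conditional is kept, a comment such as `// default re-checks every dispatch; only an explicit "true" opts out` would record the intent. The enclosing method starts and ends outside the hunk.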

+ 7 - 0
config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java

@@ -323,6 +323,13 @@ public class MiscHttpConfigTests {
 		assertThat(filterSecurityInterceptor.isObserveOncePerRequest()).isFalse();
 	}
 
+	@Test
+	public void configureWhenOncePerRequestIsTrueThenFilterSecurityInterceptorObserveOncePerRequestIsTrue() {
+		this.spring.configLocations(xml("OncePerRequestTrue")).autowire();
+		FilterSecurityInterceptor filterSecurityInterceptor = getFilter(FilterSecurityInterceptor.class);
+		assertThat(filterSecurityInterceptor.isObserveOncePerRequest()).isTrue();
+	}
+
 	@Test
 	public void requestWhenCustomHttpBasicEntryPointRefThenInvokesOnCommence() throws Exception {
 		this.spring.configLocations(xml("CustomHttpBasicEntryPointRef")).autowire();
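Review bot: The added test checks only the `isObserveOncePerRequest()` getter and never sends a request, so the security effect of the setting is not pinned. The fixture it loads declares `/unprotected-forwards-to-protected` as `permitAll` next to an authenticated `/protected`, which looks intended for a forward scenario; a further assertion that performs that forward and states the expected outcome for `/protected` would make the relaxed behaviour of `once-per-request="true"` visible to whoever enables it. At minimum add a comment above the test such as `// once-per-request="true": authorization runs once per request; forwarded dispatches are not re-checked by this filter`. The test class continues outside the hunk.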

+ 35 - 0
config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-OncePerRequestTrue.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2023 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http once-per-request="true" use-authorization-manager="false">
+		<http-basic/>
+		<intercept-url pattern="/protected" access="authenticated"/>
+		<intercept-url pattern="/unprotected-forwards-to-protected" access="permitAll"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+	<b:import resource="handlermappingintrospector.xml"/>
+</b:beans>
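Review bot: The fixture does not say why `use-authorization-manager="false"` is set on `<http>`; presumably it is there so that the legacy FilterSecurityInterceptor the test looks up is the filter that gets registered. A comment above the element would keep someone from dropping it later, for example `<!-- use-authorization-manager="false" registers FilterSecurityInterceptor, the filter under test -->`. The two `intercept-url` patterns are not exercised by the only test shown loading this file, so either cover them with a request-level assertion or trim the fixture to what the test needs.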