Remove default HttpSecurity.securityMatcher() for authorization server

Closes gh-17965
2025-10-01 11:45:09 -04:00 · 2025-10-01 11:45:09 -04:00 · 681e166be8
parent 7f10897de3
commit 681e166be8
2 changed files with 4 additions and 5 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java
@ -396,8 +396,6 @@ public final class OAuth2AuthorizationServerConfigurer
 					new OrRequestMatcher(preferredMatchers));
 		}

-		httpSecurity.securityMatchers((securityMatchers) -> securityMatchers.requestMatchers(this.endpointsMatcher));
-
 		httpSecurity.csrf((csrf) -> csrf.ignoringRequestMatchers(this.endpointsMatcher));

 		if (getConfigurer(OAuth2ClientRegistrationEndpointConfigurer.class) != null) {
--- a/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/getting-started.adoc
+++ b/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/getting-started.adoc
@ -132,10 +132,11 @@ public class SecurityConfig {

 		// @formatter:off
 		http
-			.oauth2AuthorizationServer((authorizationServer) ->
+			.oauth2AuthorizationServer((authorizationServer) -> {
+				http.securityMatcher(authorizationServer.getEndpointsMatcher());
 				authorizationServer
-					.oidc(Customizer.withDefaults())	// Enable OpenID Connect 1.0
-			)
+					.oidc(Customizer.withDefaults());	// Enable OpenID Connect 1.0
+			})
 			.authorizeHttpRequests((authorize) ->
 				authorize
 					.anyRequest().authenticated()