RequestMatcherDelegatingAuthorizationManager
should deny when no match
#11958
Labels
in: web
An issue in web modules (web, webmvc)
type: breaks-passivity
A change that breaks passivity with the previous release
Milestone
In Spring Security 5, the default
AuthorizationManager
forRequestMatcherDelegatingAuthorizationManager
abstains.This default should be changed to instead deny.
As part of this commit,
AuthorizationFilterParser
should no longer add an any-matcher authenticated to the user's configuration.The text was updated successfully, but these errors were encountered: