Merge branch '6.4.x'

sjohnr · sjohnr · commit 3ebcbd4375db · 2025-03-20T14:47:07.000-05:00
Closes gh-16788 Closes gh-16789 Closes gh-16790 Closes gh-16791 Closes gh-16792
diff --git a/docs/modules/ROOT/nav.adoc b/docs/modules/ROOT/nav.adoc
@@ -133,7 +133,7 @@
 *** xref:servlet/appendix/faq.adoc[FAQ]
 * xref:reactive/index.adoc[Reactive Applications]
 ** xref:reactive/getting-started.adoc[Getting Started]
-** Authentication
+** xref:reactive/authentication/index.adoc[Authentication]
 *** xref:reactive/authentication/x509.adoc[X.509 Authentication]
 *** xref:reactive/authentication/logout.adoc[Logout]
 *** Session Management
diff --git a/docs/modules/ROOT/pages/features/authentication/index.adoc b/docs/modules/ROOT/pages/features/authentication/index.adoc
@@ -8,4 +8,4 @@ Once authentication is performed we know the identity and can perform authorizat
 
 Spring Security provides built-in support for authenticating users.
 This section is dedicated to generic authentication support that applies in both Servlet and WebFlux environments.
-Refer to the sections on authentication for xref:servlet/authentication/index.adoc#servlet-authentication[Servlet] and xref:servlet/authentication/index.adoc[WebFlux] for details on what is supported for each stack.
+Refer to the sections on authentication for xref:servlet/authentication/index.adoc[Servlet] and xref:reactive/authentication/index.adoc[WebFlux] for details on what is supported for each stack.
diff --git a/docs/modules/ROOT/pages/reactive/authentication/index.adoc b/docs/modules/ROOT/pages/reactive/authentication/index.adoc
@@ -0,0 +1,3 @@
+[[webflux-authentication]]
+= Authentication
+:page-section-summary-toc: 1
diff --git a/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc b/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
@@ -34,7 +34,7 @@ The attributes on the `<http>` element control some of the properties on the cor
 Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
 
 [[nsa-http-authorization-manager-ref]]
-* **access-decision-manager-ref**
+* **use-authorization-manager**
 Use this AuthorizationManager instead of deriving one from <intercept-url> elements
 
 [[nsa-http-access-decision-manager-ref]]
diff --git a/docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc b/docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc
@@ -2,4 +2,4 @@
 = Spring MVC Test Integration
 :page-section-summary-toc: 1
 
-Spring Security provides comprehensive integration with https://docs.spring.io/spring-framework/reference/testing/mockmvc.html[Spring Testing MockMVC]
+Spring Security provides comprehensive integration with {spring-framework-reference-url}testing/mockmvc.html[Spring MVC Test]
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -245,7 +245,7 @@ private static ReactiveOAuth2AuthorizedClientManager createDefaultAuthorizedClie
 	 * be used to create an Authentication for saving.</li>
 	 * </ul>
 	 * @param authorizedClient the {@link OAuth2AuthorizedClient} to use.
-	 * @return the {@link Consumer} to populate the
+	 * @return the {@link Consumer} to populate the attributes
 	 */
 	public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) {
 		return (attributes) -> attributes.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, authorizedClient);
diff --git a/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java
@@ -29,20 +29,28 @@ public interface WebInvocationPrivilegeEvaluator {
 	/**
 	 * Determines whether the user represented by the supplied <tt>Authentication</tt>
 	 * object is allowed to invoke the supplied URI.
+	 * <p>
+	 * Note this will only match authorization rules that don't require a certain
+	 * {@code HttpMethod}.
 	 * @param uri the URI excluding the context path (a default context path setting will
 	 * be used)
 	 */
 	boolean isAllowed(String uri, Authentication authentication);
 
 	/**
 	 * Determines whether the user represented by the supplied <tt>Authentication</tt>
-	 * object is allowed to invoke the supplied URI, with the given .
+	 * object is allowed to invoke the supplied URI, with the given parameters.
 	 * <p>
-	 * Note the default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
+	 * Note:
+	 * <ul>
+	 * <li>The default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
 	 * disregards the <code>contextPath</code> when evaluating which secure object
 	 * metadata applies to a given request URI, so generally the <code>contextPath</code>
 	 * is unimportant unless you are using a custom
-	 * <code>FilterInvocationSecurityMetadataSource</code>.
+	 * <code>FilterInvocationSecurityMetadataSource</code>.</li>
+	 * <li>this will only match authorization rules that don't require a certain
+	 * {@code HttpMethod}.</li>
+	 * </ul>
 	 * @param uri the URI excluding the context path
 	 * @param contextPath the context path (may be null).
 	 * @param method the HTTP method (or null, for any method)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[[webflux-authentication]]`
	`2`	`+= Authentication`
	`3`	`+:page-section-summary-toc: 1`