Remove shouldFilterAllDispatcherTypes

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -110,7 +110,6 @@ public void configure(H http) {
 		AuthorizationManager<HttpServletRequest> authorizationManager = this.registry.createAuthorizationManager();
 		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
 		authorizationFilter.setAuthorizationEventPublisher(this.publisher);
-		authorizationFilter.setShouldFilterAllDispatcherTypes(this.registry.shouldFilterAllDispatcherTypes);
 		authorizationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 		http.addFilter(postProcess(authorizationFilter));
 	}
@@ -144,8 +143,6 @@ public final class AuthorizationManagerRequestMatcherRegistry
 
 		private int mappingCount;
 
-		private boolean shouldFilterAllDispatcherTypes = true;
-
 		private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) {
 			setApplicationContext(context);
 		}
@@ -191,36 +188,6 @@ public AuthorizationManagerRequestMatcherRegistry withObjectPostProcessor(
 			return this;
 		}
 
-		/**
-		 * Sets whether all dispatcher types should be filtered.
-		 * @param shouldFilter should filter all dispatcher types. Default is {@code true}
-		 * @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
-		 * customizations
-		 * @since 5.7
-		 * @deprecated Permit access to the {@link jakarta.servlet.DispatcherType}
-		 * instead. <pre>
-		 * &#064;Configuration
-		 * &#064;EnableWebSecurity
-		 * public class SecurityConfig {
-		 *
-		 * 	&#064;Bean
-		 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		 * 		http
-		 * 		 	.authorizeHttpRequests((authorize) -&gt; authorize
-		 * 				.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
-		 * 			 	// ...
-		 * 		 	);
-		 * 		return http.build();
-		 * 	}
-		 * }
-		 * </pre>
-		 */
-		@Deprecated(since = "6.1", forRemoval = true)
-		public AuthorizationManagerRequestMatcherRegistry shouldFilterAllDispatcherTypes(boolean shouldFilter) {
-			this.shouldFilterAllDispatcherTypes = shouldFilter;
-			return this;
-		}
-
 	}
 
 	/**

config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,27 +41,8 @@ import java.util.function.Supplier
  *
  * @author Yuriy Savchenko
  * @since 5.7
- * @property shouldFilterAllDispatcherTypes whether the [AuthorizationFilter] should filter all dispatcher types
  */
 class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
-    @Deprecated("""
-        Add authorization rules to DispatcherType directly.
-
-        @Configuration
-        @EnableWebSecurity
-        public class SecurityConfig {
-            @Bean
-            public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-                http
-                    .authorizeHttpRequests((authorize) -> authorize
-                        .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
-                        // ...
-                    );
-                return http.build();
-            }
-          }
-    """)
-    var shouldFilterAllDispatcherTypes: Boolean? = null
 
     private val authorizationRules = mutableListOf<AuthorizationManagerRule>()
     private val rolePrefix: String
@@ -291,9 +272,6 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
                     }
                 }
             }
-            shouldFilterAllDispatcherTypes?.also { shouldFilter ->
-                requests.shouldFilterAllDispatcherTypes(shouldFilter)
-            }
         }
     }
 

config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -337,28 +337,6 @@ public void requestWhenUsingFilterAllDispatcherTypesAndAuthorizationManagerThenA
 		assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
 	}
 
-	@Test
-	public void requestWhenUsingFilterAllDispatcherTypesFalseThenAuthorizesRequestsAccordingly() throws Exception {
-		this.spring.configLocations(this.xml("FilterAllDispatcherTypesFalse")).autowire();
-		// @formatter:off
-		this.mvc.perform(get("/path").with(userCredentials()))
-				.andExpect(status().isOk());
-		this.mvc.perform(get("/path").with(adminCredentials()))
-				.andExpect(status().isForbidden());
-		this.mvc.perform(get("/error").with((request) -> {
-			request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
-			request.setDispatcherType(DispatcherType.ERROR);
-			return request;
-		})).andExpect(status().isOk());
-		this.mvc.perform(get("/path").with((request) -> {
-			request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/path");
-			request.setDispatcherType(DispatcherType.ERROR);
-			return request;
-		})).andExpect(status().isOk());
-		// @formatter:on
-		assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
-	}
-
 	private static RequestPostProcessor adminCredentials() {
 		return httpBasic("admin", "password");
 	}

config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -44,6 +44,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.*
 import org.springframework.security.web.SecurityFilterChain
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext
+import org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher
 import org.springframework.security.web.util.matcher.RegexRequestMatcher
 import org.springframework.test.web.servlet.MockMvc
 import org.springframework.test.web.servlet.get
@@ -632,7 +633,6 @@ class AuthorizeHttpRequestsDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 authorizeHttpRequests {
-                    shouldFilterAllDispatcherTypes = true
                     authorize(anyRequest, denyAll)
                 }
             }
@@ -671,7 +671,6 @@ class AuthorizeHttpRequestsDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 authorizeHttpRequests {
-                    shouldFilterAllDispatcherTypes = true
                     authorize(anyRequest, permitAll)
                 }
             }
@@ -710,7 +709,8 @@ class AuthorizeHttpRequestsDslTests {
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
             http {
                 authorizeHttpRequests {
-                    shouldFilterAllDispatcherTypes = false
+                    authorize(DispatcherTypeRequestMatcher(DispatcherType.ERROR), permitAll)
+                    authorize(DispatcherTypeRequestMatcher(DispatcherType.ASYNC), permitAll)
                     authorize(anyRequest, denyAll)
                 }
             }

web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java

@@ -163,36 +163,6 @@ public AuthorizationManager<HttpServletRequest> getAuthorizationManager() {
 		return this.authorizationManager;
 	}
 
-	/**
-	 * Sets whether to filter all dispatcher types.
-	 * @param shouldFilterAllDispatcherTypes should filter all dispatcher types. Default
-	 * is {@code true}
-	 * @since 5.7
-	 * @deprecated Permit access to the {@link jakarta.servlet.DispatcherType} instead.
-	 * <pre>
-	 * &#064;Configuration
-	 * &#064;EnableWebSecurity
-	 * public class SecurityConfig {
-	 *
-	 * 	&#064;Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 		 	.authorizeHttpRequests((authorize) -&gt; authorize
-	 * 				.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
-	 * 			 	// ...
-	 * 		 	);
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * </pre>
-	 */
-	@Deprecated(since = "6.1", forRemoval = true)
-	public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) {
-		this.observeOncePerRequest = !shouldFilterAllDispatcherTypes;
-		this.filterErrorDispatch = shouldFilterAllDispatcherTypes;
-		this.filterAsyncDispatch = shouldFilterAllDispatcherTypes;
-	}
-
 	public boolean isObserveOncePerRequest() {
 		return this.observeOncePerRequest;
 	}

web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java

@@ -210,7 +210,9 @@ public void doFilterWhenErrorThenDoFilter() throws Exception {
 	public void doFilterWhenErrorAndShouldFilterAllDispatcherTypesFalseThenDoNotFilter() throws Exception {
 		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
 		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
-		authorizationFilter.setShouldFilterAllDispatcherTypes(false);
+		authorizationFilter.setObserveOncePerRequest(true);
+		authorizationFilter.setFilterErrorDispatch(false);
+		authorizationFilter.setFilterAsyncDispatch(false);
 		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
 		mockRequest.setDispatcherType(DispatcherType.ERROR);
 		mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");