In 5.5 the new AuthorizationManager API was introduced. One place that this API is being used is in the SecurityFilterChain, in combination with the AuthorizationFilter, replacing the FilterSecurityInterceptor.
The current default implementation of WebInvocationPrivilegeEvaluator, DefaultWebInvocationPrivilegeEvaluator, only supports the AbstractSecurityInterceptor.
We should provide an implementation of the WebInvocationPrivilegeEvaluator which delegates the check to an AuthorizationManager instance.
Related:
- https://github.com/spring-projects/spring-security/issues/10554
Comment From: marcusdacoregio
Fixed via https://github.com/spring-projects/spring-security/pull/10575
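
A sketch of the delegation this issue asks for, as an added example that is not the code merged in the linked pull request. The class name `DelegatingPrivilegeEvaluator` is hypothetical, and the `javax.servlet` import assumes a Spring Security 5.x classpath.

```java
import java.util.function.Supplier;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;

// Hypothetical class name: answers "may this user reach this URI?" by asking
// the same AuthorizationManager that the AuthorizationFilter consults.
public final class DelegatingPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {

    private final AuthorizationManager<HttpServletRequest> authorizationManager;

    public DelegatingPrivilegeEvaluator(AuthorizationManager<HttpServletRequest> authorizationManager) {
        if (authorizationManager == null) {
            throw new IllegalArgumentException("authorizationManager cannot be null");
        }
        this.authorizationManager = authorizationManager;
    }

    @Override
    public boolean isAllowed(String uri, Authentication authentication) {
        // No context path or HTTP method supplied: pass nulls through,
        // as DefaultWebInvocationPrivilegeEvaluator does.
        return isAllowed(null, uri, null, authentication);
    }

    @Override
    public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
        // FilterInvocation builds a stand-in request that carries only the
        // context path, servlet path and method; there is no real request here.
        FilterInvocation invocation = new FilterInvocation(contextPath, uri, method);
        Supplier<Authentication> current = () -> authentication;
        AuthorizationDecision decision =
                this.authorizationManager.check(current, invocation.getHttpRequest());
        // Choice made in this example: a null decision (the manager abstains)
        // counts as allowed, mirroring AuthorizationManager#verify, which only
        // rejects an explicit denial.
        return decision == null || decision.isGranted();
    }
}
```

Because the stand-in request carries only path and method, rules that read headers, parameters or the remote address cannot be evaluated faithfully through this evaluator. Treat its answer as a hint for rendering links or menus, with the filter chain remaining the enforcement point.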