Expected Behavior
The AuthorizationFilter and the DSL should have a property where users can set whether or not they want to apply the filter to all dispatcher types.
Current Behavior
Currently, FilterSecurityInterceptor and AuthorizationFilter only perform authorization checks on the first request. Authorization should be performed on dispatch.
NOTE: We may consider only making these changes to AuthorizationFilter rather than FilterSecurityInterceptor since we are moving towards using AuthorizationManager rather than the old authorization APIs.
Related: - https://github.com/spring-projects/spring-security/issues/11027 - https://github.com/spring-projects/spring-security/issues/10919