RequestMatcherDelegatingAuthorizationManager should have a default AuthorizationManager that is invoked when the request does not match any of the configured AuthorizationManagers.
To maintain backward compatibility, the default should return null.
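
The proposed behavior, sketched as an added example that is not Spring Security's own code: `Decision`, `Manager`, `DelegatingManager` and its `defaultManager` setter are hypothetical stand-ins, and the requests are constructed sample data. It compares the backward-compatible null default with a deny-all default for a request that matches no configured entry.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

// Simplified stand-ins for illustration only; these are NOT the Spring Security types.
public class DefaultManagerSketch {
    record Decision(boolean granted) {}

    interface Manager { Decision check(String user, String path); }

    static final class DelegatingManager implements Manager {
        private final Map<Predicate<String>, Manager> mappings = new LinkedHashMap<>();
        // Backward-compatible default: abstain (return null) when nothing matches.
        private Manager defaultManager = (user, path) -> null;

        DelegatingManager add(Predicate<String> matcher, Manager m) { mappings.put(matcher, m); return this; }
        DelegatingManager defaultManager(Manager m) { this.defaultManager = m; return this; }

        @Override public Decision check(String user, String path) {
            for (Map.Entry<Predicate<String>, Manager> e : mappings.entrySet()) {
                if (e.getKey().test(path)) return e.getValue().check(user, path); // first match wins
            }
            return defaultManager.check(user, path); // no matcher matched this request
        }
    }

    static String describe(Decision d) {
        return d == null ? "abstain (null)" : d.granted() ? "granted" : "denied";
    }

    public static void main(String[] args) {
        Manager adminOnly = (user, path) -> new Decision("admin".equals(user));
        // Same mapping twice: one keeps the null default, one fails closed.
        DelegatingManager legacy = new DelegatingManager().add(p -> p.startsWith("/admin"), adminOnly);
        DelegatingManager strict = new DelegatingManager().add(p -> p.startsWith("/admin"), adminOnly)
                .defaultManager((user, path) -> new Decision(false));

        // Constructed sample requests: {user, path}
        String[][] requests = { {"alice", "/admin/users"}, {"admin", "/admin/users"}, {"alice", "/reports"} };
        for (String[] r : requests) {
            System.out.printf("%-6s %-13s legacy=%-15s strict=%s%n", r[0], r[1],
                    describe(legacy.check(r[0], r[1])), describe(strict.check(r[0], r[1])));
        }
    }
}
```

Only the unmatched `/reports` request differs between the two: with the null default the decision is left to whatever calls the manager, while a deny-all default makes unmatched requests fail closed.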