In Spring Security 5, the default AuthorizationManager for RequestMatcherDelegatingAuthorizationManager abstains.
This default should be changed to instead deny.
As part of this commit, AuthorizationFilterParser should no longer add an any-matcher authenticated to the user's configuration.
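The difference between an abstaining and a denying default, as an added example that is not part of the original issue and is not Spring Security's code. It is a stand-alone model with hypothetical names (`DelegatingManager`, `requestProceeds`), and it assumes the filter lets a request continue whenever the manager abstains.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

// Stand-alone model (hypothetical names, no Spring dependency) of first-match
// request authorization with a configurable decision for unmatched requests.
public class DefaultDecisionDemo {
    enum Decision { GRANT, DENY, ABSTAIN }

    static final class DelegatingManager {
        // Insertion order is preserved, so the first matching rule wins.
        private final Map<Predicate<String>, Predicate<String>> rules = new LinkedHashMap<>();
        private final Decision whenNoRuleMatches;

        DelegatingManager(Decision whenNoRuleMatches) { this.whenNoRuleMatches = whenNoRuleMatches; }

        DelegatingManager add(Predicate<String> pathMatcher, Predicate<String> roleCheck) {
            rules.put(pathMatcher, roleCheck);
            return this;
        }

        Decision check(String path, String role) {
            for (Map.Entry<Predicate<String>, Predicate<String>> rule : rules.entrySet()) {
                if (rule.getKey().test(path)) {
                    return rule.getValue().test(role) ? Decision.GRANT : Decision.DENY;
                }
            }
            return whenNoRuleMatches; // no rule covers this path
        }
    }

    // Assumed filter behaviour: only an explicit DENY blocks the request.
    static boolean requestProceeds(DelegatingManager m, String path, String role) {
        return m.check(path, role) != Decision.DENY;
    }

    public static void main(String[] args) {
        for (Decision def : new Decision[] { Decision.ABSTAIN, Decision.DENY }) {
            DelegatingManager m = new DelegatingManager(def)
                .add(p -> p.startsWith("/admin/"), "ADMIN"::equals)
                .add(p -> p.startsWith("/public/"), r -> true);
            System.out.println("default=" + def);
            // Constructed sample requests; /internal/metrics has no rule.
            for (String path : new String[] { "/admin/users", "/public/index", "/internal/metrics" }) {
                System.out.println("  " + path + " as USER -> "
                    + (requestProceeds(m, path, "USER") ? "proceeds" : "blocked"));
            }
        }
    }
}
```

With the abstaining default, the unmatched path is the only one whose outcome changes between the two runs, which is why a rule set without a catch-all fails open.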
Comment From: jgrandja
@rwinch This appears to be a duplicate of gh-11963?
Comment From: biergit
Hi, I think this issue should be documented as a breaking change? Edit: Just saw that it has the label "breaks-passivity" but it doesn't show up in the documentation.