Summary

I'm trying to use the AuthorizationManager to supersede AccessDecisionManager and AccessDecisionVoter, to implement my custom DecisionVoter, but when I use the SecuredAuthorizationManager as an implementation of AuthorizationManager to handle method invocation using @Secured, I found that SecuredAuthorizationManager is not supported in SecurityFilterChain, like this:

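import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.method.SecuredAuthorizationManager;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
public class DefaultWebSecurityConfiguration {

  @Bean
  public SecurityFilterChain configure(
      HttpSecurity httpSecurity)
      throws Exception {
    httpSecurity.authorizeHttpRequests(
            (authorize) -> {
              // Compile error on the next line:
              // Required type: AuthorizationManager<org.springframework.security.web.access.intercept.RequestAuthorizationContext>
              // Provided: SecuredAuthorizationManager
              authorize.anyRequest().access(new SecuredAuthorizationManager());
            });
    return httpSecurity.build();
  }
}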

Required type: AuthorizationManager Provided: SecuredAuthorizationManager (MethodInvocation)

Also, with the final in SecuredAuthorizationManager, we cannot customize its check method?

Actual Behavior

AuthorizationManager always uses the RequestMatcherDelegatingAuthorizationManager implementation.

Expected Behavior

  • Could you remove final in SecuredAuthorizationManager so we can customize the check method?

Configuration

Version

spring-security-core:6.0.3

Sample

Comment From: jzheaux

Thanks for getting in touch! It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.

Comment From: yasstec

Why is the SecuredAuthorizationManager final?
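
An added example, not from this thread or from the Spring Security project: it shows the two layers typed separately, with a request-typed manager for authorizeHttpRequests and a wrapper that delegates to the final SecuredAuthorizationManager for @Secured methods. It assumes the AuthorizationManagerBeforeMethodInterceptor.secured(AuthorizationManager<MethodInvocation>) factory available in Spring Security 6.0; the class name, the extraRule helper and the ROLE_SUSPENDED authority are hypothetical.

```java
import java.util.function.Supplier;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.aop.Advisor;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.annotation.*;
import org.springframework.security.authorization.*;
import org.springframework.security.authorization.method.*;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // securedEnabled left off so only the interceptor below handles @Secured
public class DelegatingSecuredConfiguration { // hypothetical class name

  // Web layer: authorizeHttpRequests needs AuthorizationManager<RequestAuthorizationContext>.
  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    AuthorizationManager<RequestAuthorizationContext> requestRule =
        AuthenticatedAuthorizationManager.authenticated();
    http.authorizeHttpRequests((authorize) -> authorize.anyRequest().access(requestRule));
    return http.build();
  }

  // Method layer: wrap the final SecuredAuthorizationManager instead of extending it.
  @Bean
  @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
  static Advisor securedInterceptor() {
    SecuredAuthorizationManager secured = new SecuredAuthorizationManager();
    AuthorizationManager<MethodInvocation> custom = (authentication, invocation) -> {
      AuthorizationDecision decision = secured.check(authentication, invocation);
      if (decision == null || !decision.isGranted()) {
        return decision; // pass the stock abstain or deny result through unchanged
      }
      return new AuthorizationDecision(extraRule(authentication)); // can only narrow a grant
    };
    return AuthorizationManagerBeforeMethodInterceptor.secured(custom);
  }

  // Hypothetical extra rule: callers holding ROLE_SUSPENDED are refused.
  private static boolean extraRule(Supplier<Authentication> authentication) {
    Authentication auth = authentication.get();
    return auth != null && auth.getAuthorities().stream()
        .noneMatch((a) -> "ROLE_SUSPENDED".equals(a.getAuthority()));
  }
}
```

Because the wrapper only runs its extra rule after the delegate has granted access, it can tighten the @Secured decision but never turn a denial into a grant.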