Spring Security Javadoc for AuthorizationFilter#filterErrorDispatch is wrong

In the Spring Security 6.1.1, The javadoc for the setFilterErrorDispatch method of the AuthorizationFilter class states that the default value of the filterErrorDispatch property is false. However, in the AuthorizationFilter code, it is implemented as follows private boolean filterErrorDispatch = true;

Shouldn't it modify the default value to false? The same goes for filterAsyncDispatch.

Comment From: HackSung

@marcusdacoregio First, Thank you for your quick action. Actually, I was expecting to modify the filterErrorDispatch property to false in the code, not to modify the default to true in the javadoc of filterErrorDispatch. The reason is that in the Spring Boot, the default dispatcher type for filter is only DispatcherType.REQUST and DispatcherType.ERROR is missing. Similarly, wouldn't it be more common for AuthorizationFilter to omit cases where the dispatcher type is ERROR?

Comment From: marcusdacoregio

Hi @HackSung, since 6.0 Spring Security applies authorization to every dispatcher type, and Spring Boot is also aligned with that. If you want to allow access to a dispatcher type you must do it explicitly